
I need to pass the credentials (Integrated Windows Authentication) from a Django website on IIS to a backend SQL Server so that it runs under the proper user context.

This is how my setup looks so far:

  1. Running SQL Server on sql_server.domain.com under a service account domain\svc_sqlserver
  2. Running a Django website on app_server.domain.com under IIS, using a service account domain\svc_appserver, with Windows Authentication and ASP.NET Impersonation (Providers are set to Negotiate:Kerberos -> Negotiate -> NTLM) and useAppPoolCredentials=True
  3. Connecting to SQL Server from Django using Windows authentication by setting Trusted_Connection=yes in the connection
  4. Configured SPNs for Kerberos authentication for both domain\svc_sqlserver and domain\svc_appserver as follows:

    setspn -a HTTP/app_server                          domain\svc_appserver
    setspn -a HTTP/app_server.domain.com               domain\svc_appserver
    setspn -a MSSQLSvc/sql_server.domain.com:PORT      domain\svc_sqlserver
    setspn -a MSSQLSvc/sql_server.domain.com:INSTANCE  domain\svc_sqlserver
    setspn -a MSSQLSvc/sql_server.domain.com           domain\svc_sqlserver
    
  5. Trusted both svc_sqlserver and svc_appserver for delegation to the MSSQLSvc services; for domain\svc_appserver I additionally added the HTTP services too (from the list above)

Result:

  1. Kerberos authentication works on SQL Server. Confirmed by looking at the auth scheme of connected users
  2. Kerberos authentication works on the Django website. Confirmed by inspecting the WWW-Authenticate response header and the Authorization request header (Negotiate is being used correctly)
  3. SQL Server runs only under the context of domain\svc_appserver when it should be running under domain\remote_user

I've been working on this for more than a week now, but for the life of me I can't figure out how to pass the authenticated user's context from IIS to SQL Server. I went through hundreds of links I found online and I'm not sure what to do at this point.

Is there anything else that I'm missing? Is there any way in Django to set the user's context before establishing a connection to the database? If anyone can help, I'd really appreciate it. Thanks!

I'm using:

notarobot
  • DelegConfig can be used to validate the KCD configuration. https://www.iis.net/downloads/community/2009/06/delegconfig-v2-beta-delegation-kerberos-configuration-tool . Also, "Negotiate" in the WWW-Authenticate header does not confirm that a Kerberos token is used. https://serverfault.com/a/440050/20701 . If it's NTLM, it isn't going to work. – Greg Askew Aug 31 '18 at 19:10
  • @GregAskew I set Provider to only `Negotiate:Kerberos` too and it works. So I'm pretty sure Kerberos is working. However, I got the answer for the same question from [here](https://stackoverflow.com/questions/52120859/kerberos-double-hop-delegation-from-iis-to-sql-server-using-django). Thanks! – notarobot Sep 04 '18 at 12:54
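The five setup steps above are the usual Kerberos constrained delegation (KCD) chain for a double hop, and the symptom in result 3 is what you see when any one link is broken or when the first hop never actually impersonates. The script below is an added diagnostic written for this thread; it is not code from the question or from the linked answer. It checks each link from app_server in the order the question lists them: SPN ownership and duplicates, the delegation attributes on svc_appserver, the IIS authentication settings, and finally what SQL Server actually sees (login name and auth_scheme) for every session coming from this host. It assumes the account and host names used in the question (svc_appserver, svc_sqlserver, sql_server.domain.com), plus a site name of 'Default Web Site' and port 1433, which are assumptions; it needs the RSAT ActiveDirectory module, the WebAdministration module (run as administrator on the IIS host), and VIEW SERVER STATE on SQL Server to list other users' sessions.

```powershell
# Added KCD diagnostic for the setup described in the question (not the poster's code).
# Assumed names: svc_appserver, svc_sqlserver, sql_server.domain.com (from the question);
# 'Default Web Site' and port 1433 are assumptions - adjust to your environment.
param(
    [string]$AppSvc  = 'svc_appserver',
    [string]$SqlSvc  = 'svc_sqlserver',
    [string]$AppHost = 'app_server.domain.com',
    [string]$SqlHost = 'sql_server.domain.com',
    [int]   $SqlPort = 1433,
    [string]$Site    = 'Default Web Site'
)
Import-Module ActiveDirectory
Import-Module WebAdministration

# 1. SPNs: each SPN must exist and be owned by exactly one account. A duplicate SPN
#    silently downgrades the client to NTLM, which cannot be delegated at all.
$appShort = $AppHost.Split('.')[0]
foreach ($spn in @("HTTP/$appShort", "HTTP/$AppHost",
                   "MSSQLSvc/$SqlHost", "MSSQLSvc/${SqlHost}:$SqlPort")) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" |
                Select-Object -ExpandProperty Name)
    $ownerText = if ($owners.Count -eq 0) { 'NOT REGISTERED' } else { $owners -join ', ' }
    '{0,-45} -> {1}' -f $spn, $ownerText
    if ($owners.Count -gt 1) { Write-Warning "Duplicate SPN: $spn" }
}

# 2. Delegation on the first-hop account. For constrained delegation the target list
#    (msDS-AllowedToDelegateTo) must contain the MSSQLSvc SPN the client will request.
#    TrustedToAuthForDelegation ('use any authentication protocol') is what allows
#    protocol transition; the SQL service account itself needs no delegation rights.
$app = Get-ADUser $AppSvc -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
"Unconstrained delegation on ${AppSvc} (should be False): " + $app.TrustedForDelegation
"Protocol transition on ${AppSvc}: " + $app.TrustedToAuthForDelegation
"Allowed delegation targets for ${AppSvc}:"
$app.'msDS-AllowedToDelegateTo' | ForEach-Object { "  $_" }
$needle = "^MSSQLSvc/$([regex]::Escape($SqlHost))"
if (-not ($app.'msDS-AllowedToDelegateTo' -match $needle)) {
    Write-Warning "No MSSQLSvc/$SqlHost entry in msDS-AllowedToDelegateTo for $AppSvc"
}

# 3. IIS: Windows auth on, anonymous off, provider order, app-pool credentials.
#    With useAppPoolCredentials=true the Kerberos ticket is decrypted with the
#    app pool account's key, so the HTTP SPNs must be on that account (step 1).
$psPath = "IIS:\Sites\$Site"
$win = Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/security/authentication/windowsAuthentication'
"Windows auth enabled: $($win.enabled)  useAppPoolCredentials: $($win.useAppPoolCredentials)"
$providers = Get-WebConfiguration -PSPath $psPath -Filter 'system.webServer/security/authentication/windowsAuthentication/providers/add'
"Providers: " + (($providers | ForEach-Object { $_.value }) -join ', ')
$anon = Get-WebConfigurationProperty -PSPath $psPath -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled
"Anonymous auth enabled (should be False): $($anon.Value)"

# 4. Second hop as seen by SQL Server. This script's own session shows whether this
#    host reaches SQL Server with KERBEROS; the other rows show the identity every
#    session from this host (including the Django/python.exe one) is running as.
#    A login_name of domain\svc_appserver on the Django session is exactly result 3.
$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$SqlHost,$SqlPort;Integrated Security=SSPI")
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = @"
SELECT s.session_id, s.login_name, s.host_name, s.program_name, c.auth_scheme
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON s.session_id = c.session_id
WHERE s.host_name = @host OR s.session_id = @@SPID
ORDER BY s.session_id
"@
$cmd.Parameters.AddWithValue('@host', $env:COMPUTERNAME) | Out-Null
$reader = $cmd.ExecuteReader()
'{0,5} {1,-30} {2,-18} {3,-10} {4}' -f 'spid', 'login_name', 'host_name', 'auth', 'program'
while ($reader.Read()) {
    '{0,5} {1,-30} {2,-18} {3,-10} {4}' -f $reader['session_id'], $reader['login_name'],
        $reader['host_name'], $reader['auth_scheme'], $reader['program_name']
}
$reader.Close()
$conn.Close()
```

Read the output bottom-up. If this script's own row says KERBEROS but the python.exe row says NTLM, the second hop is falling back and the SPN or delegation check above will usually show why. If both rows say KERBEROS and the python.exe row still logs in as svc_appserver, every link in the chain is fine and the problem is the first hop: ASP.NET Impersonation only changes the thread identity for managed-code requests, while a FastCGI-hosted python.exe keeps running as the app pool identity, so the Django process itself has to obtain and impersonate the caller's token before it opens the database connection, which is the Django-side change the linked answer deals with.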

0 Answers