Delegation: the usual double hop question...

Is there anything in #2 that gives you an idea?

http://blogs.msdn.com/nunos/archive/.../12/88468.aspx

"JimLad" <ja*********@yahoo.co.ukwrote in message
news:11**********************@k70g2000cwa.googlegr oups.com...

In advance, sorry if this is the wrong group...

SQL Server 2000 SP3 on Server 2003. SQL Account and Computer both
Trusted for Delegation. Given SPN.

IIS 5.0 on W2000. Kerberos enabled. Computer Trusted for Delegation.
Integrated Windows Authentication selected. Medium pooled. Not the
default website - using IP address to connect from client.
IWAN_<computernamelocal account is running as part of operating
system and trusted for delegation. (Does anything need to be SPN'd?)

ASP App using trusted ADO connections (impersonation by default as
classic ASP)

User (me) Trusted for Delegation on a client XPSP2 machine. IE6
Kerberos enabled. Proxy bypassed for local addresses.

Getting the classic Double Hop. Any ideas???? You'd think there'd be
some better error messages!

Cheers,

James

Hi Ken,

Thnaks but I've been through a lot of the Microsoft documentation.
Incidently the most useful was:

http://www.microsoft.com/technet/pro...del.mspx#ETUAG
Some specific questions: -

I have seen a lot written about using FQDNs for Kerberos.
Does this mean that in my ADO and ADO.NET connection strings I need to
specify a fuller ServerName?

Can I use IP addresses and ports with kerberos?
i.e. I think I can use these:
http://computername.domainname
http://hostname
but can I use these?
http://IPAddress
http://computername.domainname:81
http://computername

I am running IIS5.0 and IIS6.0 (different web servers but both need to
delegate), so need answers for both of these. I am running apps medium
pooled and probably running services using the default accounts.

So I am a little unclear on what SPNs I need to register for IIS, ASP,
ASP.NET etc. Currently only the 2 server SPNs (FQDN and NetBIOS) are
registered. And also what accounts I need to change security settings
on?

Oh and while we're talking about this, I suppose you can use delegation
with SQL Virtual Directories? Otherwise this is all pointless.

Cheers,

James

Ken Cox [Microsoft MVP] wrote:

Is there anything in #2 that gives you an idea?

http://blogs.msdn.com/nunos/archive/.../12/88468.aspx

"JimLad" <ja*********@yahoo.co.ukwrote in message
news:11**********************@k70g2000cwa.googlegr oups.com...

In advance, sorry if this is the wrong group...

SQL Server 2000 SP3 on Server 2003. SQL Account and Computer both
Trusted for Delegation. Given SPN.

IIS 5.0 on W2000. Kerberos enabled. Computer Trusted for Delegation.
Integrated Windows Authentication selected. Medium pooled. Not the
default website - using IP address to connect from client.
IWAN_<computernamelocal account is running as part of operating
system and trusted for delegation. (Does anything need to be SPN'd?)

ASP App using trusted ADO connections (impersonation by default as
classic ASP)

User (me) Trusted for Delegation on a client XPSP2 machine. IE6
Kerberos enabled. Proxy bypassed for local addresses.

Getting the classic Double Hop. Any ideas???? You'd think there'd be
some better error messages!

Cheers,

James

Hi Ken,

Thnaks but I've been through a lot of the Microsoft documentation.
Incidently the most useful was:

http://www.microsoft.com/technet/pro...del.mspx#ETUAG
Some specific questions: -

I have seen a lot written about using FQDNs for Kerberos.
Does this mean that in my ADO and ADO.NET connection strings I need to
specify a fuller ServerName?

Can I use IP addresses and ports with kerberos?
i.e. I think I can use these:
http://computername.domainname
http://hostname
but can I use these?
http://IPAddress
http://computername.domainname:81
http://computername

I am running IIS5.0 and IIS6.0 (different web servers but both need to
delegate), so need answers for both of these. I am running apps medium
pooled and probably running services using the default accounts.

So I am a little unclear on what SPNs I need to register for IIS, ASP,
ASP.NET etc. Currently only the 2 server SPNs (FQDN and NetBIOS) are
registered. And also what accounts I need to change security settings
on?

Oh and while we're talking about this, I suppose you can use delegation
with SQL Virtual Directories? Otherwise this is all pointless.

Cheers,

James

Ken Cox [Microsoft MVP] wrote:

Is there anything in #2 that gives you an idea?

http://blogs.msdn.com/nunos/archive/.../12/88468.aspx

"JimLad" <ja*********@yahoo.co.ukwrote in message
news:11**********************@k70g2000cwa.googlegr oups.com...

In advance, sorry if this is the wrong group...

SQL Server 2000 SP3 on Server 2003. SQL Account and Computer both
Trusted for Delegation. Given SPN.

IIS 5.0 on W2000. Kerberos enabled. Computer Trusted for Delegation.
Integrated Windows Authentication selected. Medium pooled. Not the
default website - using IP address to connect from client.
IWAN_<computernamelocal account is running as part of operating
system and trusted for delegation. (Does anything need to be SPN'd?)

ASP App using trusted ADO connections (impersonation by default as
classic ASP)

User (me) Trusted for Delegation on a client XPSP2 machine. IE6
Kerberos enabled. Proxy bypassed for local addresses.

Getting the classic Double Hop. Any ideas???? You'd think there'd be
some better error messages!

Cheers,

James

Hi Jim,

You're probably better off to post this in the Security newsgroup where they
deal with permissions all the time.

Ken

"JimLad" <ja*********@yahoo.co.ukwrote in message
news:11**********************@k70g2000cwa.googlegr oups.com...

Hi Ken,

Thnaks but I've been through a lot of the Microsoft documentation.
Incidently the most useful was:

http://www.microsoft.com/technet/pro...del.mspx#ETUAG
Some specific questions: -

I have seen a lot written about using FQDNs for Kerberos.
Does this mean that in my ADO and ADO.NET connection strings I need to
specify a fuller ServerName?

Can I use IP addresses and ports with kerberos?
i.e. I think I can use these:
http://computername.domainname
http://hostname
but can I use these?
http://IPAddress
http://computername.domainname:81
http://computername

I am running IIS5.0 and IIS6.0 (different web servers but both need to
delegate), so need answers for both of these. I am running apps medium
pooled and probably running services using the default accounts.

So I am a little unclear on what SPNs I need to register for IIS, ASP,
ASP.NET etc. Currently only the 2 server SPNs (FQDN and NetBIOS) are
registered. And also what accounts I need to change security settings
on?

Oh and while we're talking about this, I suppose you can use delegation
with SQL Virtual Directories? Otherwise this is all pointless.

Cheers,

James

Ken Cox [Microsoft MVP] wrote:

>Is there anything in #2 that gives you an idea?

http://blogs.msdn.com/nunos/archive/.../12/88468.aspx

"JimLad" <ja*********@yahoo.co.ukwrote in message
news:11**********************@k70g2000cwa.googleg roups.com...

In advance, sorry if this is the wrong group...

SQL Server 2000 SP3 on Server 2003. SQL Account and Computer both
Trusted for Delegation. Given SPN.

IIS 5.0 on W2000. Kerberos enabled. Computer Trusted for Delegation.
Integrated Windows Authentication selected. Medium pooled. Not the
default website - using IP address to connect from client.
IWAN_<computernamelocal account is running as part of operating
system and trusted for delegation. (Does anything need to be SPN'd?)

ASP App using trusted ADO connections (impersonation by default as
classic ASP)

User (me) Trusted for Delegation on a client XPSP2 machine. IE6
Kerberos enabled. Proxy bypassed for local addresses.

Getting the classic Double Hop. Any ideas???? You'd think there'd be
some better error messages!

Cheers,

James