Calling Kerberos experts!

[kristanm]

I have a problem with delegation in an 3 tier client-webserver-database
server environment.

Basically I have impersonation working through so that MyDomain\UserA
using IE on their PC is impersonated at the DB level so SQL sees the NT
user as MyDomain\UserA. This works fine most of the time, but there
seems to be some kind of timeout issue, if we leave IE alone for a
while, I get the
"login failed for NT Authority\Anonymous Login" error. Refreshing the
page doesn't fix it, you have to close IE and open it again, and the
users don't really like the fix It's not the .net ASP session timing
out as that's set to 9999 minutes, and seems to happen after about 15.

I'm really confused as to where to look do correct this, as I would
have thought anything wrong with the setup would have prevented it
working at all.

I'm rebooting the webserver at the weekend to put kerberos logging on
to see what tickets are getting issued/requested etc. but I'm rapidly
running out of ideas and am fairly out of my depth with technical
kerberos details.

Is there any kind of timeout issue that anyone has come across or ideas
where to look for the configuration?

Thanks in advance,

Kristan

 

[Ace Fekay [MVP]]

In

I have a problem with delegation in an 3 tier
client-webserver-database server environment.

Basically I have impersonation working through so that MyDomain\UserA
using IE on their PC is impersonated at the DB level so SQL sees the
NT user as MyDomain\UserA. This works fine most of the time, but there
seems to be some kind of timeout issue, if we leave IE alone for a
while, I get the
"login failed for NT Authority\Anonymous Login" error. Refreshing the
page doesn't fix it, you have to close IE and open it again, and the
users don't really like the fix It's not the .net ASP session
timing out as that's set to 9999 minutes, and seems to happen after
about 15.

I'm really confused as to where to look do correct this, as I would
have thought anything wrong with the setup would have prevented it
working at all.

I'm rebooting the webserver at the weekend to put kerberos logging on
to see what tickets are getting issued/requested etc. but I'm rapidly
running out of ideas and am fairly out of my depth with technical
kerberos details.

Is there any kind of timeout issue that anyone has come across or
ideas where to look for the configuration?

Thanks in advance,

Kristan

I don't think Kerberos will help you here. I'm not exactly sure where the
problem maybe, but I think it can be due to the session timing out on the
webserver side in the website properties in IIS. Do you have a time-out set
as well for when the page expires?

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

If this post is viewed at a non-Microsoft community website, and you were to
respond to it through that community's website, I may not see your reply
unless that website posts replies back to the original Microsoft forum.
Therefore, please direct all replies ONLY to the Microsoft public newsgroup
this thread originated in so all can benefit or ensure the web community
posts it back to the original forum.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Microsot Certified Trainer
Infinite Diversities in Infinite Combinations.
=================================