impersonation using kerberos

Laurence

Hi,

I have been pulling my hair out for ages on this one, so please help.

I am trying to connect to a SQL server through IIS using impersonation.

I am sure I have done 99% of what is needed to do this and still cannot get
it to work.

So, what have I done:

I have a pure 2003 domain
I have DNS configured and working (as far as I can see, correctly)
I have set all the computers to be able to delegate
I have set all the computer accounts to be able to delegate
I have a web site based on Windows SharePoint Services that works quite
happily when only doing a single hop.

However, when I try to do a double hop I get the dreaded 'Login failed for
user (null)' - implying it's a double hop issue.

I have set SPNs (I think) for all services and users.

However, when using the Microsoft AuthDiag diagnostic tool, I get an error
saying 'Service principal name (SPN) for user 'MyDomain\MyUser' not found
in Active Directory'

I have sorted all other impersonation error messages but not this one.

If I look at the 'MyDomain\MyUser' using ADSI edit the servicePrincipalName
field contains

HOST/MyUser
HOST/MyUser.MyDomain
HTTP/MyIISMachine.MyDomain.co.uk

So is it that:

1) The SPN is wrong - if so, what should it be?
2) The SPN is correct and the diag tool is reporting a different error?
 
Guest

Assuming this is an ASP.NET front end, where ASP.NET runs as NETWORK SERVICE
(2003)... Make sure you have granted the IIS computer account permissions to
the database. Since IIS needs to authenticate, it cannot authenticate with
the local NETWORK SERVICE account. You need to grant the computer's domain
account access to the database. If you have done this, then check the
following.

Is the SQL instance running under a domain user account or SYSTEM? If it is
running under a domain user account, you need to register an SPN for the SQL
instance to that domain user account. I had this problem with a SQL/IIS pair
I had worked on. Once I registered the SQL instance to the domain user
account of which the SQL service was running under, the IIS server was able
to authenticate using its computer account (IISSERVER$).

Use setspn.exe to list SPNs registered to domain user "SQLUser":

setspn.exe -L DOMAIN\SQLUser

To add a SQL SPN:

setspn.exe -A MSSQLSvc/SQLSERVER.domain.com:1433 DOMAIN\SQLUser
{Assigns the SPN for the SQL instance on port 1433 to DOMAIN user "SQLUser"}
 
Laurence

The saga continues.

After checking everything again, in triplicate.....

and then finding out you can enable Kerberos event logging....

I seem to have a couple of possible issues.

1. This Kerberos error appears on my IIS box:

KDC_ERR_S_PRINCIPAL_UNKNOWN

This would seem to imply the SPN is incorrect for the SQL server, which,
using ADSI, for my account domain\svc_sql contains

MSSQLSvc\ComputerName.domain.co.uk:1433

and for the computer account contains

MSSQLSvc\ComputerName.domain.co.uk:1433

Are these wrong? Duplicated? How do you check the Kerberos database?

2. This error appears on my SQL box:

KDC_ERR_BADOPTION

Why can it not accommodate the request option?

Any thoughts gratefully appreciated.


Kerberos V5 Authentication Protocol Error Messages Generated by Windows
Server 2003

Error Number  Kerberos Error Code           Description
0x3           KDC_ERR_BAD_PVNO              Requested protocol version number not supported.
0x6           KDC_ERR_C_PRINCIPAL_UNKNOWN   Client not found in Kerberos database.
0x7           KDC_ERR_S_PRINCIPAL_UNKNOWN   Server not found in Kerberos database.
0x8           KDC_ERR_PRINCIPAL_NOT_UNIQUE  Multiple principal entries in database.
0xA           KDC_ERR_CANNOT_POSTDATE       Ticket not eligible for postdating.
0xB           KDC_ERR_NEVER_VALID           Requested start time is later than end time.
0xC           KDC_ERR_POLICY                KDC policy rejects request.
0xD           KDC_ERR_BADOPTION             KDC cannot accommodate requested option.
0xE           KDC_ERR_ETYPE_NOSUPP          KDC has no support for encryption type.
0xF           KDC_ERR_SUMTYPE_NOSUPP        KDC has no support for checksum type.
0x10          KDC_ERR_PADATA_TYPE_NOSUPP    KDC has no support for pre-authentication data type.
0x12          KDC_ERR_CLIENT_REVOKED        Client's credentials have been revoked.
0x17          KDC_ERR_KEY_EXPIRED           Password has expired - change password to reset.
0x18          KDC_ERR_PREAUTH_FAILED        Pre-authentication information was invalid.
0x19          KDC_ERR_PREAUTH_REQUIRED      Additional pre-authentication required.
0x1B          KDC_ERR_MUST_USE_USER2USER    Server principal valid for user-to-user only.
0x1C          KDC_ERR_PATH_NOT_ACCEPTED     KDC policy rejects transited path.
0x1D          KDC_ERR_SVC_UNAVAILABLE       A service is not available.
0x1F          KRB_AP_ERR_BAD_INTEGRITY      Integrity check on decrypted field failed.
0x20          KRB_AP_ERR_TKT_EXPIRED        Ticket expired.
0x21          KRB_AP_ERR_TKT_NYV            Ticket not yet valid.
0x22          KRB_AP_ERR_REPEAT             Request is a replay.
0x23          KRB_AP_ERR_NOT_US             The ticket isn't for us.
0x24          KRB_AP_ERR_BADMATCH           Ticket and authenticator do not match.
0x25          KRB_AP_ERR_SKEW               Clock skew too great.
0x28          KRB_AP_ERR_MSG_TYPE           Invalid message type.
0x29          KRB_AP_ERR_MODIFIED           Message stream modified.
0x34          KRB_ERR_RESPONSE_TOO_BIG      Response too big for UDP, retry with TCP.
0x3C          KRB_ERR_GENERIC               Generic error (description in e-text).
0x44          KDC_ERR_WRONG_REALM           User-to-user TGT issued different KDC.
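An added example, not part of the thread: a small Python audit over constructed `setspn -L` output for the two accounts discussed above (the service account and the SQL computer account). It flags an SPN entered with a backslash instead of `service/host`, which the KDC can never match, and the same SPN registered on two accounts, which gives the "multiple principal entries" condition in the table. Account names, DNs and host names are the thread's placeholders, not real values.

```python
import re
from collections import defaultdict

# Constructed sample of `setspn -L <account>` output for the two accounts the
# thread talks about (hypothetical names and DNs, not captured from a real domain).
SETSPN_OUTPUT = {
    "DOMAIN\\svc_sql": (
        "Registered ServicePrincipalNames for CN=svc_sql,OU=Services,DC=domain,DC=co,DC=uk:\n"
        "        MSSQLSvc\\ComputerName.domain.co.uk:1433\n"
        "        MSSQLSvc/ComputerName.domain.co.uk:1433\n"
    ),
    "DOMAIN\\COMPUTERNAME$": (
        "Registered ServicePrincipalNames for CN=COMPUTERNAME,CN=Computers,DC=domain,DC=co,DC=uk:\n"
        "        MSSQLSvc/ComputerName.domain.co.uk:1433\n"
        "        HOST/COMPUTERNAME\n"
        "        HOST/ComputerName.domain.co.uk\n"
    ),
}

# Well-formed SPN: service/host[:port][/name]; '/' and ':' are the only separators.
SPN_RE = re.compile(r"^(?P<svc>[^/:\\]+)/(?P<host>[^/:\\]+)(?::(?P<port>\d{1,5}))?(?:/(?P<name>[^/\\]+))?$")


def parse_setspn(text):
    """Return the SPN strings listed below the 'Registered ServicePrincipalNames' header."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("Registered ServicePrincipalNames")]


def check_spn(spn):
    """Return None for a well-formed SPN, otherwise a short reason it will never match."""
    if "\\" in spn:
        return "backslash instead of '/': the KDC looks up service/host, so this entry is never found"
    if not SPN_RE.match(spn):
        return "does not match service/host[:port][/name]"
    return None


def audit(outputs):
    """Flag malformed SPNs (real SPN stays unregistered -> KDC_ERR_S_PRINCIPAL_UNKNOWN)
    and SPNs held by two accounts (ambiguous -> KDC_ERR_PRINCIPAL_NOT_UNIQUE)."""
    malformed, owners = [], defaultdict(list)
    for account, text in outputs.items():
        for spn in parse_setspn(text):
            reason = check_spn(spn)
            if reason:
                malformed.append((account, spn, reason))
            else:
                owners[spn.lower()].append(account)  # AD compares SPNs case-insensitively
    duplicates = {spn: accts for spn, accts in owners.items() if len(accts) > 1}
    return {"malformed": malformed, "duplicates": duplicates}
```

Feed it the real `setspn -L` output for every account that might hold the SQL SPN (service account and computer account) and fix whichever finding it reports before looking further at delegation settings.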
 
