I am trying to use host headers and still use Kerberos authentication to
access a SQL Server database. It authenticates fine to the database when not
using host headers. I believe the problem has to do with setting an SPN.

Can you use host headers for several sites and successfully authenticate
through to the database using Kerberos?

Should an SPN be set matching the host header value?
--
Mark

Re: Using host headers for sites and double hop authentication by Ken

Ken
Sun Mar 05 04:56:57 CST 2006

Yes. Set an SPN for the host header value that you are using to access the
website. Register it under the machine account if you are using one of the
in-built security principals to run the web app pool (i.e. Network Service,
Localsystem, Local Service), or under the user account that you are using to
run the web app pool if you are using a custom account.

Cheers
Ken


Re: Using host headers for sites and double hop authentication by masmith

masmith
Mon Mar 06 09:36:32 CST 2006

I still do not know what I need to use for the SPN.

The application pool account is "Network Service" account.

I have the DelegConfig (Kerberos) from Microsoft to test with.
This is configured both on a default site and a separate site with a host
header set to a value like name.co.org.
Running the Kerberos test on both results in:
Valid domain account connecting with Kerberos authentication.
Domain Account <domain>\<server>$(NT AUTHORITY\NETWORK SERVICE)
A usable ServicePrincipalName ...
Account ... is Trusted for Delegation with Kerberos Only ...
Backend
Account ... is a valid domain account.
A usable ServicePrincipalName ... is configured on the ...
The current configuration is correct for Delegation credentials with
Kerberos.

When I switch the site with the host header to point to an ASP.NET
application it authenticates to the site but fails to authenticate to the SQL
Server database. The error is "Login failed for user 'NT AUTHORITY\ANONYMOUS
LOGON'."

When I test with the default site <server name>/<site name>.webpage.aspx it
does the double hop.
When I test with the other configured site with a host header like
name.co.org it fails with "Login failed for user 'NT AUTHORITY\ANONYMOUS
LOGON'."

Thank you for your previous response.
--
Mark



Re: Using host headers for sites and double hop authentication by Ken

Ken
Mon Mar 13 23:52:05 CST 2006

When using Kerberos authentication, the client (i.e. the user) needs to get
a "service ticket" from the Domain Controller.

When you install IIS, IIS setup will register an SPN for <servername> and
<server.domain.com> with your domain controller.

If you use some /other/ name (e.g. some other arbitrary FQDN) to connect to
the server, you need to register an SPN. This is so that your domain
controller knows about that service name, and can generate the appropriate
service tickets to give to the client machine. The client machine then sends
these to the web server to authenticate. If AD doesn't know about the
service, it can't create the necessary service tickets.

This is why you need to register the SPN using SetSPN.exe.

Cheers
Ken


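An added example, not from either poster, that carries out what Ken's two replies describe: register HTTP/<host header> on the machine account when the pool runs as a built-in identity such as Network Service, otherwise on the custom pool account, and check first that no other account already holds that SPN (a duplicate is one common reason the second hop degrades to NTLM and shows up as ANONYMOUS LOGON). name.co.org is the host header from the thread; the server name WEB01, domain CORP and account svc_webpool are placeholders.

```powershell
# Added example (not from the thread): register the HTTP SPN for an IIS host
# header on the account that actually presents credentials to AD.
# Assumptions: "name.co.org" is the host header from the thread; WEB01,
# CORP and svc_webpool are placeholders for your own server, domain and account.
param(
    [string]$HostHeader   = "name.co.org",
    [string]$WebServer    = "WEB01",
    [string]$PoolIdentity = "NT AUTHORITY\NETWORK SERVICE"   # or "CORP\svc_webpool"
)

# Network Service, Local System and Local Service all authenticate to the
# domain as the computer account (WEB01$), so the SPN belongs on the computer
# object. A custom application pool account gets the SPN on its own user object.
$builtIn = @("NT AUTHORITY\NETWORK SERVICE",
             "NT AUTHORITY\SYSTEM",
             "NT AUTHORITY\LOCAL SERVICE")
if ($builtIn -contains $PoolIdentity.ToUpper()) {
    $target = $WebServer        # setspn resolves the computer name to WEB01$
} else {
    $target = $PoolIdentity     # DOMAIN\user form, accepted by setspn
}

$spn = "HTTP/$HostHeader"

# Duplicate check via an LDAP search: if two accounts advertise the same SPN the
# KDC cannot choose a key to encrypt the service ticket with, the client falls
# back to NTLM, and the back-end hop arrives as NT AUTHORITY\ANONYMOUS LOGON.
$searcher = [adsisearcher]"(servicePrincipalName=$spn)"
$holders  = @($searcher.FindAll() |
              ForEach-Object { $_.Properties["distinguishedname"][0] })
if ($holders.Count -gt 0) {
    Write-Warning "$spn is already registered on: $($holders -join '; ')"
    Write-Warning "Remove it from the wrong account (setspn -D) before adding it here."
    return
}

# Register the SPN, then list what the target account now advertises so the
# HTTP/name.co.org entry can be confirmed alongside the defaults IIS setup added.
& setspn.exe -A $spn $target
& setspn.exe -L $target
```

Run it on a domain-joined machine as a user allowed to write servicePrincipalName on the target object; if the host header is a short name that clients also reach by FQDN, run it once per name.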