IIS Server Security - Impersonation and Delegation with ASP ASP.NET 1.1 IIS6 SQLXML


Author Impersonation and Delegation with ASP ASP.NET 1.1 IIS6 SQLXML
JimLad

2006-11-17, 7:29 am

Hi,

I'm working on Server 2003 servers with XP client. I'm trying to set up
a fairly typical scenario of client - webserver - db server with
Impersonation and delegation. Using default website which hosts ASP,
ASP.NET 1.1 and SQLXML Web Release 1 Virtual Directory. There is
another website (same configuration) set up but it is stopped (it uses
host headers and same application pool).

Application pool is using Network Service.
SQL Server 2000 is running under dbservernetbios_system account

The annoying thing is that it was working a couple of days ago and then
I started messing with the SPNs and AD settings and now it's bust
again. Just goes to show that I don't fully understand it yet, which I
must do before going live!!

The basics are all done (Impersonate=true, Authentication = Windows, no
anonymous, IWA only). Client settings are all correct.

SPNs are:
C:\>setspn -l s05010016 (this is the db server)
Registered ServicePrincipalNames for CN=S05010016,CN=Computers,DC=corp,DC=dnsdom,DC=net:
SMTPSVC/S05010016
SMTPSVC/s05010016.corp.dnsdom.net
LiveState Recovery Agent 3.0/s05010016.corp.dnsdom.net
HOST/S05010016
HOST/s05010016.corp.dnsdom.net

C:\>setspn -l s05010016_system (this is the account SQL Server is running under)
Registered ServicePrincipalNames for CN=S05010016_system,OU=Users\\Groups,OU=ServiceAdmins,DC=corp,DC=dnsdom,DC=net:
MSSQLSvc/S05010016:1433
MSSQLSvc/S05010016.corp.dnsdom.net:1433

C:\>setspn -l s05010097 (this is the web server)
Registered ServicePrincipalNames for CN=S05010097,CN=Computers,DC=corp,DC=dnsdom,DC=net:
HOST/S05010097
HOST/s05010097.corp.dnsdom.net

My account is delegatable. No delegation is set up on the db server or
SQL account. Constrained delegation (any protocol) is set up on web
server for service s05010016_system only.

The thing is that a basic ASP page is working, but ASP.NET is not
working (NTAUTHORITY yadda yadda). What is the most likely explanation
for this?

Cheers,

James
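
A consistency check over the `setspn -l` listings in the post above, as an added example that is not part of the original thread: it parses the listings, reports any SPN registered on more than one account, and shows which account owns a given service's SPN. The function names and the rejoined sample text are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed input: the three `setspn -l` listings from the post above,
# with each wrapped distinguished name rejoined onto its header line.
SAMPLE = r"""
Registered ServicePrincipalNames for CN=S05010016,CN=Computers,DC=corp,DC=dnsdom,DC=net:
    SMTPSVC/S05010016
    SMTPSVC/s05010016.corp.dnsdom.net
    LiveState Recovery Agent 3.0/s05010016.corp.dnsdom.net
    HOST/S05010016
    HOST/s05010016.corp.dnsdom.net
Registered ServicePrincipalNames for CN=S05010016_system,OU=Users\\Groups,OU=ServiceAdmins,DC=corp,DC=dnsdom,DC=net:
    MSSQLSvc/S05010016:1433
    MSSQLSvc/S05010016.corp.dnsdom.net:1433
Registered ServicePrincipalNames for CN=S05010097,CN=Computers,DC=corp,DC=dnsdom,DC=net:
    HOST/S05010097
    HOST/s05010097.corp.dnsdom.net
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):$")

def parse_setspn(text):
    """Return {account DN: [SPN, ...]} from concatenated `setspn -l` output."""
    accounts, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = HEADER.match(line)
        if m:
            current = accounts.setdefault(m.group(1), [])
        elif "/" in line and current is not None:
            current.append(line)
    return accounts

def duplicate_spns(accounts):
    """SPNs (compared case-insensitively) registered on more than one account."""
    owners = defaultdict(set)
    for dn, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

def owners_of(accounts, service_class, host):
    """Accounts holding a service_class SPN for host, matched on the first DNS label."""
    want = (service_class.lower(), host.lower().split(".")[0])
    return sorted({dn for dn, spns in accounts.items() for spn in spns
                   if (spn.partition("/")[0].lower(),
                       re.split(r"[.:/]", spn.partition("/")[2].lower())[0]) == want})
```

On this input no SPN is duplicated, and both MSSQLSvc SPNs belong to the s05010016_system account.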

JimLad

2006-11-17, 7:29 am

I take that back. ASP isn't working either.

James

JimLad wrote:

> Hi,
>
> I'm working on Server 2003 servers with XP client. I'm trying to set up
> a fairly typical scenario of client - webserver - db server with
> Impersonation and delegation. Using default website which hosts ASP,
> ASP.NET 1.1 and SQLXML Web Release 1 Virtual Directory. There is
> another website (same configuration) set up but it is stopped (it uses
> host headers and same application pool).
>
> Application pool is using Network Service.
> SQL Server 2000 is running under dbservernetbios_system account
>
> The annoying thing is that it was working a couple of days ago and then
> I started messing with the SPNs and AD settings and now it's bust
> again. Just goes to show that I don't fully understand it yet, which I
> must do before going live!!
>
> The basics are all done (Impersonate=true, Authentication = Windows, no
> anonymous, IWA only). Client settings are all correct.
>
> SPNs are:
> C:\>setspn -l s05010016 (this is the db server)
> Registered ServicePrincipalNames for CN=S05010016,CN=Computers,DC=corp,DC=dnsdom,DC=net:
> SMTPSVC/S05010016
> SMTPSVC/s05010016.corp.dnsdom.net
> LiveState Recovery Agent 3.0/s05010016.corp.dnsdom.net
> HOST/S05010016
> HOST/s05010016.corp.dnsdom.net
>
> C:\>setspn -l s05010016_system (this is the account SQL Server is running under)
> Registered ServicePrincipalNames for CN=S05010016_system,OU=Users\\Groups,OU=ServiceAdmins,DC=corp,DC=dnsdom,DC=net:
> MSSQLSvc/S05010016:1433
> MSSQLSvc/S05010016.corp.dnsdom.net:1433
>
> C:\>setspn -l s05010097 (this is the web server)
> Registered ServicePrincipalNames for CN=S05010097,CN=Computers,DC=corp,DC=dnsdom,DC=net:
> HOST/S05010097
> HOST/s05010097.corp.dnsdom.net
>
> My account is delegatable. No delegation is set up on the db server or
> SQL account. Constrained delegation (any protocol) is set up on web
> server for service s05010016_system only.
>
> The thing is that a basic ASP page is working, but ASP.NET is not
> working (NTAUTHORITY yadda yadda). What is the most likely explanation
> for this?
>
> Cheers,
>
> James


JimLad

2006-11-17, 1:22 pm

Hi,

I've narrowed this down a lot to constrained delegation. Please see my
later post 'Constrained Delegation Problem: SQL partially delegated'.

Cheers,

James

JimLad wrote:
> I take that back. ASP isn't working either.
>
> James
>
> JimLad wrote:
>


Copyright 2003 - 2008 webservertalk.com