01-24-06 12:51 PM
Also, you can use the Kerbtray tool to verify what Kerberos tickets the user has
(that'll help tell you whether Kerberos is being used to auth to the IIS
box).
Once we have Kerberos verified as working between client <-> IIS we can look
at IIS <-> SQL Server
Cheers
Ken
"Ken Schaefer" <kenREMOVE@THISadOpenStatic.com> wrote in message
news:OpY3rjNIGHA.984@tk2msftngp13.phx.gbl...
: Hi,
:
: I would start by looking in the Security Event logs on the servers. Verify
: that the authentication package being used isn't NTLM for the logons that
: don't work.
:
: Cheers
: Ken
:
:
: "Tyler S" <TylerS@newsgroups.nospam> wrote in message
: news:uOjkOHsHGHA.3024@TK2MSFTNGP10.phx.gbl...
:: I am experiencing a very odd and frustrating Kerberos delegation problem (I
:: think) that I hope someone can help me figure out. I want to make my web
:: server use the credentials of the user accessing the website to access my
:: SQL Server using integrated authentication. The problem I have is that
:: sometimes the delegation works and sometimes it doesn't.
::
:: My test environment is as follows:
:: - Client: Windows XP SP2 running IE v6.0 (negotiating a Kerberos session
:: w/IIS server)
:: - WebServer: Windows 2003 SP1 Server running IIS v6.0
:: - SQL Server: Windows 2003 SP1 Server running SQLServer 2005 Beta, SPN for
:: this service and its port is configured
:: - Domain: Windows Server 2003 functional level, WebServer is configured as
:: "Trust this computer for delegation to any service (Kerberos Only)", SQL
:: Server domain account is configured as "Trust this user for delegation to
:: any service (Kerberos Only)"
::
:: I have put the sample ASP page onto my web server as its default page
:: (http://support.microsoft.com/kb/319723/en-us).
::
:: If I use IE to attempt to retrieve the page, it will prompt me for my
:: password (I have configured IE to always ask) and then bring up the page.
:: The auth_user is the user I specified and the auth_type is 'Negotiate', but
:: I still get the following error in the page contents:
::
:: Microsoft OLE DB Provider for SQL Server error '80004005'
:: Login failed for user ''. The user is not associated with a trusted SQL
:: Server connection
::
:: If I use wfetch v1.3 to pull up the same page (authentication selected is
:: 'Negotiate' and same domain/user name/password is supplied), the wfetch
:: results will retrieve the page successfully. If I then try IE again right
:: away, it also will now work! (huh???) If I wait a few minutes and try IE
:: again, it will fail with the same error as before.
::
:: I have reviewed the IIS logs and cannot see anything really amiss in them.
:: For the IE that fails, the logs look as follows:
:: 2006-01-21 19:29:19 W3SVC1 10.0.0.12 GET / - 80 - 172.16.255.199 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
:: 2006-01-21 19:29:30 W3SVC1 10.0.0.12 GET /Default.asp |20|80004005|Login_failed_for_user_''._The_user_is_not_associated_with_a_trusted_SQL_Server_connection. 80 <DOMAIN>\<USERNAME> 172.16.255.199 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 500 0 0
::
:: For the wfetch that works, the logs look as follows:
:: 2006-01-21 19:31:49 W3SVC1 10.0.0.12 GET /Default.asp - 80 <DOMAIN>\<USERNAME> 172.16.255.199 - 200 0 0
::
:: After the wfetch that works, the logs look as follows for IE working:
:: 2006-01-21 19:33:50 W3SVC1 10.0.0.12 GET / - 80 - 172.16.255.199 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 401 2 2148074254
:: 2006-01-21 19:33:50 W3SVC1 10.0.0.12 GET /Default.asp - 80 <DOMAIN>\<USERNAME> 172.16.255.199 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322) 200 0 0
::
:: I have tried to work through a number of the Microsoft Kerberos/IIS
:: troubleshooting guides, but none seem to cover this specific problem I'm
:: having. Can someone please help me understand what is going on and what I
:: should do to fix this problem?
::
:: Thanks, Tyler
::
::
:
:
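An added example, not part of the original posts: a small Python triage of the IIS log lines quoted in the thread, with the field order inferred from those lines (no #Fields header is shown) and the helper names hypothetical. It decodes the sc-win32-status value 2148074254 as the SSPI code 0x8009030E and shows that the same 401.2 entry precedes both the failing and the working IE request, so the entry worth comparing is the authenticated request that follows it.

```python
# Added example (not from the thread): triage the IIS 6.0 log lines quoted above.
# Assumption: field order is inferred from the quoted lines; no #Fields header is shown.
FIELDS = ("date time s-sitename s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status").split()

# SSPI status codes; IIS logs them in sc-win32-status as unsigned decimal.
SSPI = {0x8009030C: "SEC_E_LOGON_DENIED", 0x8009030E: "SEC_E_NO_CREDENTIALS"}

UA = "Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+SV1;+.NET+CLR+1.1.4322)"
ASP_ERR = ("|20|80004005|Login_failed_for_user_''._The_user_is_not_associated_"
           "with_a_trusted_SQL_Server_connection.")
USER = "<DOMAIN>\\<USERNAME>"   # placeholder exactly as it appears in the thread
PREFIX = "W3SVC1 10.0.0.12 GET"
# Log lines from the thread, re-joined after newsreader line wrapping.
SAMPLE = [
    f"2006-01-21 19:29:19 {PREFIX} / - 80 - 172.16.255.199 {UA} 401 2 2148074254",
    f"2006-01-21 19:29:30 {PREFIX} /Default.asp {ASP_ERR} 80 {USER} 172.16.255.199 {UA} 500 0 0",
    f"2006-01-21 19:31:49 {PREFIX} /Default.asp - 80 {USER} 172.16.255.199 - 200 0 0",
    f"2006-01-21 19:33:50 {PREFIX} / - 80 - 172.16.255.199 {UA} 401 2 2148074254",
    f"2006-01-21 19:33:50 {PREFIX} /Default.asp - 80 {USER} 172.16.255.199 {UA} 200 0 0",
]

def parse(line):
    """Split one W3C log line into a dict; numeric status fields become ints."""
    values = line.split()
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    rec = dict(zip(FIELDS, values))
    for key in ("sc-status", "sc-substatus", "sc-win32-status"):
        rec[key] = int(rec[key])
    return rec

def classify(rec):
    """Return (label, detail) for one parsed request."""
    status, user, query = rec["sc-status"], rec["cs-username"], rec["cs-uri-query"]
    if status == 401 and user == "-":
        code = rec["sc-win32-status"]
        return "challenge", f"401.{rec['sc-substatus']} {SSPI.get(code, hex(code))}"
    if status == 500 and user != "-" and query.startswith("|"):
        # ASP writes |line|code|description into cs-uri-query on a script error.
        _, line_no, code, text = query.split("|", 3)
        return "second-hop-failure", f"ASP line {line_no}, {code}: {text.replace('_', ' ')}"
    if status == 200 and user != "-":
        return "ok", f"served as {user}"
    return "other", str(status)

if __name__ == "__main__":
    for raw in SAMPLE:
        rec = parse(raw)
        print(rec["time"], *classify(rec))
```

In the "second-hop-failure" entry cs-username is populated, so the user did authenticate to IIS; the error text in cs-uri-query comes from the SQL Server login made by the ASP page.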