Delegation windows authentication
Note that the first SPN command in each set registers the SPN by referencing just the machine name, and the second one uses the fully qualified domain name of the server. To verify that the SPNs are registered correctly for a service account, you can run the following command:
The next step in setting up delegation is to make sure the SQL Server service accounts are set up so they can perform delegation. Note that the Delegation tab will not be displayed for an account until the SETSPN command for that account has been run. There are two different options you can pick when setting the delegation options for an account, constrained and unconstrained. I decided to use constrained delegation for my setup, since that minimizes the number of services that can perform delegation.
You also need to verify that the computer account within Active Directory is set up to support delegation. To do this, edit the computer properties in Active Directory to look like this:
Lastly, you need to verify that the local security policies on the middle tier server are set up to allow delegation. Once you have set up your accounts and machines, you need to verify that delegation works using linked servers.
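The SPN check the setup above depends on, as an added PowerShell example rather than the article's own command: it lists the SPNs on the SQL Server service account with setspn -L, confirms that both forms the article registers (machine name and fully qualified name, each with the port) are present, and then asks setspn -X for domain-wide duplicates. The account, host, DNS suffix and port are placeholders.

```powershell
# Added example, not code from the original article: verify the MSSQLSvc SPNs on a
# SQL Server service account and look for duplicate SPNs in the domain.
# Assumptions: setspn.exe is on the path; account, host, domain and port below are
# placeholders to replace with your own values.
param(
    [string]$ServiceAccount = 'CONTOSO\sqlsvc',   # placeholder service account
    [string]$SqlHost        = 'SQLMID',           # placeholder machine name
    [string]$DnsDomain      = 'contoso.local',    # placeholder DNS suffix
    [int]   $Port           = 1433
)

# The two SPNs the article registers: short name and FQDN, both with the port.
$expected = @(
    "MSSQLSvc/${SqlHost}:${Port}",
    "MSSQLSvc/${SqlHost}.${DnsDomain}:${Port}"
)

# 'setspn -L <account>' prints a header line, then one indented SPN per line.
$registered = setspn -L $ServiceAccount |
    Where-Object { $_ -match '^\s+\S' } |
    ForEach-Object { $_.Trim() }

$missing = $expected | Where-Object { $registered -notcontains $_ }
if ($missing) {
    Write-Warning "Missing SPN(s) on ${ServiceAccount}: $($missing -join ', ')"
} else {
    Write-Output "Both MSSQLSvc SPNs are registered on $ServiceAccount."
}

# 'setspn -X' searches the forest for SPNs registered to more than one account.
# A duplicate causes Kerberos authentication to that service to fail, so there is
# no ticket to delegate and the linked server test further down will not pass.
$dupReport = setspn -X | Select-String -Pattern 'found (\d+) group'
if ($dupReport -and [int]$dupReport.Matches[0].Groups[1].Value -gt 0) {
    Write-Warning "Duplicate SPNs exist in the domain; review the full 'setspn -X' output."
} else {
    Write-Output "No duplicate SPNs reported by setspn -X."
}
```

Run it from a domain-joined machine as a user allowed to read Active Directory; setspn -X can take a while in a large forest because it walks every account.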
To do this, log on to a client machine using a Windows account. Make sure the account you use has a login established on your middle tier and backend SQL Server machines. Once logged on to your client machine, connect to your middle tier SQL Server machine.
When I am connected, I then open a new query window and verify that I have connected to the middle tier server via Kerberos.
To do this I issue the following command:
Once I have successfully verified that I am connected to the middle tier server using Kerberos, the final test I do is to submit a linked server request to my backend server. So to verify that my delegation is set up, I would issue the following command:
If delegation is not set up, an authentication error will be displayed.
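The same two checks scripted from the client, as an added example that is not the article's own commands: step 1 confirms that the direct session to the middle tier used Kerberos by reading auth_scheme from sys.dm_exec_connections, and step 2 runs that same query on the backend through the linked server, which only succeeds (and only reports KERBEROS) when delegation works. It assumes the SqlServer PowerShell module (Invoke-Sqlcmd) and uses placeholder instance and linked server names.

```powershell
# Added example, not the article's own commands: verify Kerberos on the middle tier,
# then verify that a linked server request reaches the backend with the caller's
# delegated identity. Assumes the SqlServer module; names are placeholders.
param(
    [string]$MiddleTier   = 'SQLMID.contoso.local',  # placeholder middle tier instance
    [string]$LinkedServer = 'SQLBACK'                # placeholder linked server name
)
Import-Module SqlServer -ErrorAction Stop

# sys.dm_exec_connections reports SQL, NTLM or KERBEROS for the current session.
$authQuery = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'

# Step 1: direct connection with integrated (Windows) authentication.
$direct = Invoke-Sqlcmd -ServerInstance $MiddleTier -Query $authQuery -ErrorAction Stop
if ($direct.auth_scheme -ne 'KERBEROS') {
    # NTLM here means no service ticket was obtained (missing or wrong SPN, or the
    # server was addressed by a name without an SPN); there is nothing to delegate.
    throw "Middle tier session is $($direct.auth_scheme), not KERBEROS; check the SPNs first."
}
Write-Output "Middle tier: KERBEROS"

# Step 2: the same query, executed on the backend through the linked server.
$remoteQuery = "SELECT auth_scheme FROM OPENQUERY([$LinkedServer], '$authQuery')"
try {
    $remote = Invoke-Sqlcmd -ServerInstance $MiddleTier -Query $remoteQuery -ErrorAction Stop
    Write-Output "Backend via linked server: $($remote.auth_scheme)"
}
catch {
    # Without delegation the middle tier cannot forward the caller's identity, and the
    # backend rejects the login (the usual symptom is a login failure for
    # NT AUTHORITY\ANONYMOUS LOGON).
    Write-Warning "Linked server query failed: $($_.Exception.Message)"
    Write-Warning "Delegation is not working between $MiddleTier and $LinkedServer."
}
```

With SqlServer module version 22 or later, Invoke-Sqlcmd encrypts connections by default and will refuse a self-signed server certificate; add -Encrypt Optional (or deploy trusted certificates) before reading a failure as a delegation problem.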
In fact, I had a number of failed attempts before I successfully set up my first set of SQL Server machines for delegation. To help me troubleshoot my delegation setup, I used the following document:
This document walks through a number of different situations and provides steps for verifying that your delegation setup is correct. Being able to use Windows authentication for linked servers provides a more secure architecture than defining login mappings.
Thank you for your help. (Wednesday, July 22, AM)
Hi, the credential prompt screen you are facing is by design and cannot be removed as far as I know.
Hello, I have tried to launch my navigator as administrator, but the same issue has been encountered. Can you please help me on this topic? (Monday, July 27, PM)

Another popular Kerberos issue recently has been the need to allow multiple application pools to use the same DNS name. Unfortunately, when you use Kerberos to delegate credentials, you cannot bind the same Service Principal Name (SPN) to different application pools.
You cannot do this because of the design of Kerberos. The Kerberos protocol requires multiple shared secrets for the protocol to work correctly. By using the same SPN for different application pools, we eliminate one of these shared secrets. The Active Directory directory service will not support this configuration of the Kerberos protocol because of the security issue.
Configuring the SPNs in this manner causes Kerberos authentication to fail. A possible workaround for this issue would be to use protocol transitioning, in which Kerberos handles the authentication between IIS and the backend resource server. The client browser may experience issues, such as receiving repeated logon prompts for credentials or "Access Denied" error messages from the server running IIS. We have found the following two known issues that may help resolve these symptoms:
Verify that Enable Integrated Windows Authentication is selected in the browser's properties. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
After you upgrade from IIS 4. For more information about how to fix this issue, click the following article number to view the article in the Microsoft Knowledge Base:
If you are accessing the Web server by using a name other than the actual name of the server, a new Service Principal Name (SPN) must have been registered by using the Setspn tool from the Windows Server Resource Kit. Because the Active Directory directory service does not know this service name, the ticket-granting service (TGS) does not give you a ticket to authenticate the user. This behavior forces the client to renegotiate using the next available authentication method, which is NTLM.
If the Web server is responding to a DNS name of www. To do this, you must download the Setspn tool and install it on the server that is running IIS. If you cannot connect to the server, see the "Verify the computer is trusted for delegation" section.
If you can connect to the server, follow these steps to set an SPN for the DNS name that you are using to connect to the server:
Run the following command to add this new SPN www.
Setspn -L webservername (this lists the SPNs currently registered for the server). Note that you do not have to register all services. This mapping applies only if the Web service is running under the local System account.
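Registering the HTTP SPN for an alternate DNS name without creating the duplicate-SPN condition described above, as an added PowerShell example that is not the Knowledge Base text's own commands: it first asks setspn -Q whether the SPN already exists anywhere in the forest, adds it with setspn -S (which refuses duplicates) only if it does not, and confirms with setspn -L. Per the note above, the SPN belongs on the computer account when the application pool runs as Local System and on the pool's domain service account otherwise; the alias and account names are placeholders.

```powershell
# Added example, not code from the original Knowledge Base text: register an HTTP SPN
# for a DNS alias the IIS server answers to, guarding against the duplicate-SPN
# condition that breaks Kerberos. Alias and account names are placeholders.
param(
    [string]$Alias   = 'www.contoso.local',   # placeholder: the alternate DNS name
    [string]$Account = 'WEBSERVER01'          # placeholder: computer account (Local System) or DOMAIN\poolacct
)
$spn = "http/$Alias"

# 'setspn -Q' searches the forest and prints 'Existing SPN found!' together with the
# distinguished name of the account that already holds the SPN.
$query = setspn -Q $spn
if ($query -match 'Existing SPN found') {
    Write-Warning "$spn is already registered; adding it again would create a duplicate:"
    $query | ForEach-Object { Write-Warning $_ }
    # Two accounts holding one SPN cause the authentication failure described above,
    # so fix or move the existing registration instead of adding a second one.
    return
}

# 'setspn -S' performs its own duplicate check before adding (unlike the older -A).
setspn -S $spn $Account
if ($LASTEXITCODE -ne 0) { throw "setspn -S failed for $spn on $Account" }

# Confirm the registration the way the article does, with setspn -L.
setspn -L $Account | Where-Object { $_ -match [regex]::Escape($spn) }
```

Run this with an account that has write permission on the target account's servicePrincipalName attribute (domain admins or a delegated SPN-management group); clients will not pick up the new SPN until they obtain a fresh service ticket, so log off and back on (or purge the ticket cache) before retesting.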
If this server running IIS is a member of the domain but is not a domain controller, the computer must be trusted for delegation for Kerberos to work correctly. To do this, follow these steps: