IIS 7, SQL, and Kerberos

  • Hey gang,

    We're trying very hard to connect an internal webapp to an SQL Server 2008 R2.

    I really want to know which authenticated user is connecting to SQL Server.

    The IIS and SQL servers are on the same physical box.

    I believe we are in the classic "double-hop" scenario.

    The best info I've found so far is at:

    http://www.adshotgyan.com/2011/01/kerberos-double-hop-troubleshooting_4351.html

    We've worked through everything in that post, except we're using a single AD account, rather than the 2 in that example. It does not appear to be implied that 2 accounts must be used.

    Questions:

    When the Application Pool Defaults are set to use the AD domain account we've set up to connect, the connection is made to SQL Server via TCP, but it always uses NTLM, not Kerberos. If I remove NTLM as a provider in IIS - Authentication, I get a 401 - invalid credentials.

    Can anyone point me to where to look next?

    Thanks!

  • Progress!

    Authentication Type: Negotiate

    Protocol: Kerberos

    Authenticated identity: Domain\Me

    Thread identity: Domain\Me

    Windows identity: Domain\SQL-Service

    Environment identity: SQL-Service

    We're now using Kerberos at least as far as the IIS Server!

    So now we just need to get to the SQL Server...
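
An added example, not part of the original posts: one way to see which login and which authentication scheme actually reach SQL Server on the second hop is to query the session and connection DMVs on the instance. It assumes the caller has VIEW SERVER STATE permission; the column aliases are illustrative.

```sql
-- Added example (not from the thread): list user sessions with the login
-- SQL Server sees and the authentication scheme negotiated for each connection.
-- Requires VIEW SERVER STATE on the instance.
SELECT
    s.session_id,
    s.login_name            AS effective_login,   -- identity the session runs as
    s.original_login_name   AS original_login,    -- identity that opened the session
    s.nt_domain,
    s.nt_user_name,
    s.host_name             AS client_host,
    s.program_name          AS client_program,
    c.net_transport,                              -- TCP, Shared memory, Named pipe
    c.auth_scheme,                                -- SQL, NTLM or KERBEROS
    c.client_net_address,
    c.connect_time,
    CASE c.auth_scheme
        WHEN 'KERBEROS' THEN 'Kerberos ticket presented to SQL Server'
        WHEN 'NTLM'     THEN 'NTLM used; Kerberos was not negotiated for this hop'
        ELSE 'SQL login; no Windows authentication'
    END                     AS auth_note
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c
    ON c.session_id = s.session_id
WHERE s.is_user_process = 1
  AND c.parent_connection_id IS NULL              -- skip MARS child connections
ORDER BY c.connect_time DESC;
```

If `effective_login` shows the application pool account rather than the browsing user, the web application is connecting as itself and the user's identity is not being delegated to SQL Server.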
