May 11, 2010 at 11:01 am
Hello All :-)
As the title of this post might suggest I need some advice or to be pointed in the right direction. I have a Windows IIS server located in a DMZ in its own workgroup. I've a 2008 SQL server located in a domain that the IIS server needs to access. The SQL server has been set up using Windows authentication and needs to stay like that.
A .NET application is running on the IIS server and is trying to access the SQL Server. In order to do this:
1. Created an SQL service account on the domain and have assigned it logon privileges to the SQL server. It can access the SQL server fine from within the domain.
2. Created an SQL application account on the domain to run the IIS application pool.
3. Created the service principal names on the SQL server:
setspn -A http/test.iis.local sqlappacc
Actually I'm not sure what is required after the http/; most information I found seems to suggest the FQDN of the website, but I wonder if this is important, and would just the machine name do?
setspn -A MSSQLSvc/sql1.leon.local:1433 sqladminacc
4. I then set the delegation for the sqlappacc in Active Directory, selected "Trust this user for delegation to specified services only", added the sqladminacc that I created the SPN against, and also selected "use any authentication protocol".
5. Added the following two lines to the webconfig.txt:
<identity impersonate="true" />
<authentication mode="Windows" />
6. Created a username on the IIS server of sqlappacc, then created an application pool and set it to run under this account. I then also set the .NET app to use this application pool.
When I try to run the .NET app I get the following error from the IIS server:
[SqlException (0x80131904): Login failed. The login is from an untrusted domain and cannot be used with Windows authentication.]
On the SQL side I get the following event log error messages:
Log Name: Application
Source: MSSQLSERVER
Date: 11/05/2010 13:24:55
Event ID: 18452
Task Category: Logon
Level: Information
Keywords: Classic,Audit Failure
User: N/A
Computer: sql1.leon.local
Description:
Login failed. The login is from an untrusted domain and cannot be used with Windows authentication. [CLIENT: 192.168.130.10]
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSSQLSERVER" />
<EventID Qualifiers="49152">18452</EventID>
<Level>0</Level>
<Task>4</Task>
<Keywords>0x90000000000000</Keywords>
<TimeCreated SystemTime="2010-05-11T12:24:55.000Z" />
<EventRecordID>2448</EventRecordID>
<Channel>Application</Channel>
<Computer>sql1.leon.local</Computer>
<Security />
</System>
<EventData>
<Data> [CLIENT: 192.168.130.10]</Data>
<Binary>144800000E00000005000000530051004C0031000000070000006D00610073007400650072000000</Binary>
</EventData>
</Event>
Log Name: Application
Source: MSSQLSERVER
Date: 11/05/2010 13:24:55
Event ID: 17806
Task Category: Logon
Level: Error
Keywords: Classic
User: N/A
Computer: sql1.leon.local
Description:
SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed. [CLIENT: 192.168.130.10]
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="MSSQLSERVER" />
<EventID Qualifiers="49152">17806</EventID>
<Level>2</Level>
<Task>4</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2010-05-11T12:24:55.000Z" />
<EventRecordID>2447</EventRecordID>
<Channel>Application</Channel>
<Computer>sql1.leon.local</Computer>
<Security />
</System>
<EventData>
<Data>8009030c</Data>
<Data> [CLIENT: 192.168.130.10]</Data>
<Binary>8E4500001400000005000000530051004C003100000000000000</Binary>
</EventData>
</Event>
I've been trying this for some time and haven't made much progress with it. Do I need to do anything else? I checked to see whether I had multiple SPNs and I don't. I'd be grateful for any help on this one before I go mad.
Thanks :w00t:
P.S. If this is posted in the wrong place please feel free to move it.
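A check worth running against the domain before changing anything else, as an added PowerShell example that is not part of the original post: it confirms that each of the two SPNs from the post is registered on exactly one account, and that sqlappacc's constrained-delegation list actually contains the MSSQLSvc SPN. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the account and SPN names are the ones given in the post.

```powershell
# Added example, not part of the original post.
# Assumes the RSAT ActiveDirectory module and a domain-joined machine.
Import-Module ActiveDirectory

$AppAccount = 'sqlappacc'                     # IIS application pool identity (domain account)
$SqlAccount = 'sqladminacc'                   # SQL Server service account
$HttpSpn    = 'http/test.iis.local'
$SqlSpn     = 'MSSQLSvc/sql1.leon.local:1433'

# userAccountControl flag values from the AD schema
$TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained ("any service") delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # "use any authentication protocol"

$findings = @()

# 1. Each SPN must be registered on exactly one account; a duplicate SPN breaks Kerberos
#    for both owners, and an SPN on the wrong account means the wrong key decrypts the ticket.
$expectedOwners = @{ $HttpSpn = $AppAccount; $SqlSpn = $SqlAccount }
foreach ($entry in $expectedOwners.GetEnumerator()) {
    $spn = $entry.Key
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    switch ($owners.Count) {
        0 { $findings += "MISSING    $spn is not registered on any account" }
        1 { if ($owners[0].sAMAccountName -ne $entry.Value) {
                $findings += "WRONG      $spn is on $($owners[0].sAMAccountName), expected $($entry.Value)" } }
        default { $findings += "DUPLICATE  $spn is on: $($owners.sAMAccountName -join ', ')" }
    }
}

# 2. The pool account must be allowed to delegate to the SQL SPN (msDS-AllowedToDelegateTo).
$app     = Get-ADUser $AppAccount -Properties 'msDS-AllowedToDelegateTo', userAccountControl
$allowed = @($app.'msDS-AllowedToDelegateTo')
if ($allowed -notcontains $SqlSpn) {
    $findings += "DELEGATION $AppAccount may not delegate to $SqlSpn (has: $($allowed -join ', '))"
}
$uac = $app.userAccountControl
if ($uac -band $TRUSTED_FOR_DELEGATION) {
    $findings += "RISK       $AppAccount has unconstrained delegation; constrained is the safer setting"
}
if (-not ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
    $findings += "INFO       protocol transition is off; the front end must itself authenticate with Kerberos"
}

if ($findings.Count -eq 0) { 'SPN and delegation configuration looks consistent.' } else { $findings }
```

Delegation is a property of the domain account: a local account called sqlappacc on a workgroup IIS server is a different principal with no Kerberos identity, so the pool has to run as the domain account (or the server be domain-joined) before any of these settings take effect.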