Kerberos Double Hop - sql-server

We have the infamous Kerberos double hop issue.
This is a brand new domain, being migrated from another provider where impersonation and delegation was previously working. We have upgraded OS's and to the latest SQL server (2017).
WPF app (using domain creds) -> Web Service (WCF app on IIS 10) -> SQL 2017 (named instance)
The web service is running under a domain account. The web service has an spn registered, Anonymous Auth is disabled as is forms auth, ASP.NET Impersonation and Windows Auth is enabled. Providers are "Negotiate and NTLM," "Kernal Mode" is disabled, "Use App Pool credentials" is enabled. SPN created:
HTTP/<url of web service> <AppPool Creds>
We are able to login to the web service via a browser on a remote computer, enter domain credentials and have the expected response (web page displayed). IIS Log shows domain user creds as expected.
The SQL server is a named instance, running under domain creds. SPNs created:
MSSQLSvc/<fqdn>:<Instance> <SQL Domain Creds>
MSSQLSvc/<sql server netbios>:<Instance> <SQL Domain Creds>
MSSQLSvc/<fqdn>:<port> <SQL Domain Creds>
MSSQLSvc/<sql server netbios>:<port> <SQL Domain Creds>
The IIS App Pool user account in AD is setup for constrained delegation to the SQL server for both the port and the named instance.
When logging in through software to web service (WPF calling WCF Service with no database call), a normal response is seen.
When logging in through software to web service with a database call, sql profiler shows Anonymous Logon. With Kerberos Logging enabled on IIS box, the following error is received:
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc0000225 KLIN(0)
Server Name: MSSQLSvc/<sql server fqdn>:49942
Target Name: MSSQLSvc/<sql server fqdn>:49942#<domain.com>
We also tried unconstrained delegation, but received same result.
SETSPN -X shows no duplicates.
Thank you in advance for your help!

When all else fails, and you've literally spent days and days working on the problem and reading every article on the Internet:
REBOOT
Yup. That was the fix. Rebooting the IIS server which was the server delegating the permissions, fixed the issue.
For those looking to quickly and easily setup constrained delegation between IIS and an instance of SQL, both running under custom domain creds, set your settings exactly as above and reboot.
Best wishes.

Related

Django IIS and SQL with NT Authentication

Good morning. I have several Django apps running in my work environment. All are running through Gunicorn on Ubuntu. I have a new app that must run on Windows for ODBC reasons. This new app is running in development mode on a Windows 10 PC. I run the dev server while logged in as a service account, it uses a trusted connection (local credentials as I understand) to query a SQL server and works perfectly. I ported this app (virtualenv and all) to a Windows Server 2012 r2 instance and run the dev server successfully from there using my domain admin credentials (again trusted_connection=yes).
I set up IIS on this server to run the app permanently and it appears to run. However, I get a django error page that says the SQL login failed for 'DOMAINNAME\SERVERNAME'.
I have tried editing my Application Pool to use the credentials of the working service account (Advanced Settings > Process Model > Identity). With this configuration I no longer see a Django error page, just Service Unavailable HTTP Error 503. I have tried 'recycling' and restarting the IIS service after the change but that has not worked.
Unfortunately, I do not have admin access to the SQL server to create or edit accounts. Is it possible to configure IIS to connect to SQL, through the app, using the service account credentials that I know work. If I were to configure the Application Pool successfully in this way should I still have the trusted connection setting in my connection string? Thanks!

Login failed for user '{domain}\{user}' SqlClient.SqlException in MVC

When I deploy my app to a server, I'm getting the Login failed message. My DB and app are located on two separate physical machines. However this has not posed a problem when developing and testing locally and connecting out to the DB server; only after publishing.
Steps I've taken To attempt to resolve
In my Web.Config I've set Integrated security to false. When integrated security was true, it was giving the same error but with the machine name in place of the user name.
I placed valid credentials in the User ID: and Password: fields of the Web.Config. The credentials placed in Web.Config are also used to log into Sql Server Management Studio directly.
Within SSMS I've also verified those credentials will work under Windows Authentication and SQL Server Authentication.
Those credentials I've set in the app work when I log into the SSMS using Windows Authentication. Advice on how to resolve this would be greatly appreciated. Thanks!
By default, IIS runs your application under a local machine account. This account does not have any permissions to access your SQL Server. In order to achieve integrated security, you need grant it access. There are a few ways to do it, the thread Add IIS 7 AppPool Identities as SQL Server Logons will get you started.
Another way, which is preferred over adding the IIS account, is to create a service account in Active Directory and setting the App Pool Identity in IIS to the service account. Depending on your environment, you should work with your network admin and or DBA to set this up.
Your last option would be to simply use SQL Authentication.

Double Hop with ASP.Net website and NHibernate

Background:
ASP.Net MVC website. Hosted on IIS7, intranet.
Database: SQL Server. Accessed via NHibernate.
In the connection string, access is set to Integrated Security: SSPI.
(Permissions to DB are Active-Directory-based.)
In short, this is a typical double-hop situation,
where I need to pass client's credentials to IIS, and from IIS to SQL Server.
The Problem:
The problem is a yellow screen of death, with the error:
Login failed for user 'MyDomain\UserThatRunsAppPool'.
Things I tried doing to fix The Problem:
Configuring authentication to enable only Windows Authentication
and ASP.NET Impersonation
Setting Windows Authentication Provider to Negotiate:Kerberos
(After disabling Kernel-mode authentication)
Making sure that UserThatRunsAppPool's delegation is set to:
'Trust the user for delegation to any service (Kerberos only)' in Active Directory
Moving the NHibernate SessionFactory creation from Application_BeginRequest()
to Session_Start()
How successful I've been with my attempts to fix The Problem:
Not at all.
EDIT:
I also tried setting IIS server's delegation to 'Trust the user for delegation to any service (Kerberos only)' (in Active Directory).
In short, this is a typical double-hop situation,
where I need to pass client's credentials to IIS, and from IIS to SQL Server.
You've hit upon the "delegation" problem. If you want to remain sane, change your connection string to use a SQL username + password instead of SSPI.
If you feel like two weeks of frustrated debugging and quarreling with your domain admins, read Fun with the Kerberos Delegation Web Site.

Analysis Services database works with ASP.NET Development Server but NOT IIS

I have an ASP.NET application which needs to connect to Analysis Services database.
All components are on the same machine:
Web application
IIS
Visual Studio 2008
SQL Server 2008
My domain account (DOMAINNAME\MyWindowsUsername) is an administrator on the SQL Server and also in "Administrators" group on the local machine.
Web application uses Windows Authentication and identity impersonate="true".
My IIS Windows Authentication settings (I have also tried other combinations but no success...):
Extended Protection: Off
Enable Kernel-mode authentication: true
Enables Providers: NTLM
When I use web application on ASP.NET Development Server (deployed from Visual Studio) then everything works ok. My domain account and corresponding database roles are recognized correctly, and security is working as defined in database roles.
But, when I deploy the same web application (without any changes in code) to IIS I get error (in browser):
An error was encountered in the transport layer.
The peer prematurely closed the connection.
In SQL Profiler (for IIS case when connection fails) I get only these two events:
Audit Login MyWindowsUsername DOMAINNAME
Audit Logout MyWindowsUsername DOMAINNAME
It seems Analysis Services recognizes the impersonated account, but still the connection breaks.
I have noticed that ASP.NET Development Server runs under DOMAINNAME\MyWindowsUsername while IIS under LocalSystem (the default setting). I tried to play with the accounts, adding various system/network account as Analyis Services administrators (just to understand the logic behind this), but also with no success (always the same error).
You must use delegation to pass on the user credential from the web browser to SSAS,
http://msdn.microsoft.com/en-us/library/ff647404.aspx
ASP.NET Development Server simply runs under your log on account, which prevents you from noticing this issue earlier.

Error Accessing SQL Server from an ASMX Web Service

I am accessing my server through remote desktop connection and have configured a webservice in IIS. I am able to see the methods but when I click on the button to "Invoke" I get the following error:
System.Data.SqlClient.SqlException: Login failed for user 'SOLDev\Server02$'.
at ShareWare.Web.Service.WebAPI.Reservation.GetInfo()
Why is it taking the machine name as the user?
My windows authentication user is User1Dev.
Also my directory security in IIS is setup as follows:
Option "Enable anonymous access" -- it's disabled
Option "Integrated Windows Authentication" -- checked off
I am using .NET framework 2.0
Your web service connects to the SQL using Windows authentication as the principal running the service. In this case it appears to be BUILTIN\System or BUILTIN\Network Service, both of which authenticate in the domain as the machine account, ie. 'SOLDEV\Server02$' which corresponds to a machine named Server02 in the domain SOLDEV.
If you wish to authenticate on the SQL Server with your own login, then the IIS must flow the authentication information, in a process called Constrained Delegation. See Configuring Constrained Delegation for Kerberos (IIS 6.0). or How To: Use Protocol Transition and Constrained Delegation in ASP.NET 2.0.
If you want the web service to authenticate to SQL Server as itself, then you must grant login permission to the web service principal on SQL: CREATE LOGIN [SOLDEV\Server02$] FROM WINDOWS.
It's because the web service is running as the Network Service id, not as the logged in user. You probably also need to have <identity impersonate="true" /> in your web config if you are planning to use the user's credentials to connect to SQL Server.

Resources