on Server Fault
See other posts from Server Fault
or by Mikhail Kislitsyn
Published on 2012-11-22T15:59:42Z Indexed on 2012/11/22 17:00 UTC
Read the original article Hit count: 136
I have an IIS web-application with Windows authentication and impersonation. This application connects to SQL server. In this case Kerberos works fine.
But there is a problem. Web-application runs windows application (not .NET), which also connects to the SQL server. Windows application runs with IIS app user credentials and impersonates current site user to connect to SQL server.
When delegation for IIS user is set to "Trust this computer for delegation to any service" everything works fine. But I can't use this type of delegation according to security requirements.
When I set delegation to "Specific services" and choose MSSQLSvc SPN, connection from windows application fails with "ANONIMOUS" fault. WireShark shows "KRB5KDC_ERR_BADOPTION" packet.
What I'm doing wrong?
© Server Fault or respective owner