Kerberos: connection from win app running from IIS to SQL failed

Posted by Mikhail Kislitsyn on Server Fault
Published on 2012-11-22T15:59:42Z Indexed on 2012/11/22 17:00 UTC

I have an IIS web-application with Windows authentication and impersonation. This application connects to SQL server. In this case Kerberos works fine.

But there is a problem. The web application runs a Windows application (not .NET), which also connects to the SQL Server. The Windows application runs with the IIS app user's credentials and impersonates the current site user to connect to the SQL Server.

scheme: http://i.stack.imgur.com/2cgv7.png

When delegation for the IIS user is set to "Trust this computer for delegation to any service", everything works fine. But I can't use this type of delegation according to security requirements.

When I set delegation to "Specific services" and choose the MSSQLSvc SPN, the connection from the Windows application fails with an "ANONYMOUS" fault. Wireshark shows a "KRB5KDC_ERR_BADOPTION" packet.

What am I doing wrong?
