Context
I am trying to configure Kerberos in the domain for double-hop authentication. So here are the machines and their respective roles:
client01: Windows 7 as client
dc01: Windows Server 2008 R2 as domain controller and dns
server01: Windows Server 2008 R2 as reporting server (native mode)
server02: Windows Server 2008 R2 as SQL Server database engine
I want my client01 to connect to server01 and configure a data source that is located on server02 using Intergrated Security. So as NTLM cannot push credentials that far, I need to setup Kerberos to enable double-hop authentication. The reporting service is runned by the Network Service service account and is configured only with the RSWindowsNegotiate options for authentication.
Issue
I cannot get to pass my client01 credential to server02 when configuring the data source on server01. Therefore I get the error:
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
So I went on dc01 and delegated full trust for any service to server01 but it not fixed the problem. I want to notice that I did not configured any SPNs for server01 because Reporting Service is runned by Network Service and from what I read on the Internet, when Reporting Services is going up with Network Service, SPNs are automatically registered. My problem is that even if that I want to configure SPNs manually, I do not know where I have to set them up. On dc01 or on server01?
So I went a bit further on the issue and tried to trace this problem. From my understanding of Kerberos, this is what should happen on the network when I try to connect the data source:
client01 ---- AS_REQ ---> dc01
<--- AS_REP ----
client01 ---- TGS_REQ ---> dc01
<--- TGS_REP ----
client01 ---- AP_REQ ---> server01
<--- AP_REP ----
server01 ---- TGS_REQ ---> dc01
<--- TGS_REP ----
server01 ---- AP_REQ ---> server02
<--- AP_REP ----
So captured my local network with Wireshark, but whenever I try to configure my data source from client01 on server01 to pass my credentials to server02, my client never sends a AS_REQ or TGS_REQ to the KDC on dc01.
Questions
So does anyone can tell me if I should configure the SPNs and on which machine does it have to be configured?
Also why client01 never request for a TGT or a TGS to my KDC. Do you think there is something going wrong with the DC role of dc01?
