Kerberos delegation on a clustered server

    Question

  • Here's my setup.

    A web server running ASP.NET web applications. A SQL Clustered server, with 2 physical nodes.

    Both of these are on the same domain.

    The web server has been enabled for kerberos delegation in AD. The cluster virtual server has been enabled for kerberos delegation in AD.

    However, when accessing a web app that uses Windows authentication, I get the "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" error.

    When SQL was on a single server (i.e. not a cluster), the above setup worked.

    The only thing I can think of is that the account that MSSQLSERVER and the SQL Agent services are running under is a domain account.

    I have tried doing setspn -A MSSQLSERVER/[name of cluster virtual server] [DOMAIN\Name of SQL service account] and then enabling the domain account for delegation, but no joy.

    Can anyone who has set up a similar situation help?

    Thanks in advance.


    Thursday, March 21, 2013 2:41 PM
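An added example (not part of the thread, and not the poster's own commands) that audits the SQL side of the hop described above: whether the cluster's virtual network name has its SPNs on the domain service account, how delegation is configured on the web server and on the service account, and whether any SPN is duplicated in the forest. It assumes the ActiveDirectory RSAT module and setspn.exe are available; the account, host and port names are placeholders.

```powershell
# Added example, not part of the thread: audit the Kerberos prerequisites for the
# SQL side of the double hop. Needs the ActiveDirectory RSAT module and setspn.exe,
# run as a user who can read the directory. All names below are assumptions.
Import-Module ActiveDirectory

$SqlServiceAccount  = 'svc-sql'              # sAMAccountName of the SQL service account (assumed)
$ClusterVirtualName = 'sqlclu.contoso.local' # FQDN of the SQL virtual network name (assumed)
$SqlPort            = 1433                   # listening port of the clustered instance (assumed)
$WebServerName      = 'WEB01'                # computer name of the IIS server (assumed)

# Delegation posture helper. Constrained delegation limited to the SQL SPNs is the
# least-privilege setting; unconstrained delegation also works, but lets a compromised
# middle tier impersonate its users to any service in the domain.
function Get-DelegationPosture {
    param($AdObject, [string]$Label)
    $targets = $AdObject.'msDS-AllowedToDelegateTo'
    if ($targets) {
        "$Label : constrained delegation to $($targets -join ', ')"
    } elseif ($AdObject.TrustedForDelegation) {
        "$Label : UNCONSTRAINED delegation (works, but over-privileged)"
    } else {
        "$Label : no delegation configured"
    }
}

$props = 'servicePrincipalName', 'TrustedForDelegation', 'msDS-AllowedToDelegateTo'
$svc = Get-ADUser     -Identity $SqlServiceAccount -Properties $props
$web = Get-ADComputer -Identity $WebServerName     -Properties $props

# SQL Server registers SPNs under the MSSQLSvc service class. On a cluster the client
# connects to the virtual network name, so the SPNs must carry that name and must sit
# on the domain SERVICE ACCOUNT (the account whose key decrypts the service ticket),
# not on either physical node's computer account.
$expectedSpns = @(
    "MSSQLSvc/${ClusterVirtualName}",
    "MSSQLSvc/${ClusterVirtualName}:${SqlPort}"
)
foreach ($spn in $expectedSpns) {
    if ($svc.servicePrincipalName -contains $spn) {
        "OK       $spn is registered on $SqlServiceAccount"
    } else {
        "MISSING  $spn  (register with: setspn -S $spn $SqlServiceAccount)"
    }
}

Get-DelegationPosture $web "Web server $WebServerName"
Get-DelegationPosture $svc "SQL service account $SqlServiceAccount"

# A duplicate SPN anywhere in the forest breaks Kerberos for that service; the client
# then falls back to NTLM, which cannot be delegated, and SQL sees ANONYMOUS LOGON.
Write-Output 'Forest-wide duplicate SPN check (setspn -X):'
setspn -X
```

`setspn -S` (rather than `-A`) refuses to add an SPN that already exists elsewhere, which is the safer form when repairing a cluster whose SPN may still be registered on the old stand-alone server's computer account.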

Answers

  • Make sure you have registered correct SPN for Web server.

    The SPN should be registered under the user account that is specified for this application pool. If IIS 7.0 is running on your web server, disable "Enable Kernel Mode Authentication" for a try.

    1. Open IIS manager console on your web server, expand sites and select the website you are accessing, double-click Authentication and select Windows Authentication.

    2. Uncheck "Enable Kernel Mode Authentication", click OK, then execute IISRESET and press Enter.

    Regards,

    Diana


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Friday, March 29, 2013 3:21 AM
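An added example (not the answerer's code, and not part of the thread) that checks the web-server side of the same chain from PowerShell: which identity the application pool runs as, whether the HTTP SPN for the browser-facing host name sits on that identity, whether that identity is trusted for delegation, and how kernel-mode authentication is set. It assumes the WebAdministration and ActiveDirectory modules on the IIS server; the site and host names are placeholders. It also shows, as an alternative to the answer's step of unchecking kernel-mode authentication, the `useAppPoolCredentials` setting that keeps kernel mode on while decrypting tickets with the pool identity's key.

```powershell
# Added example, not part of the thread: verify the IIS side of the double hop.
# Needs the WebAdministration module (IIS 7.x) and the ActiveDirectory RSAT module,
# run on the IIS server as an administrator. Site and host names are assumptions.
Import-Module WebAdministration
Import-Module ActiveDirectory

$SiteName    = 'Default Web Site'        # IIS site the users browse to (assumed)
$WebHostFqdn = 'intranet.contoso.local'  # host name in the browser URL (assumed)
$WinAuth     = 'system.webServer/security/authentication/windowsAuthentication'

# Which account does the application pool run as, and how is Windows auth configured?
$poolName      = (Get-Item "IIS:\Sites\$SiteName").applicationPool
$pm            = Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel
$useKernelMode = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $WinAuth -Name useKernelMode).Value
$usePoolCreds  = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $WinAuth -Name useAppPoolCredentials).Value

"Site '$SiteName' runs in pool '$poolName' as identityType=$($pm.identityType) user='$($pm.userName)'"
"useKernelMode=$useKernelMode  useAppPoolCredentials=$usePoolCreds"

if ($pm.identityType -eq 'SpecificUser') {
    # Custom domain identity: the HTTP SPN for the browser-facing name must be on that
    # account (and on nothing else), and delegation must be granted to that account,
    # not to the web server's computer account.
    $sam  = $pm.userName.Split('\')[-1]
    $acct = Get-ADUser -Identity $sam -Properties servicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    $spn  = "HTTP/$WebHostFqdn"
    if ($acct.servicePrincipalName -contains $spn) {
        "OK       $spn is on $sam"
    } else {
        "MISSING  $spn on $sam  (setspn -S $spn $sam)"
    }
    if (-not ($acct.TrustedForDelegation -or $acct.'msDS-AllowedToDelegateTo')) {
        "WARNING  $sam is not trusted for delegation; the hop to SQL will arrive as ANONYMOUS LOGON"
    }
    # With kernel-mode authentication IIS decrypts service tickets with the MACHINE
    # account's key, so a ticket issued for the pool account's SPN cannot be decrypted.
    # Either turn kernel mode off (the answer's fix) or keep it on and point IIS at the
    # pool identity's key with useAppPoolCredentials.
    if ($useKernelMode -and -not $usePoolCreds) {
        "FIX      kernel mode is on with a custom pool identity; apply (a) or (b) below, then run iisreset"
    }
}

# (a) What the accepted answer does in the GUI, as a command:
# Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $WinAuth -Name useKernelMode -Value $false
# (b) Keep kernel mode and decrypt with the pool identity's key instead:
# Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $SiteName -Filter $WinAuth -Name useAppPoolCredentials -Value $true
```

Option (b) is usually preferred on IIS 7.x when the pool runs as a domain account, because kernel-mode authentication stays enabled and the HTTP SPN still only needs to exist once, on the pool identity.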

All replies

  • We had something similar a little while ago and found that the SQL Service Account was failing to enumerate the domain users' access.

    Following a number of calls we found we needed to change the permissions on the SQL Service Account in the domain by assigning the “Authenticated User” “Read All Properties” to Allow in the Security – Advanced Security.

    Hope this helps

    Thanks

    Thursday, March 21, 2013 3:18 PM
  • Hi.

    Thanks. Is this setting in Active Directory? I can't seem to find it.

    Thursday, March 21, 2013 3:36 PM
  • Ignore previous post - found it.

    It doesn't seem to have fixed it though. I'll try restarting the cluster later to see if that helps.

    Thursday, March 21, 2013 3:46 PM
  • Hi,

    Just checking to see how is the troubleshooting going. Please feel free to let us know if you would like further assistance.

    Regards

    Kevin

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Monday, March 25, 2013 5:36 AM
  • Hi

    Still no luck.

    The web server has been granted delegation
    The Cluster has been granted delegation
    The service account that SQL runs under has been granted delegation

    I don't know what to try next.

    Monday, March 25, 2013 9:48 AM
  • Hi,

    Thank you for clarifying the issue for us.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Regards

    Kevin

    TechNet Subscriber Support

    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    Thursday, March 28, 2013 2:43 AM