Constrained Delegation Problem: SQL partially delegated



Constrained Delegation Problem: SQL partially delegated JimLad
11/17/2006 7:03:03 AM
Hi,

I have set up delegation and IT WORKS to link through to a back end SQL
server.

However for security reasons I want to limit the services that can be
delegated to to MSSQLSvc on the db server. An SPN has been set up for
the SQL server account on port 1433.

When I swap to constrained delegation a simple asp page with ADO still
works, but my main app doesn't. The technologies used are ASP.NET 1.1
(ADO.NET), ASP (ADO), and SQLXML virtual directory.

I assume that either I need to enable another port or add another
service. Can someone enlighten me?

Cheers,

James
Re: Constrained Delegation Problem: SQL partially delegated JimLad
11/17/2006 9:05:13 AM
Apologies! Turns out my ASP code was pointing at one db server and
asp.net was pointing at a different db server. Sorry!!

James

Re: Constrained Delegation Problem: SQL partially delegated Ken Schaefer
11/21/2006 1:48:35 AM
Glad you got it working. Kerberos service tickets are based on the SPN (as
you have discovered). The SPN contains a name (NetBIOS, FQDN etc) only. It
does not differentiate between server technologies (e.g. ASP and ASP.NET
pages) for example. If your ASP page is working fine, but your ASP.NET one
isn't, then something else is the matter.

Cheers
Ken

--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
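
An added example, not part of the original thread: a Python check for the situation the thread turned out to be, where one application's connection string names a database server whose MSSQLSvc SPN is not on the constrained delegation list. The host names, the `corp.example` suffix and the function names are constructed for illustration, `ALLOWED` stands in for the delegating account's `msDS-AllowedToDelegateTo` values, and qualifying short host names with a single DNS suffix is an assumption.

```python
import re

DEFAULT_PORT = 1433  # port the SPN in the thread was registered on


def target_spn(conn_str, dns_suffix):
    """Derive the MSSQLSvc SPN that a connection string's server would need."""
    fields = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    # ADO/OLE DB uses "Data Source", ADO.NET also accepts "Server"
    server = fields.get("data source") or fields.get("server")
    if not server:
        return None
    server = re.sub(r"^tcp:", "", server, flags=re.I)
    host, _, port = server.partition(",")   # "host,port" form
    host = host.strip().lower()
    if "." not in host:                      # assumption: short names live in dns_suffix
        host = f"{host}.{dns_suffix}"
    return f"MSSQLSvc/{host}:{port.strip() or DEFAULT_PORT}"


def undelegated(conn_strings, allowed_spns, dns_suffix):
    """Return {app: spn} for every app whose target SPN is not delegable."""
    allowed = {s.lower() for s in allowed_spns}
    missing = {}
    for app, conn_str in conn_strings.items():
        spn = target_spn(conn_str, dns_suffix)
        if spn and spn.lower() not in allowed:
            missing[app] = spn
    return missing


# Constructed sample data: one SPN on the delegation list, two apps
ALLOWED = ["MSSQLSvc/db01.corp.example:1433"]
CONN = {
    "classic-asp": "Provider=SQLOLEDB;Data Source=DB01;Integrated Security=SSPI",
    "asp.net": "Server=db02.corp.example;Database=App;Integrated Security=SSPI",
}

if __name__ == "__main__":
    for app, spn in undelegated(CONN, ALLOWED, "corp.example").items():
        print(f"{app}: {spn} is not on the delegation list")
```
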

