Delegation Failure

Discussion in 'Windows Small Business Server' started by Paul L, Jan 28, 2004.

  1. Paul L

    Paul L Guest

    I have a domain with SBS2003 server running IIS on one machine and Windows
    Server 2003 running SQL 2000 on another. IIS uses integrated authentication
    only, and delegation between IIS and SQL was working as advertised (all the
    right checkboxes in Active Dir we set correctly, SQL used the authenticated
    client, etc).

    We recently added the server with SQL as a Domain Controller so it could be
    used as a backup. Once it came on line, delegation stopped working, and IIS
    attempts to log in to SQL as the 'NT AUTHORITY\ANONYMOUS LOGON' user, which,
    of course, fails.

    I am going to remove the DC off of the SQL server, but I though someone
    might know why having the second DC on the SQL server kills delegation.

    Thanks,
    Paul
     
    Paul L, Jan 28, 2004
    #1
    1. Advertisements

  2. What service account is SQL using? NetworkService or LocalSystem? Note that
    when it was living on a member server, those accounts were mapped to the
    computer account, and this account was used when SQL was accessing network
    resources. Now, when SQL lives on the DC, so called "loopback
    authentication" is taking place, and SQL comes to DC authenticated as
    NetworkServer or LocalSystem, respectively.

    Generally speaking, running two important services on one machine is unsafe.
    If one is compromised, the other one will fall too. We do not recommend
    running anything on a DC.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples are subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm
     
    Dmitri Gavrilov [MSFT], Jan 28, 2004
    #2
    1. Advertisements

  3. Let's be careful here ;-).

    This is kind of an SBS question, it was wrongly cross posted to a whole
    bunch of newsgroups and the discussion might not necessarily accurately
    reflect an SBS scenario. Such as the following:
     
    Les Connor [SBS MVP], Jan 28, 2004
    #3
  4. Paul L

    Paul L Guest

    Les,

    It was "wrongly" posted to the 3 (whole bunch?) newsgroups for the systems
    involved. I have a problem that could be in any of the 3 places, SBS, SQL
    or AD.

    Furthermore, I have no idea what you are trying to say in your reply.

    -Paul


     
    Paul L, Jan 29, 2004
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.