设置SPN以从IIS7以原始用户身份访问SQL Server 2008

Question

I'm totally confused by SPN's and exactly what I need to do. Basically I have a webserver running on a domain EUR and I want to access different MSSQL servers using windows authentication and impersonation as the user viewing the webpage.

I have setup the webserver to use windows authentication and impersonation and it works fine with the local MSSQL instance on the webserver but not on any others on the EUR domain. I get an error saying: Logon failed for NT AUTHORITY\\ANONYMOUS user.

IIS and MSSQL services are currently running under the system account on all of the servers but I do have a functional ID "EUR\\ldntech1" that I can use if necessary.

I understand that this is the double hop issue and I need to use SPN's which before today I'd never heard of and I am very confused by the syntax of how to add them and if I need one only for the webservice or if I need to add one for every MSSQL server I wish to connect to.

My website is hosted on the alias fiportal.domain.net and actual server name is ldn55spr.domain.net

Any help would be really greatly appreciated.

Thanks

Answer 1

What you are trying to do is called Constrained Delegation. That should help you in your google searches.

You need to understand that the technology that's underlying all of this credential delegation is Kerberos. Service Principal Names (SPN) are a Kerberos thing.

This blog post should help you setup your environment.

This tool will help you ensure that your environment is correctly configured for Constrained Delegation.

edit: although somewhat dated, this should give you some background - though you did say that you understand the double-hop problem