Impersonation and Delegation with ASP ASP.NET 1.1 IIS6 SQLXML

on 17.11.2006 11:27:42 by JimLad

Hi,

I'm working on Server 2003 servers with XP client. I'm trying to set up
a fairly typical scenario of client - webserver - db server with
Impersonation and delegation. Using default website which hosts ASP,
ASP.NET 1.1 and SQLXML Web Release 1 Virtual Directory. There is
another website (same configuration) set up but it is stopped (it uses
host headers and same application pool).

Application pool is using Network Service.
SQL Server 2000 is running under dbservernetbios_system account

The annoying thing is that it was working a couple of days ago and then
I started messing with the SPNs and AD settings and now it's bust
again. Just goes to show that I don't fully understand it yet, which I
must do before going live!!

The basics are all done (Impersonate=true, Authentication = Windows, no
anonymous, IWA only). Client settings are all correct.

SPNs are:
C:\>setspn -l s05010016 (this is the db server)
Registered ServicePrincipalNames for CN=S05010016,CN=Computers,DC=corp,DC=dnsdom,DC=net:
SMTPSVC/S05010016
SMTPSVC/s05010016.corp.dnsdom.net
LiveState Recovery Agent 3.0/s05010016.corp.dnsdom.net
HOST/S05010016
HOST/s05010016.corp.dnsdom.net

C:\>setspn -l s05010016_system (this is the account SQL Server is running under)
Registered ServicePrincipalNames for CN=S05010016_system,OU=Users\\Groups,OU=ServiceAdmins,DC=corp,DC=dnsdom,DC=net:
MSSQLSvc/S05010016:1433
MSSQLSvc/S05010016.corp.dnsdom.net:1433

C:\>setspn -l s05010097 (this is the web server)
Registered ServicePrincipalNames for CN=S05010097,CN=Computers,DC=corp,DC=dnsdom,DC=net:
HOST/S05010097
HOST/s05010097.corp.dnsdom.net

My account is delegatable. No delegation is set up on the db server or
SQL account. Constrained delegation (any protocol) is set up on web
server for service s05010016_system only.

The thing is that a basic ASP page is working, but ASP.NET is not
working (NTAUTHORITY yadda yadda). What is the most likely explanation
for this?

Cheers,

James
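
Added example, not part of the original post: a consistency check over the `setspn -l` listings quoted above, confirming that each SPN the web server may delegate to is registered exactly once and on the SQL service account. The `ALLOWED` list is an assumption built from the post's description of the constrained delegation setting, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# `setspn -l` listings from the post, with the wrapped DN lines rejoined.
LISTINGS = r"""
Registered ServicePrincipalNames for CN=S05010016,CN=Computers,DC=corp,DC=dnsdom,DC=net:
    SMTPSVC/S05010016
    SMTPSVC/s05010016.corp.dnsdom.net
    LiveState Recovery Agent 3.0/s05010016.corp.dnsdom.net
    HOST/S05010016
    HOST/s05010016.corp.dnsdom.net
Registered ServicePrincipalNames for CN=S05010016_system,OU=Users\\Groups,OU=ServiceAdmins,DC=corp,DC=dnsdom,DC=net:
    MSSQLSvc/S05010016:1433
    MSSQLSvc/S05010016.corp.dnsdom.net:1433
Registered ServicePrincipalNames for CN=S05010097,CN=Computers,DC=corp,DC=dnsdom,DC=net:
    HOST/S05010097
    HOST/s05010097.corp.dnsdom.net
"""
# Assumption: the web server's delegation list, built from the post's description.
ALLOWED = ["MSSQLSvc/S05010016:1433", "MSSQLSvc/S05010016.corp.dnsdom.net:1433"]

def parse_setspn(text):
    """Map each account CN to the SPNs listed under it."""
    spns, account = defaultdict(list), None
    for line in text.splitlines():
        m = re.match(r"Registered ServicePrincipalNames for CN=([^,]+),", line)
        if m:
            account = m.group(1)
        elif line.strip() and account:
            spns[account].append(line.strip())
    return dict(spns)

def check(spns, allowed, service_account):
    """Return findings: duplicate SPNs, and delegation targets that are
    unregistered or registered on an account other than service_account."""
    owners = defaultdict(set)
    for account, names in spns.items():
        for name in names:
            owners[name.lower()].add(account)  # SPN comparison ignores case
    findings = [f"duplicate SPN {s}: {sorted(a)}" for s, a in owners.items() if len(a) > 1]
    for target in allowed:
        held_by = owners.get(target.lower(), set())
        if not held_by:
            findings.append(f"delegation target {target} is not registered")
        elif held_by != {service_account}:
            findings.append(f"delegation target {target} held by {sorted(held_by)}")
    return findings
```

An empty result from `check(parse_setspn(LISTINGS), ALLOWED, "S05010016_system")` means the listings are internally consistent; it does not cover the client, IIS or application pool settings.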

Re: Impersonation and Delegation with ASP ASP.NET 1.1 IIS6 SQLXML

on 17.11.2006 11:33:42 by JimLad

I take that back. ASP isn't working either.

James


Re: Impersonation and Delegation with ASP ASP.NET 1.1 IIS6 SQLXML

on 17.11.2006 16:25:00 by JimLad

Hi,

I've narrowed this down a lot to constrained delegation. Please see my
later post 'Constrained Delegation Problem: SQL partially delegated'.

Cheers,

James
