Constrained Delegation Problem: SQL partially delegated
on 17.11.2006 16:03:03 by JimLad
Hi,
I have set up delegation and IT WORKS to link through to a back end SQL
server.
However for security reasons I want to limit the services that can be
delegated to to MSSQLSvc on the db server. An SPN has been set up for
the SQL server account on port 1433.
When I swap to constrained delegation a simple asp page with ADO still
works, but my main app doesn't. The technologies used are ASP.NET 1.1
(ADO.NET), ASP (ADO), and SQLXML virtual directory.
I assume that either I need to enable another port or add another
service. Can someone enlighten me?
Cheers,
James
Re: Constrained Delegation Problem: SQL partially delegated
on 17.11.2006 18:05:13 by JimLad
Apologies! Turns out my ASP code was pointing at one db server and
asp.net was pointing at a different db server. Sorry!!
James
JimLad wrote:
> Hi,
>
> I have set up delegation and IT WORKS to link through to a back end SQL
> server.
>
> However for security reasons I want to limit the services that can be
> delegated to to MSSQLSvc on the db server. An SPN has been set up for
> the SQL server account on port 1433.
>
> When I swap to constrained delegation a simple asp page with ADO still
> works, but my main app doesn't. The technologies used are ASP.NET 1.1
> (ADO.NET), ASP (ADO), and SQLXML virtual directory.
>
> I assume that either I need to enable another port or add another
> service. Can someone enlighten me?
>
> Cheers,
>
> James
Re: Constrained Delegation Problem: SQL partially delegated
on 21.11.2006 02:48:35 by Ken Schaefer
Glad you got it working. Kerberos service tickets are based on the SPN (as
you have discovered). The SPN contains a name (NetBIOS, FQDN etc) only. It
does not differentiate between server technologies (e.g. ASP and ASP.NET
pages) for example. If your ASP page is working fine, but your ASP.NET one
isn't, then something else is the matter.
Cheers
Ken
--
My IIS Blog: www.adOpenStatic.com/cs/blogs/ken
"JimLad" wrote in message
news:1163783113.460418.276160@m73g2000cwd.googlegroups.com...
> Apologies! Turns out my ASP code was pointing at one db server and
> asp.net was pointing at a different db server. Sorry!!
>
> James
>
> JimLad wrote:
>
>> Hi,
>>
>> I have set up delegation and IT WORKS to link through to a back end SQL
>> server.
>>
>> However for security reasons I want to limit the services that can be
>> delegated to to MSSQLSvc on the db server. An SPN has been set up for
>> the SQL server account on port 1433.
>>
>> When I swap to constrained delegation a simple asp page with ADO still
>> works, but my main app doesn't. The technologies used are ASP.NET 1.1
>> (ADO.NET), ASP (ADO), and SQLXML virtual directory.
>>
>> I assume that either I need to enable another port or add another
>> service. Can someone enlighten me?
>>
>> Cheers,
>>
>> James
>
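An added example, not part of the original thread: a small check for the situation resolved above, where two components pointed at different database servers and only one was on the constrained delegation list. It derives the MSSQLSvc SPN each connection string would lead to and compares it with the front-end account's allowed list (the `msDS-AllowedToDelegateTo` values). Host names, connection strings and the allowed list are constructed, and it assumes the server name in the connection string is the name registered in the SPN.

```python
# Added example; all hosts and connection strings below are constructed samples.
DEFAULT_SQL_PORT = 1433
SERVER_KEYS = {"data source", "server", "address", "addr", "network address"}


def sql_spn(conn_str):
    """Return the MSSQLSvc SPN implied by an ADO / ADO.NET connection string."""
    fields = {}
    for part in conn_str.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key.strip().lower()] = value.strip()
    target = next((fields[k] for k in fields if k in SERVER_KEYS), None)
    if not target:
        raise ValueError("no server keyword in connection string")
    if target.lower().startswith("tcp:"):      # optional protocol prefix
        target = target[4:]
    host, _, port = target.partition(",")       # "host,port"
    host, _, instance = host.partition("\\")    # "host\instance"
    suffix = port.strip() or instance.strip() or str(DEFAULT_SQL_PORT)
    return f"MSSQLSvc/{host.strip()}:{suffix}"


def check_delegation(conn_strings, allowed_spns):
    """Map component name -> (spn, True if the SPN is on the allowed list)."""
    allowed = {s.lower() for s in allowed_spns}  # SPN matching ignores case
    result = {}
    for name, conn_str in conn_strings.items():
        spn = sql_spn(conn_str)
        result[name] = (spn, spn.lower() in allowed)
    return result


# Constructed sample: two components that point at two different servers.
APPS = {
    "ASP (ADO)": "Provider=SQLOLEDB;Data Source=sqlA.corp.example;"
                 "Integrated Security=SSPI;Initial Catalog=app",
    "ASP.NET (ADO.NET)": "Server=tcp:sqlB.corp.example,1433;Database=app;"
                         "Integrated Security=SSPI",
}
# Constructed sample of the front-end account's allowed-to-delegate list.
ALLOWED = ["MSSQLSvc/sqla.corp.example:1433"]

if __name__ == "__main__":
    for name, (spn, ok) in check_delegation(APPS, ALLOWED).items():
        print(f"{name:20} {spn:40} {'allowed' if ok else 'NOT on delegation list'}")
```

Any component reported as not on the list is one whose back-end server still needs its SPN added to the constrained delegation configuration, or whose connection string points at the wrong server.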