Constrained delegation on client-SS2k-SS2k scenario

  • I am trying to create constrained delegation for the following scenario:

    client (c_accnt) - uses TCP/IP, Kerberos, no named pipes; account is not sensitive and can be delegated; client machine is Win XP Professional SP2.

    SS2k1 (runs under s_acc1) - uses TCP/IP, no named pipes, operating system on the SS2k1 machine is Win2K; SPN created on s_acc1 for SS2K1: MSSQLSvc/SS2K1.mydomain.com:1433 and MSSQLSvc/SS2K1:1433

    SS2k2 (runs under s_acc2) - uses TCP/IP, no named pipes, operating system on the SS2k2 machine is Win2K; SPN created on s_acc2 for SS2K2: MSSQLSvc/SS2K2.mydomain.com:1433 and MSSQLSvc/SS2K2:1433

    Domain and forest functional levels are Windows 2003.

    I want to use constrained delegation between these 2 SS2K servers in both directions. If I use unconstrained delegation (i.e. for both computer and account I check the middle option in the DELEGATION tab), it is working fine. This means that I can connect on the client machine, access SS2K1 and from there access SS2K2 using c_accnt credentials.

    If I try to constrain the SQL Server account to only delegate to the other SQL Server account, and only to it, then the double hop stops working.

    I am not comfortable using unconstrained delegation, so I would appreciate it if anybody could give me any advice on how to set up the constraint. I did everything like in the Microsoft documentation, but it seems that I miss some small print somewhere. So, if I use the third option in the Delegation tab for s_acc1 (Trust this user for delegation to specified services only, Kerberos only), for example, what should the list "Services to which this account can present delegated credentials" contain?

    Gabriela

  • It should only contain MSSQLSvc with the appropriate servername and port. This article might be of some help:

    Kerberos Protocol Transition and Constrained Delegation

    K. Brian Kelley
    @kbriankelley

  • Can you be more specific?

    Must be

    MSSQLSvc/SS2K2/1433 or/and MSSQLSvc/SS2K2.mydomain.com/1433

    or

    MSSQLSvc/SS2K1/1433 or/and MSSQLSvc/SS2K1.mydomain.com/1433

    (assuming that I use for all of them the default port 1433)

    And something else: do you use it this way and is it working? Because I read the documentation several times, I tried all the combinations I could think of and it still doesn't work.
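  • The answer above says the list should hold the other SQL Server's MSSQLSvc SPNs; the follow-up asks for the exact strings. The following is an added example (not code from any poster in this thread) that writes that configuration with the ActiveDirectory PowerShell module instead of the Delegation tab, so the attributes involved are explicit. It assumes the names used in the thread (domain mydomain.com, service accounts s_acc1 and s_acc2 running SS2K1 and SS2K2 on port 1433) and an account with rights to edit both users; the SPN format is the one SQL Server uses, MSSQLSvc/host:port with a colon, not a slash, before the port.

```powershell
# Added example, not from the thread. Assumes: domain mydomain.com, service
# accounts s_acc1 (runs SQL on SS2K1) and s_acc2 (runs SQL on SS2K2), port 1433,
# RSAT ActiveDirectory module present, and rights to modify both accounts.
Import-Module ActiveDirectory

$domain  = 'mydomain.com'
$servers = @{ 's_acc1' = 'SS2K1'; 's_acc2' = 'SS2K2' }   # service account -> host it serves

# SQL Server registers and looks up two SPN forms: MSSQLSvc/<fqdn>:<port> and
# MSSQLSvc/<netbios>:<port>. The port is separated by a colon; a form such as
# MSSQLSvc/SS2K2/1433 does not match what the client requests a ticket for.
function Get-SqlSpns([string]$HostName, [string]$DomainName, [int]$Port = 1433) {
    @("MSSQLSvc/$HostName.$($DomainName):$Port", "MSSQLSvc/$($HostName):$Port")
}

# 1. Each service account must own its own SPNs. A SQL Server running under a
#    domain account does not register them itself; without them the client
#    falls back to NTLM on the first hop and there is nothing to delegate.
foreach ($acct in $servers.Keys) {
    $wanted  = Get-SqlSpns -HostName $servers[$acct] -DomainName $domain
    $have    = (Get-ADUser $acct -Properties servicePrincipalName).servicePrincipalName
    $missing = @($wanted | Where-Object { $have -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "$acct is missing SPNs: $($missing -join ', '); adding them"
        Set-ADUser $acct -ServicePrincipalNames @{ Add = $missing }
    }
}

# 2. Constrained delegation, Kerberos only, in both directions: each service
#    account may present delegated credentials only to the OTHER server's SPNs.
#    This is the msDS-AllowedToDelegateTo attribute, which is exactly what the
#    "Trust this user for delegation to specified services only" list edits.
#    The list goes on the account that holds the SPN (s_acc1/s_acc2), not on
#    the computer account, because the service runs as that user.
Set-ADUser s_acc1 -Add @{ 'msDS-AllowedToDelegateTo' = (Get-SqlSpns -HostName 'SS2K2' -DomainName $domain) }
Set-ADUser s_acc2 -Add @{ 'msDS-AllowedToDelegateTo' = (Get-SqlSpns -HostName 'SS2K1' -DomainName $domain) }

# "Kerberos only" means protocol transition (the "use any authentication
# protocol" option, TRUSTED_TO_AUTH_FOR_DELEGATION) is left off, and the
# unconstrained flag (TRUSTED_FOR_DELEGATION) must be cleared as well.
Set-ADUser s_acc1 -TrustedForDelegation $false
Set-ADUser s_acc2 -TrustedForDelegation $false

# 3. Show the resulting state of both accounts.
's_acc1', 's_acc2' |
    Get-ADUser -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation |
    Select-Object SamAccountName, TrustedForDelegation,
        @{ n = 'SPNs';                e = { $_.servicePrincipalName -join '; ' } },
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

    Run it once from a workstation with RSAT as a domain admin, then re-test the double hop from the client. Two things still outside this script decide whether the hop works: the client's first connection to SS2K1 has to be Kerberos (TCP/IP by the name the SPN was registered for, as the thread already sets up), and SS2K1's onward connection to SS2K2 has to use Windows authentication so that the delegated ticket is what is presented.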

