March 21, 2011 at 1:25 pm
I have 3 servers - all on a network. The web applications I am running are on the intranet the servers are on.
Server 1 is the current 'Live' server that hosts the web application. It is running Windows Server 2003.
Server 2 is going to be the 'Live' server one of these days - it is running Windows Server 2008 R2.
Server 3 is running Windows Server 2008 R2 and SQL Server 2008. The live database is on here.
Windows authentication is used.
Any application I publish to the current live server (Server 1) has no trouble connecting to the live database (Server 3).
If I publish an application to what will be the new live server (Server 2), then when I try to run the application from any user's machine, an error message is displayed that states that login failed for 'NT Authority\ANONYMOUS LOGON'.
If I open IIS on Server 2 and browse the application - it connects to the database on Server 3 with no problems.
So, as I understand it, this is a delegation issue.
When the database server receives requests from Server 1 - it is happy to accept the delegated log-ins for any user. But, when the database server receives requests from Server 2 it says 'no thanks'.
So, my question is ... how/where can I see that SQL Server on Server 3 is happy to accept delegated requests from Server 1, and how/where do I tell it to accept delegated requests from Server 2?
Apologies if my terminology is incorrect.
Thanks for any help.
March 21, 2011 at 2:07 pm
What you're looking at is multi-step authentication. Wince, grit your teeth, and do an online search for "kerberos". You can also search for "NT AUTHORITY/ANONYMOUS LOGIN", and you'll get more data, but pretty much the same solutions.
Most of the time, I've found using SQL authentication better for those situations. Is that an option for you?
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
March 21, 2011 at 2:52 pm
GSquared (3/21/2011)
What you're looking at is multi-step authentication. Wince, grit your teeth, and do an online search for "kerberos".
:-D:-D totally agree :-D:-D
March 21, 2011 at 3:53 pm
It's also known as the "double-hop issue" (winces, grits teeth)
There are no special teachers of virtue, because virtue is taught by the whole community.
--Plato
March 21, 2011 at 4:13 pm
<---- Winced and gritted as soon as I saw the error. Double-hop my... boot.
Never stop learning, even if it hurts. Ego bruises are practically mandatory as you learn unless you've never risked enough to make a mistake.
For better assistance in answering your questions | Forum Netiquette
For index/tuning help, follow these directions. | Tally Tables
Twitter: @AnyWayDBA
March 21, 2011 at 4:46 pm
GSquared (3/21/2011)
What you're looking at is multi-step authentication. Wince, grit your teeth, and do an online search for "kerberos". You can also search for "NT AUTHORITY/ANONYMOUS LOGIN", and you'll get more data, but pretty much the same solutions. Most of the time, I've found using SQL authentication better for those situations. Is that an option for you?
I don't think SQL Authentication is an option at this stage ... there are hundreds of users and hundreds of audit tables that are populated using suser_sname() to record who did what.
What I don't get is ... why is this so complicated - why isn't there some sort of user interface to set this up? And, how and where is it already set up for the existing live server that authenticates with Windows authentication already?
Thanks to all for comments - I had already read various articles on 'Kerberos' and delegation and, to be honest, I don't understand a word of them - hence my question on here. I was just hoping that someone here would be able to explain it in English.
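Kerberos delegation is configured in Active Directory on the account the web tier runs as, not inside SQL Server, so the Server 1 versus Server 2 comparison asked about above can be made there. The following is an added example, not posted by anyone in this thread; it assumes the ActiveDirectory PowerShell module, application pools running as the machine account, and the placeholder names SERVER1, SERVER2 and SERVER3 for the three servers.

```powershell
# Added example; SERVER1/SERVER2/SERVER3 are placeholders for the real hosts.
Import-Module ActiveDirectory

$webServers = 'SERVER1', 'SERVER2'   # current and future IIS hosts
$sqlServer  = 'SERVER3'              # SQL Server host
$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo', 'servicePrincipalName'

# 1. Compare the delegation settings of the two web-tier accounts.
#    Assumption: the app pools run as the machine account. For a domain
#    service account, query it with Get-ADUser and the same properties.
$report = foreach ($name in $webServers) {
    $c       = Get-ADComputer -Identity $name -Properties $props
    $targets = @($c.'msDS-AllowedToDelegateTo')
    $http    = @($c.servicePrincipalName) -like 'HTTP/*'
    [pscustomobject]@{
        Computer           = $c.Name
        Unconstrained      = $c.TrustedForDelegation
        ProtocolTransition = $c.TrustedToAuthForDelegation
        DelegatesTo        = ($targets -join '; ')
        # True when the account may forward a user's ticket to SQL Server.
        CanDelegateToSql   = [bool]($c.TrustedForDelegation -or
                                 ($targets -like "MSSQLSvc/$sqlServer*"))
        HttpSpns           = ($http -join '; ')
    }
}
$report | Format-List

# 2. List every account holding an MSSQLSvc SPN for the SQL host. Kerberos
#    needs exactly one account to own each SPN; a missing or duplicated SPN
#    makes clients fall back to NTLM, which cannot be delegated.
Get-ADObject -LDAPFilter "(servicePrincipalName=MSSQLSvc/$sqlServer*)" `
             -Properties servicePrincipalName |
    Select-Object Name, ObjectClass,
        @{ n = 'SqlSpns'
           e = { ($_.servicePrincipalName -like 'MSSQLSvc/*') -join '; ' } }
```

A web server that reports CanDelegateToSql as False cannot forward the user's identity on the second hop, which is consistent with the ANONYMOUS LOGON failure described in the first post.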
March 21, 2011 at 5:05 pm
sku370870 (3/21/2011)
GSquared (3/21/2011)
What you're looking at is multi-step authentication. Wince, grit your teeth, and do an online search for "kerberos". You can also search for "NT AUTHORITY/ANONYMOUS LOGIN", and you'll get more data, but pretty much the same solutions. Most of the time, I've found using SQL authentication better for those situations. Is that an option for you?
I don't think SQL Authentication is an option at this stage ... there are hundreds of users and hundreds of audit tables that are populated using suser_sname() to record who did what.
What I don't get is ... why is this so complicated - why isn't there some sort of user interface to set this up? And, how and where is it already set up for the existing live server that authenticates with Windows authentication already?
Thanks to all for comments - I had already read various articles on 'Kerberos' and delegation and, to be honest, I don't understand a word of them - hence my question on here. I was just hoping that someone here would be able to explain it in English.
I usually tag my network admins when this happens and explain to them that I'm doublehopping, they take it from there. You have to know Kerberos, its setup, and its integration to Windows to get this to behave itself.
March 21, 2011 at 5:16 pm
Craig Farrell (3/21/2011)
I usually tag my network admins when this happens and explain to them that I'm doublehopping, they take it from there.
You have it good...
I wished many times that I had had the option to throw the double-hop one over the wall when I had to deal with it 😉
March 21, 2011 at 5:17 pm
opc.three (3/21/2011)
Craig Farrell (3/21/2011)
I usually tag my network admins when this happens and explain to them that I'm doublehopping, they take it from there.
You have it good...
I wished many times that I had had the option to throw the double-hop one over the wall when I had to deal with it 😉
The life of the consultant. "Do you want me to waste your money while I learn basic networking principles, or shall I hand this off to your networking staff?"
It's all in how you phrase things. 😉