Issues with Windows Integrated Authentication in double hop

A de Vos 1 Reputation point
2021-03-12T16:57:02.83+00:00

Hi,

I'm setting up a website which uses Windows Integrated Authentication. For the website we registered a DNS name with an A-record in the DNS.

We want to use HTTPS and not HTTP.

We have added the URL to the local intranet zone in the domain via a group policy.

For the webserver we created a service account (domain user) and configured "Trust for delegation to any services (Kerberos only)", and we registered an SPN record. For example: HTTP/mywebsite.test.company.nl

The SQL Server is running with a service account and we also registered the appropriate SPNs for this server.
We checked the SPN records via the Microsoft Kerberos Validation Tool and it shows that everything is configured correctly.

Within IIS we are running an ASP.NET version 4 website. In the website we enabled Windows Authentication, disabled anonymous logon and enabled ASP.NET impersonation.

Because the application pool is running under the service account that we created, we enabled via the configuration the option UseAppPoolCredentials.

When we browse to the website on the server then we can see that everything is normal and the website is working correctly.

But when we launch the website from a Windows 10 client via Internet Explorer, we can log on to the website, but when the website contacts SQL Server we still get an error "Login failed for: 'NT AUTHORITY\ANONYMOUS LOGON'".

So it seems that the double hop still isn't working.

Questions:

  1. Is it necessary to register an SPN for the HTTPS connection like: HTTPS/mywebsite.test.company.nl?
  2. Is it necessary to include the HTTPS default port number in the SPN record?

This is not the first time that I have configured a website that uses Windows Integrated Authentication, including in a situation where a load balancer is involved. But now we can't find the issue. We checked everything that we normally check and we can't find the root cause of this problem.

Does anybody have an idea where to search?

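
A set of read-only Active Directory checks for the double-hop setup described in the question, as an added example that is not part of the original post. The account names `svc-web`, `svc-sql` and `jdoe` are hypothetical placeholders, and the script assumes both service accounts are domain user accounts and that the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the original post). Read-only checks for Kerberos double hop.
Import-Module ActiveDirectory

$SiteHost   = 'mywebsite.test.company.nl'  # site FQDN as used in the question
$WebSvcAcct = 'svc-web'                    # hypothetical: IIS app pool identity
$SqlSvcAcct = 'svc-sql'                    # hypothetical: SQL Server service account
$TestUser   = 'jdoe'                       # hypothetical: user who gets the ANONYMOUS LOGON error

# Browsers request a ticket for HTTP/<host> for https:// URLs as well, so this is
# the SPN the first hop depends on. It must be held by exactly one account.
$httpSpn = "HTTP/$SiteHost"
$owners  = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$httpSpn)")

$web  = Get-ADUser $WebSvcAcct -Properties TrustedForDelegation,
            TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
$sql  = Get-ADUser $SqlSvcAcct -Properties ServicePrincipalNames
$user = Get-ADUser $TestUser   -Properties AccountNotDelegated, MemberOf

$report = [pscustomobject]@{
    HttpSpn                 = $httpSpn
    HttpSpnOwners           = ($owners | ForEach-Object Name) -join ', '
    # False when the SPN is missing, duplicated, or held by another account.
    HttpSpnOnAppPoolAccount = ($owners.Count -eq 1 -and
                               $owners[0].DistinguishedName -eq $web.DistinguishedName)
    # "Trust for delegation to any service (Kerberos only)" sets this flag.
    WebUnconstrainedDeleg   = $web.TrustedForDelegation
    # Populated only when constrained delegation is configured instead.
    WebConstrainedTargets   = $web.'msDS-AllowedToDelegateTo' -join ', '
    WebProtocolTransition   = $web.TrustedToAuthForDelegation
    # Second hop: the SQL client asks for MSSQLSvc/<fqdn>[:port or instance].
    SqlSpns                 = ($sql.ServicePrincipalNames |
                               Where-Object { $_ -like 'MSSQLSvc/*' }) -join ', '
    # Either of these stops the user's credentials from being delegated.
    UserMarkedSensitive     = $user.AccountNotDelegated
    UserInProtectedUsers    = [bool]($user.MemberOf -match '^CN=Protected Users,')  # direct membership only
}
$report | Format-List

# Forest-wide duplicate SPN scan (duplicates make ticket requests fail):
setspn -X

# On the Windows 10 client, after browsing to the site, list cached service tickets.
# No HTTP/<host> ticket here means the browser fell back to NTLM, which cannot be delegated:
#   klist
```

Unconstrained delegation, as configured in the question, lets the service account act as any user who authenticates to it, so restricting `msDS-AllowedToDelegateTo` to the SQL Server SPN is the narrower setting once the double hop works.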