Asked by AdeVos-3655

Issues with Windows Integrated Authentication in double hop


I'm setting up a website which uses Windows Integrated Authentication. For the website we registered a DNS name with an A-record in the DNS.

We want to use HTTPS and not HTTP.

We have added the URL to the local intranet zone in the domain via a group policy.

For the webserver we created a service account (domain user) and configured:
"Trust for delegation to any services (Kerberos only)"
and we registered an SPN record. For example: HTTP/

The SQL Server is running with a service account and we also registered the appropriate SPNs for this server.
We checked the SPN records via the Microsoft Kerberos Validation Tool and it shows that everything is configured correctly.

Within IIS we are running an ASP.NET version 4 website. In the website we enabled Windows Authentication, disabled anonymous logon and enabled ASP.NET impersonation.

Because the application pool is running under the service account that we created, we enabled the UseAppPoolCredentials option via the configuration.

When we browse to the website on the server then we can see that everything is normal and the website is working correctly.

But when we launch the website from a Windows 10 client via Internet Explorer we can log on to the website, but when the website contacts SQL Server we still get the error "Login failed for: 'NT AUTHORITY\ANONYMOUS LOGON'".

So it seems that the double hop still isn't working.

1) Is it necessary to register an SPN for the HTTPS connection like: HTTPS/
2) Is it necessary to include the https default portnumber in the SPN record?

This is not the first time that I have configured a website that uses Windows Integrated Authentication, also in situations where a load balancer is involved. But now we can't find the issue. We checked everything that we normally check and we can't find the root cause of this problem.

Does anybody have an idea where to search?

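Since the thread has no answer, here is an added verification script (not from the poster, Microsoft, or the thread) that walks the checks a practitioner runs for exactly the setup described in the question. Two facts drive it: a browser requests a ticket for the SPN HTTP/<hostname> whether the page is served over http or https and, by default, without a port number; and an "NT AUTHORITY\ANONYMOUS LOGON" at SQL Server on the second hop almost always means the first hop was NTLM rather than Kerberos, because NTLM credentials cannot be delegated. The script therefore checks SPN ownership (exactly one owner per SPN), the DNS record type, the delegation flags on the app pool account and on the end user, the IIS windowsAuthentication settings, and finally which authentication package the client's last network logon on the web server actually used. All host names, account names, the test user and the IIS site name are placeholders; run it on the IIS server from an elevated prompt with the ActiveDirectory (RSAT) and WebAdministration modules available.

```powershell
# Added example, not part of the original thread. Every name below is a placeholder for the
# poster's real hosts and accounts. Run on the IIS server from an elevated PowerShell prompt.
param(
    [string]$WebHost    = 'www.contoso.com',   # DNS name the clients browse to (assumed)
    [string]$WebAccount = 'svc-web',           # app pool / delegating service account (assumed)
    [string]$SqlHost    = 'sql01.contoso.com', # SQL Server host (assumed)
    [int]   $SqlPort    = 1433,                # SQL Server TCP port (assumed default instance)
    [string]$SqlAccount = 'svc-sql',           # SQL Server service account (assumed)
    [string]$TestUser   = 'jdoe',              # a user whose browser session fails (assumed)
    [string]$SiteName   = 'Default Web Site'   # IIS site name (assumed)
)
Import-Module ActiveDirectory
Import-Module WebAdministration

function Write-Check([bool]$Ok, [string]$Message) {
    $tag = if ($Ok) { '[ OK ]' } else { '[FAIL]' }
    Write-Host "$tag $Message"
}

# 1. Each SPN must exist on exactly one account. A duplicate or a missing SPN means the KDC
#    cannot issue a service ticket and the browser silently falls back to NTLM.
function Test-SpnOwner([string]$Spn, [string]$Expected) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)" -Properties sAMAccountName)
    $names  = ($owners | ForEach-Object sAMAccountName) -join ', '
    Write-Check ($owners.Count -eq 1 -and $owners[0].sAMAccountName -eq $Expected) `
        "$Spn is registered on: [$names] (expected exactly one owner: $Expected)"
}
# The browser asks for HTTP/<host> for both http and https, with no port by default.
Test-SpnOwner "HTTP/$WebHost"                $WebAccount
Test-SpnOwner "MSSQLSvc/${SqlHost}:$SqlPort" $SqlAccount
Test-SpnOwner "MSSQLSvc/$SqlHost"            $SqlAccount

# 2. If the web name were a CNAME, the browser would build the SPN from the CNAME target,
#    not from the name in the address bar. The poster used an A record; confirm that.
$dns = Resolve-DnsName -Name $WebHost -ErrorAction Stop
Write-Check (-not ($dns | Where-Object Type -eq 'CNAME')) "$WebHost resolves without a CNAME"

# 3. "Trust this user for delegation to any service (Kerberos only)" sets TrustedForDelegation
#    on the app pool account; the account must not be marked sensitive.
$svc = Get-ADUser $WebAccount -Properties TrustedForDelegation, AccountNotDelegated
Write-Check $svc.TrustedForDelegation      "$WebAccount is trusted for (unconstrained) delegation"
Write-Check (-not $svc.AccountNotDelegated) "$WebAccount is not marked 'sensitive, cannot be delegated'"

# 4. The end user's own account must be delegable too: not sensitive and not in Protected
#    Users, otherwise no forwardable ticket is issued and the second hop cannot carry the user.
$usr = Get-ADUser $TestUser -Properties AccountNotDelegated, MemberOf
$protected = $usr.MemberOf | Where-Object { $_ -like 'CN=Protected Users,*' }
Write-Check (-not $usr.AccountNotDelegated) "$TestUser is not marked 'sensitive, cannot be delegated'"
Write-Check (-not $protected)               "$TestUser is not a member of Protected Users"

# 5. IIS: with a custom app pool identity and kernel-mode authentication, useAppPoolCredentials
#    must be true so the service ticket is decrypted with the service account's key.
$filter = 'system.webServer/security/authentication/windowsAuthentication'
$path   = "IIS:\Sites\$SiteName"
function Get-IisBool([string]$Name) {
    # Get-WebConfigurationProperty returns a raw value or a ConfigurationAttribute; accept both.
    $v = Get-WebConfigurationProperty -PSPath $path -Filter $filter -Name $Name
    if ($v -is [bool]) { $v } else { [bool]$v.Value }
}
$enabled = Get-IisBool 'enabled'
$uapc    = Get-IisBool 'useAppPoolCredentials'
$kernel  = Get-IisBool 'useKernelMode'
Write-Check $enabled               "Windows Authentication is enabled on '$SiteName'"
Write-Check ($uapc -or -not $kernel) "useAppPoolCredentials=$uapc, useKernelMode=$kernel"

# 6. The decisive check: did the client's logon on this server use Kerberos or NTLM?
#    Security event 4624 carries the authentication package; logon type 3 is a network logon.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    ForEach-Object {
        $d = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = ($d | Where-Object Name -eq 'TargetUserName').'#text'
            Type    = ($d | Where-Object Name -eq 'LogonType').'#text'
            Package = ($d | Where-Object Name -eq 'AuthenticationPackageName').'#text'
        }
    } | Where-Object { $_.User -eq $TestUser -and $_.Type -eq '3' }
$latest = $logons | Select-Object -First 1
if ($latest) {
    Write-Check ($latest.Package -eq 'Kerberos') `
        "Last network logon of $TestUser at $($latest.Time) used $($latest.Package)"
} else {
    Write-Check $false "No network logon (type 3) for $TestUser among the last 500 4624 events"
}
```

If step 6 reports NTLM while steps 1 to 5 all pass, the problem is on the client side of the first hop (zone assignment, proxy, or the name the browser is actually using), not in the delegation configuration; if step 1 reports two owners for HTTP/<host>, remove the duplicate before anything else, since the KDC will not issue a ticket for an ambiguous SPN.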

@AdeVos-3655 I think it is not necessary to register an SPN for the HTTPS connection; HTTP can also work. Including the HTTPS default port number in the SPN record is necessary.

1 Vote

A long while ago you could use a tool named DelegConfig to troubleshoot such issues, but now the tool has disappeared from the Microsoft download site after so many rounds of content migration. You'd better involve your domain administrators to help analyze Kerberos logging to see if they can find more hints, or open a support case via to involve the Microsoft support guys. Such complex issues won't get an answer on a forum.

1 Vote
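The Kerberos logging suggested in the comment above is a client-side setting, and the quickest way to use it is to ask the KDC for the exact ticket the browser would request and then read what the client logged. The following is an added example (not from the thread or from Microsoft) to run on the Windows 10 client, logged on as the user whose session fails; the registry step needs an elevated prompt, and the host name is a placeholder. It enables Kerberos client event logging, purges the ticket cache, requests a service ticket for HTTP/<host> with `klist get`, checks whether the ticket was issued and is forwardable (without a forwardable ticket the web server cannot delegate even when its own configuration is correct), and lists the most recent Kerberos errors from the System log.

```powershell
# Added example, not part of the original thread. Run on the Windows 10 client as the
# affected user; the registry step requires elevation. The host name is an assumption.
param([string]$WebHost = 'www.contoso.com')   # the site name users browse to (assumed)

# 1. Kerberos client-side logging: LogLevel=1 writes each Kerberos error the client receives
#    to the System log under the Microsoft-Windows-Security-Kerberos provider (event ID 3).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
New-ItemProperty -Path $key -Name LogLevel -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Drop cached tickets and request a ticket for the SPN the browser uses for both http
#    and https: HTTP/<host>, no port. If this fails, the browser can only fall back to NTLM.
klist purge | Out-Null
$getOutput  = klist get "HTTP/$WebHost" 2>&1 | Out-String
$cacheDump  = klist 2>&1 | Out-String

function Test-ServiceTicket([string]$KlistOutput, [string]$Spn) {
    # klist prints one block per ticket, starting with "#n>"; the block for our SPN must
    # exist and its "Ticket Flags ... -> forwardable ..." line must say forwardable.
    $block = ($KlistOutput -split '#\d+>') | Where-Object { $_ -match [regex]::Escape($Spn) }
    [pscustomobject]@{
        Issued      = [bool]$block
        Forwardable = [bool]($block -match 'forwardable')
    }
}

$result = Test-ServiceTicket $cacheDump "HTTP/$WebHost"
if (-not $result.Issued) {
    Write-Host "No ticket for HTTP/$WebHost was issued. klist get said:`n$getOutput"
} elseif (-not $result.Forwardable) {
    Write-Host "Ticket for HTTP/$WebHost is not forwardable; the user or account is restricted"
} else {
    Write-Host "Forwardable ticket for HTTP/$WebHost obtained; the first hop can use Kerberos"
}

# 3. Show the latest Kerberos errors the client logged (unknown SPN, KDC errors, ...).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos' } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```

If `klist get` succeeds here but the web server still sees NTLM, the browser is not using Negotiate for that URL (for example because the name typed differs from the one placed in the intranet zone); if `klist get` itself fails, the logged Kerberos error names the reason directly, which is the hint the comment above is asking the domain administrators to look for.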

Hi guys,
Thank you for your replies.

The SPN for HTTPS didn't solve the issue.

I have found the DelegConfig v2 tool.
Next week I hope that I can test.

0 Votes

0 Answers