I have a domain with SBS2003 server running IIS on one machine and Windows
Server 2003 running SQL 2000 on another. IIS uses integrated authentication
only, and delegation between IIS and SQL was working as advertised (all the
right checkboxes in Active Dir were set correctly, SQL used the authenticated
client, etc).
We recently added the server with SQL as a Domain Controller so it could be
used as a backup. Once it came on line, delegation stopped working, and IIS
attempts to log in to SQL as the 'NT AUTHORITY\ANONYMOUS LOGON' user, which,
of course, fails.
I am going to remove the DC off of the SQL server, but I thought someone
might know why having the second DC on the SQL server kills delegation.
Thanks,
Paul

I can tell you that SQL running on a DC is not recommended nor is it
tested with SQL 2000.
The best way to determine what is wrong is to make network traces from the
client machine, and use Kerbtray on the client to verify that it is in fact
getting a Kerberos ticket for IIS.
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.

Kevin,
Thanks for your reply. I will look into Kerbtray.
Re: SQL2000 on a DC not supported, isn't that what SBS2003 Premium is?
-Paul
"Kevin McDonnell [MSFT]" <kevmc@.online.microsoft.com> wrote in message
news:sT8Angd5DHA.4028@.cpmsftngxa07.phx.gbl...
> I can tell you that SQL running on a DC is not recommended nor is it
> tested with SQL 2000.
> The best way to determine what is wrong is to make network traces from the
> client machine, and use Kerbtray on the client to verify that it is in fact
> getting Kerberos ticket for IIS.

What service account is SQL using? NetworkService or LocalSystem? Note that
when it was living on a member server, those accounts were mapped to the
computer account, and this account was used when SQL was accessing network
resources. Now, when SQL lives on the DC, so called "loopback
authentication" is taking place, and SQL comes to DC authenticated as
NetworkService or LocalSystem, respectively.
Generally speaking, running two important services on one machine is unsafe.
If one is compromised, the other one will fall too. We do not recommend
running anything on a DC.
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Paul L" <nospam@.loring.net> wrote in message
news:u5x2oRc5DHA.2392@.TK2MSFTNGP11.phx.gbl...
> I have a domain with SBS2003 server running IIS on one machine and Windows
> Server 2003 running SQL 2000 on another. IIS uses integrated authentication
> only, and delegation between IIS and SQL was working as advertised (all the
> right checkboxes in Active Dir we set correctly, SQL used the authenticated
> client, etc).
> We recently added the server with SQL as a Domain Controller so it could be
> used as a backup. Once it came on line, delegation stopped working, and IIS
> attempts to log in to SQL as the 'NT AUTHORITY\ANONYMOUS LOGON' user, which,
> of course, fails.
> I am going to remove the DC off of the SQL server, but I thought someone
> might know why having the second DC on the SQL server kills delegation.
> Thanks,
> Paul

Let's be careful here ;-).
This is kind of an SBS question, it was wrongly cross posted to a whole
bunch of newsgroups and the discussion might not necessarily accurately
reflect an SBS scenario. Such as the following:
> Generally speaking, running two important services on one machine is
> unsafe.
> If one is compromised, the other one will fall too. We do not recommend
> running anything on a DC.
Les Connor [SBS MVP]
--
SBS Rocks !
"Dmitri Gavrilov [MSFT]" <dmitrig@.online.microsoft.com> wrote in message
news:eSmSyWe5DHA.2556@.TK2MSFTNGP09.phx.gbl...
> What service account is SQL using? NetworkService or LocalSystem? Note
> that when it was living on a member server, those accounts were mapped to
> the computer account, and this account was used when SQL was accessing
> network resources. Now, when SQL lives on the DC, so called "loopback
> authentication" is taking place, and SQL comes to DC authenticated as
> NetworkService or LocalSystem, respectively.
> Generally speaking, running two important services on one machine is
> unsafe.
> If one is compromised, the other one will fall too. We do not recommend
> running anything on a DC.
> --
> Dmitri Gavrilov
> SDE, Active Directory Core

Les,
It was "wrongly" posted to the 3 (whole bunch?) newsgroups for the systems
involved. I have a problem that could be in any of the 3 places, SBS, SQL
or AD.
Furthermore, I have no idea what you are trying to say in your reply.
-Paul
"Les Connor [SBS MVP]" <les.connor@.DEL.cfive.ca> wrote in message
news:ekZiRmf5DHA.2720@.TK2MSFTNGP09.phx.gbl...
> Let's be careful here ;-).
> This is kind of an SBS question, it was wrongly cross posted to a whole
> bunch of newsgroups and the discussion might not necessarily accurately
> reflect an SBS scenario. Such as the following:
> > Generally speaking, running two important services on one machine is
> > unsafe.
> --
> Les Connor [SBS MVP]
> --
> SBS Rocks !

Hi Paul,
Yes. The Premium version of SBS contains SQL 2000.
My reply was based upon your statement:
"We recently added the server with SQL as a Domain Controller so it could be
used as a backup"
Based upon this statement, my response is that I would not recommend SQL
2000 on a DC.
My recommendation as far as troubleshooting is the same.
The best way to determine what is wrong is to make network traces from the
client machine, and use Kerbtray from the Windows 2000 Resource Kit on the
client to verify that it is in fact getting a Kerberos ticket for IIS.
To download the Kerbtray utility, visit the following Microsoft Web site:
http://www.microsoft.com/windows200...isting/kerbtray-o.asp
Thanks,
Kevin McDonnell
Microsoft Corporation
This posting is provided AS IS with no warranties, and confers no rights.
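Server-side checks for the symptom Paul reported, added here as an example rather than taken from the thread; they complement the client-side Kerbtray check Kevin suggests. They assume SQL 2000 (so no sys.dm_exec_* views), that SQL records the IIS host under the assumed name 'WEBSRV', and that xp_readerrorlog on SQL 2000 returns two columns.

```sql
-- Added example, not from the thread. 'WEBSRV' is an assumed hostname for
-- the IIS box; use the value SQL records in sysprocesses.hostname.

-- 1. Who is the IIS box connecting as right now? SQL 2000 has no
--    sys.dm_exec_connections, so read master..sysprocesses instead.
SELECT loginame, nt_domain, nt_username,
       COUNT(*)        AS sessions,
       MAX(login_time) AS last_seen
FROM master..sysprocesses
WHERE hostname = 'WEBSRV'
GROUP BY loginame, nt_domain, nt_username
ORDER BY sessions DESC;
-- Healthy delegation: rows carry the browser users' DOMAIN\user accounts.
-- Broken delegation: those rows are missing, because the ANONYMOUS LOGON
-- attempt is refused and never becomes a session.

-- 2. The refused attempts show up only in the SQL error log, and only if
--    the server's login auditing level is Failure or All. On SQL 2000,
--    xp_readerrorlog takes no filter arguments, so spool it and filter here.
--    Assumption: the SQL 2000 result shape is (Text, ContinuationRow).
CREATE TABLE #errlog (entry nvarchar(4000), continuation int);
INSERT INTO #errlog EXEC master..xp_readerrorlog;
SELECT entry
FROM #errlog
WHERE entry LIKE '%Login failed%'
  AND entry LIKE '%ANONYMOUS LOGON%';
DROP TABLE #errlog;

-- 3. From inside the web application's own connection, the one-line test:
SELECT SYSTEM_USER AS login_seen_by_sql;  -- should be the browser user's
                                          -- account, not ANONYMOUS LOGON
```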