IIS/SQL Windows Authentication delegation and trusted domains

  • IIS 6, SQL 2K, Windows authentication to IIS and SQL Server via Kerberos.

    Two domains, A and B.  IIS and SQL Server are in A, domain account for SQL Server is trusted for delegation, and delegation works fine in "A".  Specifically some user in domain A logs into their client PC, hits IIS which connects to SQL Server with an integrated connection string, and SQL Server sees them as the A\user id.

    Now a user in domain B logs in.  Domain B and A trust each other, but are in different forests.  Domain B users are explicitly granted public access on the SQL Server and access to the web pages, and we have confirmed they are connecting to the web server with Windows authentication and the web page sees them as themselves (i.e. B\user).

    When the SQL Server is the same machine as the IIS server all is well, the SQL Server sees them as themselves.

    Delegation does not work, however.  When the SQL Server is a different machine than IIS, the error given is:

    "Login failed for user '(Null)'. Reason: Not associated with a trusted SQL Server connection".

    Again -- when a domain A user does this exact same thing it works fine, and when a domain B user does exactly the same thing but the connection points to the same machine it works fine.  So this is not a case where we do not have delegation working or do not have domain trusts working (since the former requires the former, and the latter requires the latter).

    This appears to be that delegation does not work right in trusted domains.  At least for us.  Different forests - keep that in mind.

    I cannot find any literature about this case.  Most is pre-AD, and what is post AD appears to be domains in the same forest.  I haven't called Microsoft yet, trying to exhaust other means.

    Has anyone set this up between trusted domains in different forests?
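    The post above reasons from two controlled tests (same-machine works, cross-machine fails) to a double-hop failure. The script below is an added example, not code from this thread, that checks the three preconditions those tests depend on from the web-server side: the SQL service account's delegation flag, its MSSQLSvc SPN, and the kind of trust that exists to the other domain. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the account name, SQL host and domain B name are placeholders to replace with your own.

```powershell
# Added example (not from the original thread). Assumptions: the ActiveDirectory
# module is available, and the three parameters below are placeholder values.
param(
    [string]$SqlServiceAccount = 'svc-sql',      # placeholder: SQL Server's domain account in domain A
    [string]$SqlHost           = 'sqlhost.a.example',  # placeholder: SQL Server FQDN
    [string]$OtherForestDomain = 'b.example'     # placeholder: domain B, in the other forest
)

Import-Module ActiveDirectory

# 1. Is the SQL service account actually marked as trusted for delegation?
$acct = Get-ADUser -Identity $SqlServiceAccount -Properties TrustedForDelegation, servicePrincipalName
"Account {0}: TrustedForDelegation={1}" -f $acct.SamAccountName, $acct.TrustedForDelegation

# 2. Does that account hold the MSSQLSvc SPN for the SQL host? Without a matching
#    SPN the client silently falls back to NTLM, which cannot be forwarded by IIS,
#    and SQL Server then sees an anonymous login (the '(Null)' user in the post).
$spns   = @($acct.servicePrincipalName)
$hasSpn = [bool]($spns -match ('^MSSQLSvc/' + [regex]::Escape($SqlHost)))
"MSSQLSvc SPN for {0} present: {1}" -f $SqlHost, $hasSpn
# Equivalent check without the AD module:  setspn -L $SqlServiceAccount

# 3. What kind of trust exists to domain B? The Resource Kit text quoted later in
#    the thread states that Windows 2000 Kerberos does not cross forest boundaries;
#    only a forest trust (ForestTransitive = True) carries Kerberos between forests.
$trust = Get-ADTrust -Filter "Name -eq '$OtherForestDomain'"
if ($trust) {
    "Trust to {0}: Direction={1} ForestTransitive={2} IntraForest={3}" -f `
        $trust.Name, $trust.Direction, $trust.ForestTransitive, $trust.IntraForest
} else {
    "No trust object found for $OtherForestDomain"
}

# 4. Run on the IIS box inside a domain B user's session: a cached ticket for
#    MSSQLSvc/<SqlHost> confirms Kerberos (not NTLM) reached SQL Server.
klist
```

Reading the output: if step 1 or 2 fails, the problem is local to domain A and unrelated to the trust; if both pass but step 3 shows a non-forest, non-transitive trust, the cross-forest failure the post describes is expected behaviour rather than a misconfiguration, and step 4 will show no MSSQLSvc ticket for the domain B user.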

  • These quotes might help you:

    "Windows 2000 automatically supports single sign-on for users within a domain forest."

    "Kerberos authentication uses transparent transitive trust among domains in a forest, but it cannot authenticate between domains in separate forests. To use a resource in a separate forest, the user has to provide credentials that are valid for logging on to a domain in that forest."

  • Thank you.  The second certainly appears on target.

    Can you give me a reference, just for my network admin's reading enjoyment?


  • "Windows 2000 automatically supports single sign-on for users within a domain forest."

    - Windows 2000 Resource Kit, Planning Distributed Security, Authenticating All User Access


    "Kerberos authentication uses transparent transitive trust among domains in a forest, but it cannot authenticate between domains in separate forests. To use a resource in a separate forest, the user has to provide credentials that are valid for logging on to a domain in that forest."

    - Windows 2000 Resource Kit, Planning Distributed Security, Authenticating All User Access, Kerberos Authentication and Trust
