How to name a SPN (part 2)

As you learned last time, the full syntax of an SPN name is: service class/host[:port[/service name]]. Today I will be talking about the port. The port number is an optional qualifier that you can use to ensure that the SPN is unique in the forest. The default port number for a http request is 80 (and 443 for…

How to name a SPN

As previously stated, a SPN is a kind of alias for a domain account. You can have many SPNs for a single domain account, but each SPN must be unique in the forest. The name consists of two mandatory parts (service class and host) and two optional parts (port and service name). The full syntax…

System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGIN'

Depending on how you installed SQL Server, you may receive an SqlException -2146232060 when you are connecting to SQL Server from the web server using the credentials of the end user. One probable reason could be an error in the SPN registration. During installation of SQL Server you need to decide what service account you are going…

WindowsImpersonationContext

Connecting to a database on a remote SQL Server with the end-user credentials requires that you are impersonating the user in code. Start by ensuring that your web.config does not include impersonation: <system.web> <authentication mode="Windows"/> <identity impersonate="false"/> </system.web> Next, modify the section of your code where you are accessing resources on behalf of the end-user. The concept…

Impersonation

The next hurdle to solve is to connect to the database with the correct user. Without doing anything, your connection will be made by the application pool account – in the described scenario that would be the mydomain\hrwebact account. That was not what you wanted. The business requirements were that "all authorization should be managed on the SQL Server",…

Kernel-mode authentication

First a short explanation of how the Kerberos ticket is encrypted: The client application (e.g. a web browser) requests a Kerberos ticket from the Domain Controller (KDC). As part of the communication with the DC, the client sends the SPN for the service. The DC finds the domain account that matches the SPN,…

Kerberos Delegation

Kerberos Delegation is a feature that allows an application to reuse the end-user credentials to access resources hosted on a different server. You should only allow that if you really trust the application server; otherwise the application may use your credentials for purposes that you didn't think of, like sending e-mails on your behalf or…

What is a SPN and why should you care?

I remember the first time I saw the acronym SPN, when I was introduced to WCF some years ago. After reading the article on MSDN I didn't feel any better. What is a ServicePrincipalName? The way I usually think of it now (and I apologize to those of you who don't know the DNS lingo) is that it is conceptually the same as…

Introduction

Hi everyone! Finally got around to setting up my blog. For those who don't know me – I'm Per Nygaard, an Architect in Microsoft Services, Denmark. I joined Microsoft in 1999 as a consultant, and I have assisted many customers with both platform related areas (e.g. Windows, IIS and Active Directory) as well as developer related…