With a Batch File
I have come across many blogs and websites that go into great detail on how to solve the double hop issue. I have shared these with my colleagues and customers, and they all think the solutions seem too complex, and therefore do not want to use Kerberos.
Solving the Double Hop Issue with Kerberos is not complex.
This diagram illustrates the problem.
This is taken from a very good blog on the same subject which goes into way more detail…
What you need to fix it
- I would recommend running services as domain users rather than Network Service or local users ("services" meaning the application pools for the web sites and the SQL Server services).
- Service Principal Names.
- Local machine rights granted to the service accounts:
  - Act as part of the operating system
  - Impersonate a client after authentication
- Settings in AD for the machines to allow delegation.
- Settings in AD for the service accounts to allow delegation.
What does this mean
A Service Principal Name (SPN) is the name by which a client uniquely identifies an instance of a service. For example, HTTP/Servername is the SPN for a web site at Servername, and MSSQLSvc/ServerName:1234 is the SPN for a SQL Server service running on ServerName on port 1234 (see http://msdn.microsoft.com/en-us/library/ms677949(VS.85).aspx for more information on service principal names). The SPN must be registered on the account the service actually runs as, and on that account only: if the same SPN exists on two accounts the KDC cannot issue a Kerberos ticket for it and clients fall back to NTLM, which cannot be delegated.
Local machine rights are managed with Local Security Policy (found under Administrative Tools).
Both AD settings are edited with the MMC Snap-in “Active Directory Users and Computers”. You need to allow both the service users and the machine to delegate.
Some tools from the web
You need:
- SETSPN.EXE (create the SPNs): found in the Windows Resource Kit
- NTRIGHTS.EXE (set local machine rights): found in the Windows Resource Kit
- ADSUTIL.VBS (configure IIS authentication): installed with IIS
- userdelegation.vbs and machinedelegation.vbs (set the delegation rights in AD): on CodePlex
- The batch file: below, and on CodePlex
The Batch File
@REM Setup VARS - edit these for your environment (the values below are examples)
SET MACHINE1=WEB1
SET MACHINE2=WEB2
SET FQDN=contoso.local
SET USERACCOUNT=CONTOSO\svc-web
@REM WEBID is the WEBSITE ID, the Default Web Site is 1
SET WEBID=1
@REM Use adsutil to config IIS to use Kerberos
@REM (adsutil.vbs lives in the IIS 6 AdminScripts folder; run this line on each web server)
cscript C:\inetpub\adminscripts\adsutil.vbs set w3svc/%WEBID%/root/NTAuthenticationProviders Negotiate
@REM Use SETSPN to create the SPNs on the service account, short and fully qualified name for each server
@REM (on Windows Server 2008 and later use -S instead of -A: it refuses to add a duplicate SPN)
setspn -A HTTP/%MACHINE1% %USERACCOUNT%
setspn -A HTTP/%MACHINE1%.%FQDN% %USERACCOUNT%
setspn -A HTTP/%MACHINE2% %USERACCOUNT%
setspn -A HTTP/%MACHINE2%.%FQDN% %USERACCOUNT%
@REM Use NTRIGHTS to enable Act as part of operating system and
@REM Impersonate a client after authentication on both web servers
ntrights +r SeTcbPrivilege -u %USERACCOUNT% -m \\%MACHINE1%
ntrights +r SeTcbPrivilege -u %USERACCOUNT% -m \\%MACHINE2%
ntrights +r SeImpersonatePrivilege -u %USERACCOUNT% -m \\%MACHINE1%
ntrights +r SeImpersonatePrivilege -u %USERACCOUNT% -m \\%MACHINE2%
@REM Use VB Scripts to give the user the delegate right
cscript userdelegation.vbs %USERACCOUNT% enable
@REM Use VB Scripts to give the machine the delegate right
cscript machinedelegation.vbs %MACHINE1%
cscript machinedelegation.vbs %MACHINE2%
@REM Use IISRESET to restart IIS on both servers
iisreset %MACHINE1%
iisreset %MACHINE2%
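The same SPN and delegation steps, as an added PowerShell example that is not the page's batch file or its VB scripts. It uses the ActiveDirectory module and sets constrained delegation (Kerberos only), so the web account can delegate only to the listed SQL Server SPNs rather than to any service, and finishes with the checks a practitioner wants before blaming Kerberos. Every name in it (contoso.local, WEB1, WEB2, SQL1, svc-web, svc-sql, port 1433, the end user jdoe) is an assumption to be replaced.

```powershell
# Added example, not the page's own code. Run on a domain-joined admin box as an
# account allowed to write the service accounts' attributes. Assumed names below.
Import-Module ActiveDirectory

$Domain     = 'contoso.local'
$WebServers = @('WEB1', 'WEB2')     # both app pools run as $WebAccount
$WebAccount = 'svc-web'             # sAMAccountName of the app pool identity
$SqlServer  = 'SQL1'
$SqlAccount = 'svc-sql'             # sAMAccountName of the SQL Server service account
$SqlPort    = 1433

# Step 1: SPNs. setspn -S refuses to add a duplicate; a duplicate SPN anywhere
# in the forest makes the KDC unable to pick an account, and the client silently
# falls back to NTLM, which cannot be delegated.
function Register-Spn {
    param([string]$Spn, [string]$Account)
    setspn -S $Spn $Account | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not register $Spn on ${Account}; run 'setspn -Q $Spn' to find the existing owner"
    }
}
$sqlSpns = @("MSSQLSvc/$SqlServer.${Domain}:$SqlPort", "MSSQLSvc/${SqlServer}:$SqlPort")
foreach ($web in $WebServers) {
    Register-Spn "HTTP/$web" $WebAccount
    Register-Spn "HTTP/$web.$Domain" $WebAccount
}
foreach ($spn in $sqlSpns) { Register-Spn $spn $SqlAccount }

# Step 2: constrained delegation on the web account, limited to the SQL SPNs.
# The KDC checks the delegation setting of the account that owns the HTTP SPN,
# so with a domain user as app pool identity it is the user account, not the
# computer account, that carries the setting. Both flags false = "Kerberos only".
Set-ADUser -Identity $WebAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $sqlSpns }
Set-ADAccountControl -Identity $WebAccount -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Step 3: checks. The end user must also be delegatable: "Account is sensitive
# and cannot be delegated" or Protected Users membership blocks the forwardable
# ticket the web server needs for the second hop.
function Test-DelegationSetup {
    param([string]$WebAccount, [string]$EndUser)
    $svc = Get-ADUser -Identity $WebAccount -Properties ServicePrincipalNames, 'msDS-AllowedToDelegateTo'
    $usr = Get-ADUser -Identity $EndUser -Properties AccountNotDelegated, MemberOf
    [pscustomobject]@{
        WebSpns           = $svc.ServicePrincipalNames
        AllowedToDelegate = $svc.'msDS-AllowedToDelegateTo'
        UserDelegatable   = -not $usr.AccountNotDelegated
        UserInProtected   = [bool]($usr.MemberOf -match '^CN=Protected Users,')
    }
}
Test-DelegationSetup -WebAccount $WebAccount -EndUser 'jdoe' | Format-List
setspn -X    # forest-wide duplicate SPN report; it must be empty
```

The IIS authentication step stays on each web server (adsutil on IIS 6; on IIS 7 and later, with the app pool running as a domain user, also set useAppPoolCredentials to true on Windows Authentication, otherwise kernel-mode authentication decrypts tickets with the computer account, which does not hold the HTTP SPN). The ntrights step stays as in the batch file, with one caveat: "Act as part of the operating system" (SeTcbPrivilege) lets the account build tokens for any user and is effectively local SYSTEM on that machine, so test whether the application works with only "Impersonate a client after authentication" before granting it.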
Really good external websites
blog foo
ASP.NET Application to help