Kerberos Double Hop


Question

We have the infamous Kerberos double hop issue.

This is a brand new domain, migrated from another provider where impersonation and delegation were previously working. We have upgraded the OS and moved to the latest SQL Server (2017).

WPF app (using domain creds) -> Web Service (WCF app on IIS 10) -> SQL 2017 (named instance)

The web service is running under a domain account. The web service has an SPN registered; Anonymous Auth is disabled, as is Forms Auth; ASP.NET Impersonation and Windows Auth are enabled. Providers are "Negotiate and NTLM", "Kernel Mode" is disabled, "Use App Pool credentials" is enabled. SPN created:

HTTP/<url of web service> <AppPool Creds> 

We are able to log in to the web service via a browser on a remote computer, enter domain credentials and get the expected response (web page displayed). The IIS log shows the domain user's creds as expected.

The SQL Server is a named instance, running under domain creds. SPNs created:

MSSQLSvc/<fqdn>:<Instance> <SQL Domain Creds>

MSSQLSvc/<sql server netbios>:<Instance> <SQL Domain Creds>

MSSQLSvc/<fqdn>:<port> <SQL Domain Creds>

MSSQLSvc/<sql server netbios>:<port> <SQL Domain Creds>

The IIS App Pool user account in AD is set up for constrained delegation to the SQL Server for both the port and the named instance.

When logging in through software to the web service (WPF calling the WCF service with no database call), a normal response is seen.

When logging in through software to the web service with a database call, SQL Profiler shows Anonymous Logon. With Kerberos logging enabled on the IIS box, the following error is received:

Error Code: 0xd KDC_ERR_BADOPTION

Extended Error: 0xc0000225 KLIN(0)

Server Name: MSSQLSvc/<sql server fqdn>:49942

Target Name: MSSQLSvc/<sql server fqdn>:49942@<domain.com>

We also tried unconstrained delegation, but received the same result.

SETSPN -X shows no duplicates.

Thanks in advance for your help!
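The Active Directory side of the setup the question describes (the HTTP/ and MSSQLSvc/ SPNs, Kerberos-only constrained delegation from the app pool account to the SQL instance, and the SETSPN -X duplicate check), as an added PowerShell example that is not part of the original post. Account names, host names, the instance name, the port and the test user are placeholders; it assumes RSAT (the ActiveDirectory module and setspn.exe) and a domain-admin session. It also checks two user-side conditions the question does not mention: the KDC refuses to delegate a user who is marked "sensitive and cannot be delegated" or who is a member of Protected Users, whatever the service account's settings are.

```powershell
# Added example, not from the original post. All names below are placeholders.
# Run as a domain admin on a host with RSAT (ActiveDirectory module + setspn.exe).
Import-Module ActiveDirectory

$iisAccount = 'svc_webapp'          # IIS app pool identity (domain account)
$sqlAccount = 'svc_sql'             # SQL Server service account (domain account)
$webFqdn    = 'web.contoso.com'     # host name clients use in the service URL
$sqlFqdn    = 'sql01.contoso.com'
$sqlNetbios = 'SQL01'
$instance   = 'INST1'               # named instance
$port       = 49942                 # the instance's TCP port (keep it static)
$testUser   = 'alice'               # a user whose identity should reach SQL

# 1. SPNs. setspn -S refuses to add an SPN that already exists anywhere in the forest;
#    a silent duplicate (setspn -A) would only show up later as NTLM/anonymous fallback.
setspn -S "HTTP/$webFqdn" $iisAccount

$sqlSpns = @(
    "MSSQLSvc/${sqlFqdn}:${instance}",
    "MSSQLSvc/${sqlNetbios}:${instance}",
    "MSSQLSvc/${sqlFqdn}:${port}",
    "MSSQLSvc/${sqlNetbios}:${port}"
)
foreach ($spn in $sqlSpns) { setspn -S $spn $sqlAccount }

# 2. Constrained delegation, Kerberos only: the app pool account may request tickets to
#    exactly these SQL SPNs on behalf of a caller that authenticated to it with Kerberos.
#    msDS-AllowedToDelegateTo is the list the KDC consults when it answers the S4U2proxy
#    request; a target SPN missing from this list is refused.
Set-ADUser -Identity $iisAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $sqlSpns }

# Keep protocol transition ("use any authentication protocol") off unless the front end
# must accept non-Kerberos callers; it lets the service impersonate users who never
# authenticated to it. Unconstrained delegation must be off or the list above is moot.
Set-ADAccountControl -Identity $iisAccount -TrustedToAuthForDelegation $false
Set-ADAccountControl -Identity $iisAccount -TrustedForDelegation $false

# 3. Checks. Duplicate SPNs anywhere in the forest break Kerberos for both accounts.
setspn -X

# Read the delegation list back exactly as the KDC will see it.
(Get-ADUser -Identity $iisAccount -Properties msDS-AllowedToDelegateTo).'msDS-AllowedToDelegateTo'

# A user flagged "sensitive and cannot be delegated" or placed in Protected Users cannot
# be impersonated through delegation, regardless of how the service account is set up.
$u = Get-ADUser -Identity $testUser -Properties AccountNotDelegated, MemberOf
if ($u.AccountNotDelegated) {
    Write-Warning "$testUser is marked sensitive; delegation of this user is refused."
}
if ($u.MemberOf -match 'CN=Protected Users,') {
    Write-Warning "$testUser is in Protected Users; delegation of this user is refused."
}
```

The delegation list is written with -Replace rather than -Add so the script is a statement of the intended end state; re-running it never accumulates stale SPNs from an earlier port or instance name.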

Answer

When all else fails, and you've literally spent days and days working on the problem and reading every article on the Internet:

REBOOT

Yup. That was the fix. Rebooting the IIS server, which was the server delegating the permissions, fixed the issue.

For those looking to quickly and easily set up constrained delegation between IIS and an instance of SQL, both running under custom domain creds, set your settings exactly as above and reboot.

Best wishes.
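The IIS-side settings the question lists (Anonymous and Forms off, Windows auth on with Negotiate then NTLM, kernel mode off, app pool credentials on, ASP.NET impersonation on), applied with the WebAdministration module, followed by the least disruptive way to make the worker process pick up changed Kerberos state, as an added example that is not part of the original post. The site and app pool names are placeholders; run it elevated on the IIS server.

```powershell
# Added example, not from the original post. 'WebService' and 'WebServicePool' are
# placeholder names. Run in an elevated PowerShell on the IIS server.
Import-Module WebAdministration

$site    = 'WebService'
$pool    = 'WebServicePool'
$appHost = 'MACHINE/WEBROOT/APPHOST'                  # applicationHost.config
$auth    = 'system.webServer/security/authentication'

# Anonymous off, Windows on. These sections are locked in applicationHost.config by
# default, so write them as <location> entries for the site, not into its web.config.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true

# Kernel mode off + app pool credentials on: the HTTP/ service ticket is decrypted with the
# app pool account's key, i.e. the account that holds the HTTP/<fqdn> SPN. With kernel mode
# on and useAppPoolCredentials off, HTTP.sys would try the machine account's key instead,
# which cannot decrypt a ticket issued for the app pool account's SPN.
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$auth/windowsAuthentication" -Name useKernelMode         -Value $false
Set-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$auth/windowsAuthentication" -Name useAppPoolCredentials -Value $true

# Providers: Negotiate first so Kerberos-capable clients use it; NTLM only as a fallback.
# An NTLM fallback at the first hop cannot be delegated, so it shows up as Anonymous Logon at SQL.
Clear-WebConfiguration       -PSPath $appHost -Location $site -Filter "$auth/windowsAuthentication/providers"
Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$auth/windowsAuthentication/providers" -Name '.' -Value @{ value = 'Negotiate' }
Add-WebConfigurationProperty -PSPath $appHost -Location $site -Filter "$auth/windowsAuthentication/providers" -Name '.' -Value @{ value = 'NTLM' }

# Forms auth off and ASP.NET impersonation on (site web.config): the WCF code then opens
# the SQL connection as the caller, which is what makes the worker request a delegated
# MSSQLSvc/ ticket instead of one for its own identity.
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter 'system.web/authentication' -Name mode        -Value 'Windows'
Set-WebConfigurationProperty -PSPath "IIS:\Sites\$site" -Filter 'system.web/identity'       -Name impersonate -Value $true

# Read back what the site will actually use.
Get-WebConfiguration -PSPath $appHost -Location $site -Filter "$auth/windowsAuthentication" |
    Select-Object enabled, useKernelMode, useAppPoolCredentials

# AD-side changes (new SPNs, a changed delegation list) only reach the worker through fresh
# tickets. Recycling the pool starts a new w3wp.exe with a new logon session for the pool
# identity, so it gets a new TGT and new service tickets rather than reusing cached ones.
Restart-WebAppPool -Name $pool

# If SQL still shows ANONYMOUS LOGON afterwards, also clear the SYSTEM logon session's
# ticket cache (0x3e7), which HTTP.sys used while kernel-mode auth was on, then recycle again.
klist -li 0x3e7 purge
Restart-WebAppPool -Name $pool
```

Recycling the pool and purging the relevant ticket caches is the targeted version of the reboot in the answer above: a reboot discards every logon session and ticket cache on the box at once, which is why it works, but an app pool recycle after the AD changes usually achieves the same for the one session that matters.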

