
We have the infamous Kerberos double hop issue.

This is a brand new domain, being migrated from another provider where impersonation and delegation were previously working. We have upgraded the OSes and moved to the latest SQL Server (2017).

WPF app (using domain creds) -> Web Service (WCF app on IIS 10) -> SQL 2017 (named instance)

The web service is running under a domain account. The web service has an SPN registered; Anonymous Auth is disabled, as is Forms Auth; ASP.NET Impersonation and Windows Auth are enabled. Providers are "Negotiate and NTLM," "Kernel Mode" is disabled, "Use App Pool credentials" is enabled. SPN created:

HTTP/<url of web service> <AppPool Creds> 

We are able to login to the web service via a browser on a remote computer, enter domain credentials and have the expected response (web page displayed). IIS Log shows domain user creds as expected.

The SQL server is a named instance, running under domain creds. SPNs created:

MSSQLSvc/<fqdn>:<Instance> <SQL Domain Creds>

MSSQLSvc/<sql server netbios>:<Instance> <SQL Domain Creds>

MSSQLSvc/<fqdn>:<port> <SQL Domain Creds>

MSSQLSvc/<sql server netbios>:<port> <SQL Domain Creds>

The IIS App Pool user account in AD is set up for constrained delegation to the SQL server for both the port and the named instance.

When logging in through software to web service (WPF calling WCF Service with no database call), a normal response is seen.

When logging in through software to web service with a database call, SQL Profiler shows Anonymous Logon. With Kerberos Logging enabled on the IIS box, the following error is received:

Error Code: 0xd KDC_ERR_BADOPTION

Extended Error: 0xc0000225 KLIN(0)

Server Name: MSSQLSvc/<sql server fqdn>:49942

Target Name: MSSQLSvc/<sql server fqdn>:49942@<domain.com>

We also tried unconstrained delegation, but received same result.

SETSPN -X shows no duplicates.

Thank you in advance for your help!

Greg
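The configuration the question lists (four MSSQLSvc SPNs on the SQL service account, one HTTP SPN on the app pool account, constrained delegation on the app pool account) can be audited from AD before touching IIS. In a delegation flow, KDC_ERR_BADOPTION is the KDC refusing the S4U2Proxy request for the middle tier: the SPN the IIS account asks for (MSSQLSvc/fqdn:49942 in the trace above) is not one it is allowed to delegate to, or is not registered where the KDC expects it. The script below is an added example, not code from the original post; it uses the ActiveDirectory module and setspn, and every account, host, instance and port value is a placeholder to be replaced.

```powershell
# Added example, not code from the original question. Audits the AD configuration
# the question describes: SQL SPNs on the SQL service account, the HTTP SPN on the
# IIS app pool account, and the app pool account's constrained-delegation list.
# All account and host names below are placeholders; substitute your own.
Import-Module ActiveDirectory

$AppPoolSam   = 'svc-iis-apppool'     # placeholder: IIS app pool identity (sAMAccountName)
$SqlSvcSam    = 'svc-sql'             # placeholder: SQL Server service account
$WebHost      = 'webapp.contoso.com'  # placeholder: host name clients use for the web service
$SqlFqdn      = 'sql01.contoso.com'   # placeholder
$SqlNetbios   = 'SQL01'               # placeholder
$Instance     = 'INST1'               # placeholder: named instance
$SqlPort      = 49942                 # port shown in the question's KDC_ERR_BADOPTION trace

# The four MSSQLSvc SPN forms the question registers (fqdn/netbios x instance/port).
$expectedSqlSpns = @(
    "MSSQLSvc/${SqlFqdn}:${Instance}",
    "MSSQLSvc/${SqlNetbios}:${Instance}",
    "MSSQLSvc/${SqlFqdn}:${SqlPort}",
    "MSSQLSvc/${SqlNetbios}:${SqlPort}"
)
$expectedHttpSpn = "HTTP/$WebHost"

$props = 'ServicePrincipalNames', 'msDS-AllowedToDelegateTo',
         'TrustedForDelegation', 'TrustedToAuthForDelegation'
$sqlAcct = Get-ADUser -Identity $SqlSvcSam  -Properties $props
$iisAcct = Get-ADUser -Identity $AppPoolSam -Properties $props

$findings = @()

# 1. Every expected SPN must be on the SQL service account (-contains is case-insensitive).
foreach ($spn in $expectedSqlSpns) {
    if ($sqlAcct.ServicePrincipalNames -notcontains $spn) {
        $findings += "MISSING SPN on ${SqlSvcSam}: $spn"
    }
}

# 2. The HTTP SPN must be on the app pool account, because "Use App Pool credentials"
#    makes IIS decrypt the client's service ticket with that account's key.
if ($iisAcct.ServicePrincipalNames -notcontains $expectedHttpSpn) {
    $findings += "MISSING SPN on ${AppPoolSam}: $expectedHttpSpn"
}

# 3. Constrained delegation: the KDC only issues an S4U2Proxy ticket for SPNs listed in
#    msDS-AllowedToDelegateTo. The SPN IIS asks for (fqdn:port in the question's trace)
#    must match an entry there, otherwise the KDC answers KDC_ERR_BADOPTION.
$allowed = @($iisAcct.'msDS-AllowedToDelegateTo')
foreach ($spn in $expectedSqlSpns) {
    if ($allowed -notcontains $spn) {
        $findings += "NOT in msDS-AllowedToDelegateTo on ${AppPoolSam}: $spn"
    }
}

# 4. TrustedForDelegation is unconstrained delegation: the account may impersonate
#    callers to any service. It should stay off when constrained delegation is the design.
if ($iisAcct.TrustedForDelegation) {
    $findings += "${AppPoolSam} is trusted for UNCONSTRAINED delegation; constrained only is the safer setting"
}
# TrustedToAuthForDelegation is "Use any authentication protocol" (protocol transition).
# Kerberos end to end does not need it, so it is reported for review, not as a gap.
"Protocol transition enabled on ${AppPoolSam}: $($iisAcct.TrustedToAuthForDelegation)"

# 5. Duplicate SPNs anywhere in the domain make the KDC encrypt tickets with the wrong key
#    (the same check as setspn -X in the question).
"--- setspn -X ---"
& setspn.exe -X

if ($findings.Count -eq 0) { "No configuration gaps found." } else { $findings }
```

Run it as an account that can read the two user objects. A finding in step 3 is the one to expect for the error in the question: the SPN in the "Target Name" line of the Kerberos log must appear, character for character apart from case, in the app pool account's delegation list.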
    KDC_ERR_BADOPTION usually implies an issue with the middle server (IIS server in this case). Can you remove NTLM as a provider? You don't want that as even an option. NTLM may be giving you a false positive that the IIS server is configured correctly. – StrayCatDBA Apr 26 '18 at 17:43
  • ok. NTLM removed. IIS Restarted. Same issue. Logged into website with domain creds and continued to work as before. Also tested software without database hit, and it too works as before. I agree this issue is with middle server. I noticed the error message didn't get correctly pasted, so I have updated it. – Greg Apr 26 '18 at 17:51
  • 1
    "this is a brand new domain". Are some of your servers still in older AD domain? If so, check their compatibility levels. If for example, one AD is running in 2003 compat mode, then it wouldn't support some encryption options for Kerberos tickets. KDC_ERR_BADOPTION – Tagar Apr 26 '18 at 20:28
  • No. All are Windows 2016. The domain was started from scratch vs. a migration. – Greg Apr 26 '18 at 20:33


When all else fails, and you've literally spent days and days working on the problem and reading every article on the Internet:

REBOOT

Yup. That was the fix. Rebooting the IIS server, which was the server delegating the permissions, fixed the issue.

For those looking to quickly and easily set up constrained delegation between IIS and an instance of SQL, both running under custom domain creds, set your settings exactly as above and reboot.

Best wishes.

Greg
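After the reboot, the way to confirm the second hop actually works is to look at what SQL Server sees for the connections arriving from the IIS host: the login should be the end user and the auth scheme KERBEROS, not NT AUTHORITY\ANONYMOUS LOGON (the symptom in the question's Profiler trace) and not NTLM. The script below is an added example, not code from the original answer; it queries sys.dm_exec_sessions and sys.dm_exec_connections over System.Data.SqlClient with the running user's Windows credentials, and the server, port and IIS host name are placeholders.

```powershell
# Added example, not code from the original answer. Run as a DBA against the instance
# while the WPF -> WCF -> SQL call is made, to confirm the second hop arrives as the
# end user over Kerberos rather than as ANONYMOUS LOGON. Names below are placeholders.
$SqlFqdn = 'sql01.contoso.com'   # placeholder
$SqlPort = 49942                 # placeholder; port from the question's trace
$IisHost = 'WEB01'               # placeholder: host_name SQL Server reports for the IIS box

$query = @"
SELECT s.session_id, s.login_name, s.host_name, s.program_name,
       c.auth_scheme, c.client_net_address
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.is_user_process = 1;
"@

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Data Source=$SqlFqdn,$SqlPort;Initial Catalog=master;Integrated Security=SSPI")
$cmd = $conn.CreateCommand()
$cmd.CommandText = $query
$conn.Open()
try {
    $table = New-Object System.Data.DataTable
    $table.Load($cmd.ExecuteReader())
} finally {
    $conn.Close()
}

# Only sessions coming from the IIS server say anything about delegation.
$fromIis = @($table.Rows | Where-Object { $_.host_name -eq $IisHost })

if ($fromIis.Count -eq 0) {
    "No user sessions from $IisHost; make a database call through the app and re-run."
}

foreach ($row in $fromIis) {
    if ($row.login_name -eq 'NT AUTHORITY\ANONYMOUS LOGON') {
        # The classic double-hop failure: IIS could not get a ticket for the user, so
        # the connection reached SQL with no usable identity at all.
        $verdict = 'DELEGATION FAILED: identity lost on the second hop'
    } elseif ($row.auth_scheme -ne 'KERBEROS') {
        # NTLM cannot be delegated; it also hides an SPN or delegation problem.
        $verdict = "NOT KERBEROS ($($row.auth_scheme)): check SPNs and delegation"
    } else {
        $verdict = 'OK: Kerberos with the delegated user identity'
    }
    '{0,-35} {1,-10} {2,-25} {3}' -f $row.login_name, $row.auth_scheme, $row.program_name, $verdict
}
```

An "OK" line for each user session from the IIS host is the end-to-end proof the answer's reboot is meant to produce; a remaining NTLM line means the first hop silently fell back (which is why the comment above suggests removing NTLM as a provider while troubleshooting) and delegation never had a chance to run.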
  • Please self-mark your answer as accepted. It's allowable. This signposts the question to others who also may be searching about same problem. – T-Heron Apr 29 '18 at 23:48