Delegation Failure
Posted by Paul L on January 28th, 2004


I have a domain with SBS2003 server running IIS on one machine and Windows
Server 2003 running SQL 2000 on another. IIS uses integrated authentication
only, and delegation between IIS and SQL was working as advertised (all the
right checkboxes in Active Directory were set correctly, SQL used the authenticated
client, etc).

We recently added the server with SQL as a Domain Controller so it could be
used as a backup. Once it came online, delegation stopped working, and IIS
attempts to log in to SQL as the 'NT AUTHORITY\ANONYMOUS LOGON' user, which,
of course, fails.

I am going to remove the DC off of the SQL server, but I thought someone
might know why having the second DC on the SQL server kills delegation.

Thanks,
Paul



Posted by Dmitri Gavrilov [MSFT] on January 28th, 2004


What service account is SQL using? NetworkService or LocalSystem? Note that
when it was living on a member server, those accounts were mapped to the
computer account, and this account was used when SQL was accessing network
resources. Now, when SQL lives on the DC, so-called "loopback
authentication" is taking place, and SQL comes to the DC authenticated as
NetworkService or LocalSystem, respectively.

Generally speaking, running two important services on one machine is unsafe.
If one is compromised, the other one will fall too. We do not recommend
running anything on a DC.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Paul L" <nospam@loring.net> wrote in message
news:u5x2oRc5DHA.2392@TK2MSFTNGP11.phx.gbl...


Posted by Les Connor [SBS MVP] on January 28th, 2004


Let's be careful here ;-).

This is kind of an SBS question; it was wrongly cross-posted to a whole
bunch of newsgroups, and the discussion might not necessarily accurately
reflect an SBS scenario. Such as the following:

--
Les Connor [SBS MVP]
-------------------------------------
SBS Rocks !



"Dmitri Gavrilov [MSFT]" <dmitrig@online.microsoft.com> wrote in message
news:eSmSyWe5DHA.2556@TK2MSFTNGP09.phx.gbl...


Posted by Paul L on January 29th, 2004


Les,

It was "wrongly" posted to the 3 (whole bunch?) newsgroups for the systems
involved. I have a problem that could be in any of the 3 places, SBS, SQL
or AD.

Furthermore, I have no idea what you are trying to say in your reply.

-Paul


"Les Connor [SBS MVP]" <les.connor@DEL.cfive.ca> wrote in message
news:ekZiRmf5DHA.2720@TK2MSFTNGP09.phx.gbl...


