So one of two things has happened:
1. You thought I would never post again, or
2. you thought I changed my name to Matt.  Well, to start off the new year, here is my start at weekly posts.

You might ask what the two-hop limit is. The simple explanation is that, by default, an impersonated user's credentials can only be passed between two machines. If Machine A requests work on Machine B for an impersonated user, Machine B can perform the work, but it cannot offload that work to Machine C, because the authentication for the user fails on the third machine.  The easiest way to fix this is to implement Kerberos delegation.

Now you are probably asking why this is of any importance.  It comes up most often with web pages that impersonate the current user and make calls to web services, a database server, or both.  An interesting place to see it is Microsoft's Reporting Services, which uses web services as its main method of execution yet is promoted for use with a web front end.

Disclaimer: You should consult with your network administrator to make sure implementing Kerberos delegation will not cause any other problems before rolling it out to production. Such problems might include having to change the entire virtual directory to use Windows authentication, or authentication failing with a "401.3" error when the web site's "Host Header" differs from the server's NetBIOS name.

Here is an example of where you would run into the problem and be able to fix it by turning on Kerberos delegation.  Let's say you have three machines: Machine A is a web server running IIS 6 and ASP.NET, Machine B is a report server running Microsoft Reporting Services, and Machine C is a database server running Microsoft SQL Server.

Now let's say that the web page uses the NT login to determine whether the user has access to the web page, to determine the parameters of the report to run, and as the login to the database so that it returns information specific to that user.

Your chain of execution would be:

  1. The user calls the web page from IE, Integrated Windows Authentication is enabled, and ASP.NET impersonates the current user.

                     <system.web>
                       <!-- impersonation needs Windows authentication in ASP.NET as well as Integrated Windows Authentication in IIS -->
                       <authentication mode="Windows"/>
                       <identity impersonate="true"/>
                     </system.web>

  2. The ASP.NET page calls the Reporting Services web service for the report, passing along the current security context.

            ' Create an instance of the ReportServer web service proxy
            Dim proxy As New ReportServer.ReportingService
            proxy.Url = "http://localreportserver/ReportServer/ReportService.asmx"

            ' Use the default credentials; under impersonation these are
            ' the credentials of the Windows user that IIS is impersonating.
            proxy.Credentials = System.Net.CredentialCache.DefaultCredentials

  3. The report's dataset is set up to use Windows NT Integrated Security.
  4. The database is set up so that all domain users can run the stored procedures.
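Before wiring step 2 through to step 4, it helps to know whether the token on Machine A can make the second hop at all. The following VB.NET diagnostic is an added example, not code from the original post: it reads the impersonated Windows token and reports its authentication package and impersonation level. An NTLM token can never be forwarded, and a Kerberos token at TokenImpersonationLevel.Delegation is what "Trust this computer for delegation" on Machine A's computer account produces. It assumes .NET Framework 2.0 or later (WindowsIdentity.ImpersonationLevel does not exist in 1.1) and the web.config from step 1; the class and function names are my own.

```vb
' Added example: report whether the impersonated token on the web server
' (Machine A) can survive a second hop to Machine B. Assumes .NET 2.0+
' and <authentication mode="Windows"/> plus <identity impersonate="true"/>.
Imports System
Imports System.Security.Principal
Imports System.Text

Public Class HopDiagnostics

    ' Builds a short report of the security context the page runs under.
    ' Usage in Page_Load (hypothetical):
    '   Response.Write("<pre>" & HopDiagnostics.Describe(WindowsIdentity.GetCurrent()) & "</pre>")
    Public Shared Function Describe(ByVal id As WindowsIdentity) As String
        Dim sb As New StringBuilder()
        sb.AppendLine("User:                " & id.Name)
        sb.AppendLine("AuthenticationType:  " & id.AuthenticationType)
        sb.AppendLine("ImpersonationLevel:  " & id.ImpersonationLevel.ToString())
        sb.AppendLine("Second hop possible: " & CanDelegate(id).ToString())
        Return sb.ToString()
    End Function

    ' True only when the token came from Kerberos and carries a forwarded
    ' TGT (TokenImpersonationLevel.Delegation), which is what unconstrained
    ' delegation on the computer account produces. NTLM tokens stop here:
    ' the user's password hash never leaves the client, so the web server
    ' cannot re-authenticate as that user to Machine B.
    '
    ' Caveat: constrained delegation (Windows Server 2003 and later) leaves
    ' the token at Impersonation level and lets the Kerberos package do the
    ' forwarding itself, so in that setup only the NTLM test is conclusive.
    Public Shared Function CanDelegate(ByVal id As WindowsIdentity) As Boolean
        If Not String.Equals(id.AuthenticationType, "Kerberos", StringComparison.OrdinalIgnoreCase) Then
            Return False
        End If
        Return id.ImpersonationLevel = TokenImpersonationLevel.Delegation
    End Function

End Class
```

If the page shows "NTLM", the browser never negotiated Kerberos with Machine A (typically a missing or wrong HTTP service principal name for the host name in the URL), and no delegation setting in Active Directory will help until that is fixed.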

If the security information has to be passed from Machine A through Machine B on to Machine C and the web server is using impersonation, then you will have to turn on Kerberos delegation, or you will get a SQL Server message saying "Login Failed for User (Null). Reason: Not associated with a trusted SQL Server connection", which in this case really means invalid user credentials.  So you get together with your network administrator, open up Active Directory, set the correct settings for Kerberos delegation, and off you go.
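Once the administrator has made the change, the following VB.NET snippet (an added example, not code from the original post) reads back what Active Directory actually holds for a computer account: the TRUSTED_FOR_DELEGATION bit in userAccountControl (the "Trust this computer for delegation to any service" checkbox), any msDS-AllowedToDelegateTo entries (constrained delegation), and the registered service principal names, since Kerberos on the web server also needs an HTTP SPN matching the host name the browser uses, which is the host-header issue mentioned in the disclaimer. It uses System.DirectoryServices, must run as a domain user with read access to the computer object, and the class name, function names, constant names and the "MACHINEB" sample are mine.

```vb
' Added example: read the delegation-related attributes of a computer
' account from Active Directory. Needs a reference to
' System.DirectoryServices.dll and .NET 2.0+ (for Using blocks).
Imports System
Imports System.DirectoryServices
Imports System.Text
Imports System.Text.RegularExpressions

Public Class DelegationCheck

    ' userAccountControl flag bits (ADS_USER_FLAG_ENUM values).
    Private Const ADS_UF_TRUSTED_FOR_DELEGATION As Integer = &H80000
    Private Const ADS_UF_TRUSTED_TO_AUTH_FOR_DELEGATION As Integer = &H1000000

    ' computerName is the NetBIOS name, e.g. "MACHINEB"; the trailing "$"
    ' of the sAMAccountName is added if it is missing.
    Public Shared Function Describe(ByVal computerName As String) As String
        ' Accept only the characters a NetBIOS computer name can contain so the
        ' value cannot alter the LDAP filter built below.
        If computerName Is Nothing OrElse Not Regex.IsMatch(computerName, "^[A-Za-z0-9\-]{1,15}\$?$") Then
            Throw New ArgumentException("Not a valid computer account name.", "computerName")
        End If
        Dim computerSam As String = computerName
        If Not computerSam.EndsWith("$") Then computerSam &= "$"

        Dim sb As New StringBuilder()
        Using rootDse As New DirectoryEntry("LDAP://RootDSE")
            Dim defaultNc As String = CStr(rootDse.Properties("defaultNamingContext").Value)
            Using domainRoot As New DirectoryEntry("LDAP://" & defaultNc)
                Using searcher As New DirectorySearcher(domainRoot)
                    searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=" & computerSam & "))"
                    searcher.PropertiesToLoad.Add("userAccountControl")
                    searcher.PropertiesToLoad.Add("msDS-AllowedToDelegateTo")
                    searcher.PropertiesToLoad.Add("servicePrincipalName")

                    Dim result As SearchResult = searcher.FindOne()
                    If result Is Nothing Then
                        Return "Computer account " & computerSam & " not found."
                    End If

                    Dim uac As Integer = CInt(result.Properties("userAccountControl")(0))
                    sb.AppendLine("Account:                        " & computerSam)
                    sb.AppendLine("Trusted for delegation (any):   " & ((uac And ADS_UF_TRUSTED_FOR_DELEGATION) <> 0).ToString())
                    sb.AppendLine("Protocol transition allowed:    " & ((uac And ADS_UF_TRUSTED_TO_AUTH_FOR_DELEGATION) <> 0).ToString())
                    AppendValues(sb, "Constrained delegation to:", result.Properties("msDS-AllowedToDelegateTo"))
                    AppendValues(sb, "Service principal names:", result.Properties("servicePrincipalName"))
                End Using
            End Using
        End Using
        Return sb.ToString()
    End Function

    ' Appends one line per value of a multi-valued attribute, or "(none)".
    Private Shared Sub AppendValues(ByVal sb As StringBuilder, ByVal title As String, _
                                    ByVal values As ResultPropertyValueCollection)
        sb.AppendLine(title)
        If values Is Nothing OrElse values.Count = 0 Then
            sb.AppendLine("    (none)")
            Return
        End If
        For Each v As Object In values
            sb.AppendLine("    " & v.ToString())
        Next
    End Sub

End Class
```

Run Describe for every machine that has to forward the user's identity, which in the scenario above is both Machine A (the web server) and Machine B (the report server); Machine C only receives the delegated ticket. If "Trusted for delegation (any)" is False and the constrained list is empty, the delegation setting has not taken effect, and if the SPN list has no HTTP entry for the name in the browser's URL, the first hop will fall back to NTLM and the chain fails before delegation is even attempted.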

Another great article on this is at Ode to Code by Scott Allen.

Thanks to Matt Ranlett for great feedback and for the never ending help on articles.

-- Brendon Schwartz