Kerberos and Windows Authentication Delegation

In an enterprise network with several servers and IIS, authentication can become a problem when a user is logged in to one server that in turn accesses another server on the user's behalf (the so-called double hop). For the user's identity to cross that second hop, the middle server must be trusted to act for the user. For internal company servers this may be acceptable, but when one of those servers sits in a segment exposed to untrusted networks, such as a perimeter network or DMZ (demilitarized zone) facing the Internet, you may not want to grant that trust, because a server trusted for delegation can act as any user who connects to it; compromising the server then compromises those users.

Security delegation is a Windows feature that uses Kerberos to pass a user's security context from one trusted server to the next.

For example, a user can access IIS, which in turn connects to SQL Server, and SQL Server sees the connection as coming from the original user rather than from the IIS service account.

A few conditions must be met for Kerberos delegation to work:

  • All servers must run Windows 2000 or later and be members of the same Active Directory domain, or of domains that trust each other within the same forest.
  • Do not select the Account Is Sensitive and Cannot Be Delegated option for the user account whose identity is being passed along; with that flag set, the KDC will not issue the forwardable ticket the second hop needs.
  • Select the Account Is Trusted for Delegation option for the service account that performs the second hop: the SQL Server service account when SQL Server is itself the middle tier (as with a linked server), or the IIS application pool account in the example above. On Windows Server 2003 and later, prefer constrained delegation, which limits the account to delegating to specific services identified by SPN, over trusting it to delegate to any service.
  • Select the Computer Is Trusted for Delegation option for the server running that middle-tier service when the service runs under a built-in identity such as Network Service or Local System, because the computer account is then the one presenting the delegated credentials.
  • SQL Server must have a Service Principal Name (SPN) registered on its service account, for example MSSQLSvc/sqlhost.domain.com:1433, created with setspn.exe (shipped in the Windows 2000 Resource Kit and included with Windows Server 2008 and later). SQL Server tries to register this SPN itself at startup, but only succeeds if its service account may write its own servicePrincipalName attribute; otherwise register it by hand. A duplicate or missing SPN makes clients silently fall back to NTLM, which cannot be delegated.
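The conditions above, carried out and checked from PowerShell. This is an added example and not code from the book; every name in it (domain corp.example, accounts svc-web, svc-sql and alice, host sql01.corp.example, computer WEB01) is an assumption, as is the presence of the RSAT ActiveDirectory module and, for the last step, the SqlServer module. It goes beyond the book's checkbox by using constrained delegation, which limits the middle tier to the listed SQL Server SPNs.

```powershell
# Added example (not code from the SQL Server 2012 Bible): configure and verify the
# Kerberos double hop IIS -> SQL Server described above.
# All names are assumptions: domain corp.example, IIS application pool account
# svc-web, SQL Server service account svc-sql, SQL host sql01.corp.example:1433,
# test user alice, web server WEB01. Needs the RSAT ActiveDirectory module and
# rights to edit these accounts; step 5 also needs the SqlServer module.
Import-Module ActiveDirectory

$domain  = 'corp.example'
$webSvc  = 'svc-web'      # middle tier: the account that performs the second hop
$sqlSvc  = 'svc-sql'      # back end: the account SQL Server runs as
$user    = 'alice'        # end user whose identity must cross the hop
$sqlHost = "sql01.$domain"
# ${sqlHost} is braced because "$sqlHost:1433" would be parsed as a scope prefix.
$sqlSpns = @("MSSQLSvc/${sqlHost}:1433", "MSSQLSvc/$sqlHost")

# 1. Register the back end's SPNs on its service account. setspn -S refuses to add
#    a duplicate; a duplicate SPN makes Kerberos fail and clients fall back to NTLM,
#    which cannot be delegated.
foreach ($spn in $sqlSpns) {
    & setspn.exe -S $spn $sqlSvc
}

# 2. The user must not be marked "Account is sensitive and cannot be delegated".
#    Report it rather than silently lowering the user's protection.
$u = Get-ADUser -Identity $user -Properties AccountNotDelegated
if ($u.AccountNotDelegated) {
    Write-Warning "$user is marked sensitive; delegation will fail. Clear only if policy allows:"
    Write-Warning "  Set-ADAccountControl -Identity $user -AccountNotDelegated `$false"
}

# 3. Trust the middle-tier account for delegation. Constrained delegation (Windows
#    Server 2003+) lists the exact SPNs it may delegate to; with unconstrained
#    delegation a compromised web server could impersonate its users to any service.
Set-ADUser -Identity $webSvc -Add @{ 'msDS-AllowedToDelegateTo' = $sqlSpns }
# If the application pool runs as Network Service, the computer account delegates:
# Set-ADComputer -Identity 'WEB01' -Add @{ 'msDS-AllowedToDelegateTo' = $sqlSpns }
# Unconstrained form matching the book's checkbox (avoid for a server in a DMZ):
# Set-ADUser -Identity $webSvc -TrustedForDelegation $true

# 4. Verify what the directory now holds.
& setspn.exe -L $sqlSvc
Get-ADUser -Identity $webSvc -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo' |
    Select-Object Name, TrustedForDelegation, 'msDS-AllowedToDelegateTo'

# 5. Prove the double hop from the web tier: in the delegated session, ask SQL Server
#    who it sees and how it authenticated. Success shows corp\alice with auth_scheme
#    KERBEROS. A broken hop fails with "Login failed for user
#    'NT AUTHORITY\ANONYMOUS LOGON'", and auth_scheme NTLM means the first hop never
#    obtained a Kerberos ticket (usually a missing or duplicate SPN).
Invoke-Sqlcmd -ServerInstance $sqlHost -Query @"
SELECT s.login_name, c.auth_scheme
FROM sys.dm_exec_sessions AS s
JOIN sys.dm_exec_connections AS c ON c.session_id = s.session_id
WHERE s.session_id = @@SPID;
"@
```

Run steps 1 to 4 as an administrator who may edit the accounts. Run step 5 on the web server in the context that will actually open the connection (the application pool identity), since the same query from a desktop session shows only a single hop. Delegation settings apply to newly issued tickets, so purge cached tickets (klist purge) or log off and on before re-testing.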

Security delegation is somewhat difficult to ...

Excerpt from Microsoft SQL Server 2012 Bible (O’Reilly learning platform).