I would like to have a setup where my IIS web server sits on a different virtual server from where my SQL Server is installed, and Windows Authentication should be used for all connections. I am currently getting the dreaded Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON' error which a script running on the IIS server runs a query against the SQL Server, which from all my research points to the double hop problem. I tried setting up SPN's to resolve the problem, but didn't really get anywhere. Here is where I am so far:
- In IIS, I have disabled Anonymous Authentication, and enabled Windows Authentication. The Negotitiate provider has precedence over the NTLM provider
- The application pool is set to use the
NetworkService - In ActiveDirectory, both servers (
serveriisandserversql) are set up to allow delegation for all services - The SQL Server service runs using the
svc_sqluser, which has delegation enabled - Let's call the domain
corp.domain.com, and I would like to be able to useinternalas the URL for the intranet website - I believe that the web site should not use the application pool credentials, and should use kernel mode, though I am not 100% certain that is correct
I have tried setting up SPN's for the HTTP service with either the machine account, or the service accounts, but it did not work. The only change I managed to produce was that Chrome gave me a ERR_INVALID_AUTH_CREDENTIALS error when I used the service account. Setting up SPN's for the database (MSSQLSvc) didn't seem to do anything either. I didn't try to use all of the different permutations of machine account/service account for both servers. I have literally spent 2 days trying to get this to work but all the resources I have found online did not point me to the right solution. Both virtual servers are running Windows 2008 R2. I would be very grateful if someone could point me to a solution that does not involve me running IIS on the same server as the database.
