
There is a website set to run on Windows authentication. There are 3 web applications under the site, each on their own application pool, but with the same domain account. ASP.NET impersonation, Use App Pool credentials, and Use Kernel mode authentication are all set to true.

  1. SPN for the website DNS url is in place for the app pool account.
  2. SPN for the SQL service is in place.
  3. App pool account is set to delegate to the SQL service account.

With the above settings in place, the three applications work fine for some time. Then they automatically stop connecting to the DB with the error "Login failed for user NT Authority\Anonymous Logon".

After resetting IIS, the 3 applications stay up for some time, then they again stop connecting to the DB, one application after another. Weird?

What could be the issue? Any pointers?

    Consult the error log of SQL Server, look at [this page](https://msdn.microsoft.com/library/cc645917), and in general, may God have mercy on your soul because these things are extremely annoying to troubleshoot. – Jeroen Mostert Nov 22 '16 at 18:03
  • @Jeroen - the sql logs are the same as in event viewer of the application server! I hope there will be some other clue. After an IIS reset connection resumes but only for a while. Got to see if it is because of keeping the site idle. – Baskar Lingam Ramachandran Nov 22 '16 at 18:24
  • Can you elaborate more on exactly what you meant by saying it might be "because of keeping the site idle"? – T-Heron Nov 23 '16 at 01:11
  • @THeron After IIS reset the site works fine. And I leave it for some time. Then when I refresh the page the connection to SQL breaks. – Baskar Lingam Ramachandran Nov 23 '16 at 07:21
  • As of now, have stopped 2 applications and running only 1 app. The live app is good so far. Had taken this step, since all 3 apps are under same website and all 3 apps are using same domain account for their app pools. Per the MS site https://support.microsoft.com/en-in/kb/907272 the delegation stops working for multiple apps as SPN is provided for the Root Website only. So far the site is up and running. Got to monitor more. Accordingly will need to seek solution to host remaining 2 apps (either with a new site or with a new domain account for app pool). – Baskar Lingam Ramachandran Nov 23 '16 at 11:59
  • Also check the IIS logs. Does the issue coincide with an automatic app pool recycle? You aren't by any chance using Run-As in IE to impersonate a different user? – Nick.Mc Nov 28 '16 at 02:46
  • @Nick - I will check the IIS logs. By the way, could you elaborate a bit on what you mean by "You aren't by any chance using Run-As in IE to impersonate a different user?"? – Baskar Lingam Ramachandran Nov 28 '16 at 08:24

1 Answer


Short Answer:

  1. Create separate websites and app pools.
  2. Create 3 SPNs for three websites.
  3. Create 3 SPNs for three Databases.

Long answer:

  • All 3 web applications have their own Database in the same DB server.
  • A single Kerberos ticket is issued for the URL, and it works fine as long as only 1 application is hit.
  • But there are 3 web applications sitting underneath the website. So had to create 3 separate websites with different URLs with separate app pools, but using the same app pool identity.

    1. SPNs are set for the 3 DNS entries.
    2. And had to create 3 unique SPNs for the 3 Databases as well.

After the above are done, there are no more issues! Hurray!
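The procedure in the answer (one site and app pool per application, one HTTP SPN per site host name, SPNs for the SQL service, and delegation from the pool account to SQL) written out as a PowerShell script. This is an added example, not code from the original question or answer. Every name in it is an assumption: domain CONTOSO, app pool identity svc_webpool, SQL service account svc_sql, host names app1/app2/app3.contoso.com and sql01.contoso.com on port 1433. The SQL side is modelled as a single instance; if each database lives on its own instance, register an MSSQLSvc SPN per instance host:port and add each to the delegation list. It uses setspn.exe and the ActiveDirectory RSAT module and must run as an account allowed to write SPNs and delegation attributes.

```powershell
# Added example (not from the original post). All names below are assumptions.
Import-Module ActiveDirectory

$Domain      = 'CONTOSO'
$PoolAccount = 'svc_webpool'            # identity shared by the three app pools
$SqlAccount  = 'svc_sql'                # account the SQL Server service runs as
$SqlHost     = 'sql01.contoso.com'
$SqlPort     = 1433
$SiteHosts   = 'app1.contoso.com', 'app2.contoso.com', 'app3.contoso.com'

# 1. One HTTP SPN per site host name, all on the app pool account.
#    -S checks the forest for an existing copy before adding; a duplicate SPN
#    makes the KDC unable to pick a key and Kerberos falls back to NTLM or fails.
foreach ($h in $SiteHosts) {
    setspn -S "HTTP/$h" "$Domain\$PoolAccount"
}

# 2. SPNs for the SQL Server service, in both the FQDN and FQDN:port forms
#    that the SQL client may request.
setspn -S "MSSQLSvc/$SqlHost"            "$Domain\$SqlAccount"
setspn -S "MSSQLSvc/${SqlHost}:$SqlPort" "$Domain\$SqlAccount"

# 3. Constrained delegation: the pool account may forward the caller's
#    identity only to the SQL service, not to arbitrary services.
Set-ADUser -Identity $PoolAccount -Add @{
    'msDS-AllowedToDelegateTo' = @("MSSQLSvc/$SqlHost", "MSSQLSvc/${SqlHost}:$SqlPort")
}
# Keep protocol transition off: with kernel-mode auth and app pool credentials
# the front end already authenticates with Kerberos, so "Kerberos only" suffices.
Set-ADAccountControl -Identity $PoolAccount -TrustedToAuthForDelegation $false

# 4. Verify what was registered and look for duplicates forest-wide.
setspn -L "$Domain\$PoolAccount"
setspn -L "$Domain\$SqlAccount"
Get-ADUser -Identity $PoolAccount -Properties msDS-AllowedToDelegateTo |
    Select-Object -ExpandProperty msDS-AllowedToDelegateTo
setspn -X    # should report no duplicate SPNs

# 5. From one of the web servers, confirm the hop to SQL is actually Kerberos.
#    auth_scheme = NTLM (or a login as ANONYMOUS LOGON) means delegation is not working.
sqlcmd -E -S "$SqlHost,$SqlPort" -Q "SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID"
```

Run steps 1 to 3 once after the three sites exist in IIS, each bound to its own host name and app pool; steps 4 and 5 are the checks to repeat after any IIS reset or app pool recycle, since a connection that shows NTLM in auth_scheme is the same condition the question reports as "Anonymous Logon".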