Windows Server


Kerberos Double-hop    



Kerberos Double-hop




Kerberos Double-hop


+ On the client we can Ping the middle tier (Application server) and the backend sql servers by FqDN.

+ Made the Middle server trusted for delegation for any service over kerberos protocol.

+ Made the Max packet size registry key

+ Checked SMB: correct.


+ Client is using IE 5.5+

+ No proxy server is used.

+ Now the cx made the Middle tier service to run in context to a user account

+ Made the following group policy settings:


"Act as part of Operating System".

"Impersonate a client after authentication".





Action Plan - Gather the following information and do the following actions:

1. Do “setspn -L domain\serviceaccount” on a server in the farm. The Service Account should be the one that runs your web application. Please send me an email with the information that setspn returns as well as a list of all alternate access mappings for that web application.

2. In Active Directory, confirm that the account that runs the web application is trusted for delegation by doing the following steps:

a. Locate the account and right click it, then select 'Properties'.

b. Navigate to the 'Delegation' tab.

c. Choose 'Trust this user/computer for delegation to any service (Kerberos)'.

3. Make sure delegation is enabled in Component Services using the following steps:

a. Go to Administrative Tools and open Component Services.

b. Navigation to Component Services > Computers > My Computer.

c. Click on Properties (for My Computer) > Default Properties > Default Impersonation Level = Delegate.

d. Navigate to Component Services > Computers > My Computer > DCOM Config > IIS WAMREG Admin Service.

e. Click on Properties (for IIS WAMREG Admin Service) and navigate to the Security tab.

f. Edit Launch and Activate Permissions.

g. Grant the application pool account 'Local Activation' permissions.

4. IISReset to get everything reset.




Understanding Kerberos Double Hop


Kerberos Double Hop is a term used to describe our method of maintaining the client's Kerberos authentication credentials over two or more connections. In this fashion we can retain the user’s credentials and act on behalf of the user in further connections to other servers.


Please make sure you read the previous Kerberos for the busy admin post as I will reference terms used in that blog frequently.


The Kerberos TGT is the user’s identity. When we pass this ticket along with the service ticket we can re-use the KrbTGT to request other service tickets to speak with our service resources on our network.


There are requirements for a service to be able to perform Kerberos double hop. The service account needs to be trusted for delegation. Meaning it must be trusted to act upon another user’s behalf. Source and target servers must be in the same forest or there must be a forest level trust between forests and the first level service account must be in the trusted forest root.



How it Works:

Step 1 - Client provides credentials and domain controller returns a Kerberos TGT to the client.

Step 2 - Client uses TGT to request a service ticket to connect to Server 1.

Step 3 - Client connects to Server 1 and provides both TGT and service ticket.

Step 4 - Server 1 uses the clients TGT to request a service ticket so Server 1 can connect to Server 2 .

Step 5 - Server 1 connects to Server 2 using the client’s credentials.


Specific Example:

Client is running IE7 and connecting to a web server that is using windows authentication. The client machine needs to be a member of the forest or a trusted forest and IE needs to be enabled for integrated windows authentication.

Web server machine name WEB1.mydomain.com and is using a service account, mydomain\webadmin. The webadmin account has SPN registered for both HTTP/WEB1 and HTTP/WEB1.mydomain.com. The webadmin account is enabled for constrained delegation to MSSQLSVC/SQL1.mydomain.com.

The SQL server machine name is SQL1.mydomain.com and is service account for SQL is mydomain\sqladmin. The sqladmin account has SPN’s registered for MSSQLSVC/SQL1.mydomain.com.

In the example configuration above the client is connecting to http://web1 to get access to data that is stored on a backend SQL server named SQL1. The web page hosts the code that retrieves the data from SQL. The user account is used to authenticate to the web server. The web server uses its constrained delegation ability to request a Kerberos ticket on the user’s behalf for connection to SQL1. If we were to audit the connections we would see the users account is being used to access the web page and the data on the SQL server. This is a classic example of Kerberos double hop but we could easily expand the scenario to include more hops. We could theoretically keep expanding the example as long as we enable delegation and retain the correct service principal name registrations.



Constrained vs. General Delegation:

General delegation will allow the first hop server to request Kerberos tickets on the client behalf to any other resource in the forest.

Constrained delegation is not supported by all Kerberos aware applications. The domain functional level must be 2003. It allows the administrator to selectively allow an account to request Kerberos tickets limited to specific services on specific servers. This is a much more secure method of delegating Kerberos delegation. The service accounts and the computer accounts hosting the applications need to be in the same domain. If the service account is a user account the delegation tab maybe missing. Until the account has a service principal name registered for it there will not be a delegation tab and you will not be able to setup constrained delegation.



Protocol Transition:

So far we have assumed the client is using Kerberos. Common scenarios where Kerberos is not used are when the client does not support Kerberos. In these examples the initial authentication to Server 1 can be transitioned into a Kerberos request in order to maintain the client’s credentials when connecting to Server 2.

Samples of method of protocol transition - http://technet2.microsoft.com/windowsserver/en/library/c312ba01-318f-46ca-990e-a597f3c294eb1033.mspx?mfr=true


Troubleshooting and Common Problems:

Setspn.exe will help confirm the service accounts have the proper service principal name registered correctly.


At each stage one of the members requests and receives a Kerberos ticket. These tickets are cached on the client and the front end servers. We can use Klist.exe or Kerbtray.exe to examine our cache. Frequently when there are configuration problems the client will be prompted for credentials and this may mean NTLM is being used instead of Kerberos. NTLM credentials cannot be delegated off the system so authentication to the backup server will be in the form of anonymous authentication.


We can increase Kerberos event logging (KB262177) When kerberos authentication is failing and we have increased the logging level we should see indicators in the system event log for kerberos errors.


A packet capture utility may also be useful in recording the Kerberos requests and responses. Make sure to clear the client cache before enable a utility like Network Monitor. You could filter on Kerberos, use care that Kerberos requests may use the default UDP port 88 or fail over to TCP port 88.



·         Kerberos on IIS, http://support.microsoft.com/kb/326985 , is a good resource that goes discusses using IIS for the front end server.

·         Kerberos on 2000 server clusters, http://support.microsoft.com/kb/235529

·         Kerberos in SQL Server, http://support.microsoft.com/kb/319723

·         Kerberos with network load balancing, http://support.microsoft.com/kb/325608

·         Kerberos with SMS 2003,  http://support.microsoft.com/kb/326985



·         Kerberos RFC - http://www.ietf.org/rfc/rfc1510.txt

·         Microsoft Kerberos Tech Ref - http://technet2.microsoft.com/windowsserver/en/library/b748fb3f-dbf0-4b01-9b22-be14a8b4ae101033.mspx?mfr=true

·         Kerberos Double Hop webcast - http://support.microsoft.com/kb/887682

·         Constrained Delegation -http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx

·         Protocol Transition - http://technet2.microsoft.com/windowsserver/en/library/4c8b5ac7-368b-45b9-91d7-1ae7c5e0da311033.mspx?mfr=true




No TrackBacks

TrackBack URL: http://www.skar.us/site/mt-tb.cgi/3202

Leave a comment


Author Bio          ★★★★★

Author Name:         ebhakt
Author Location:    India
Author Rank:          Writer
Author Status:        
The Green leave stands!!



  • eBooks
  • Games
  • Softwares
  • Tools
  • Tweaks
  • Wallpapers
  • Warez
  • Games
  • Tools
  • Wallpapers
    System Administration
  • dll Center
  • Scripts
  • Tools
  • .extensions database
  • Write-up
  • Download Database
  • Jobs
  • Lists
  • Polls
  • Glossary

01000011 01110010 01100001 01100011 01101011 01111010 01101000 01100001 01100011 01101011