DelegConfig v2 (beta)

re: DelegConfig v2 (beta)

brian-murphy-booth — Tue, 24 Nov 2009 17:38:14 GMT

JeffS,

I actually copied some functionality from NBTSTAT to determine computer names. You provided only alias.company.com as the hostName so DelegConfig essentially does NBTSTAT against that to get the computer name, but failed. So we are left with not knowing the computer name. If alias.company.com is actually a load balancer that could be why. If you are using load balancing, however, you can't use NetworkService as the app pool user. If this is what you think might be happening, then create a "service account", add it to IIS_WPG, and use that instead.

re: DelegConfig v2 (beta)

Jeff S. — Tue, 24 Nov 2009 16:40:00 GMT

Brian, thank you for this tool! I am having an issue, though. I have a Back-End HTTP server that I'm trying to setup. This server uses the NETWORK SERVICE account as the app pool account, but also uses a DNS alias (not the NETBIOS name). I'm getting the message:

"The domain or workstation membership of NETWORK SERVICE (http://alias.company.com$) could not be determined."

I was expecting it to look for NETWORK SERVICE (NETBIOSName$)???

Am I missing something? Thanks!

re: DelegConfig v2 (beta)

Fredrik.E — Wed, 18 Nov 2009 10:00:20 GMT

Hi. Again.

Instead of MSSQLSvc service they customize it 2 MSSQL$PROD02

And your tool recognize that This server can "account can delegate to the following services: " under Trusted For Delegation? and under More information , there it tells me MSSQL$PROD02/FQDN : portnumber. but i dont have the option 2 chose this for testing .

//Regards Fredrik E

re: DelegConfig v2 (beta)

Gijsbert — Tue, 17 Nov 2009 20:35:34 GMT

Hi Brian,

I get a "TokenImpersonationLevel: Impersonation" warning when running report locally. Presume that's because it is running on the IIS server itself. Domain name used is in the local zone. I do need to pass credentials to a backend DC/Ldap server (what's the account this service is using?).

When running report from a remote client in the same domain I get the "Object reference not set to an instance of an object" message. See the stack trace below.

When running from a remote client my application apparently is assigned the null account when accessing the Ldap server on another server/DC using impersonation, generating the "There is no such object on the server" when trying to open a valid Ldap path. When running my application locally at the IIS server, things run fine.

Any hints?

[NullReferenceException: Object reference not set to an instance of an object.]
BBooth.Status.DomainAccountStatus..ctor(Hop hop) in C:\Archive\Code-Custom\ASPX\Sites\DelegConfig.2.0\Core\Status\DomainAccountStatus.cs:21
BBooth.Report.OverallReport.GetDomainAccountStatus() in C:\Archive\Code-Custom\ASPX\Sites\DelegConfig.2.0\Web\Report\OverallReport.ascx.cs:36
BBooth.Report.OverallReport.SetStatus() in C:\Archive\Code-Custom\ASPX\Sites\DelegConfig.2.0\Web\Report\OverallReport.ascx.cs:29
BBooth.Report.OverallReport.Page_Load(Object sender, EventArgs e) in C:\Archive\Code-Custom\ASPX\Sites\DelegConfig.2.0\Web\Report\OverallReport.ascx.cs:21
System.Web.Util.CalliHelper.EventArgFunctionCaller(IntPtr fp, Object o, Object t, EventArgs e) +24
System.Web.Util.CalliEventHandlerDelegateProxy.Callback(Object sender, EventArgs e) +41
System.Web.UI.Control.OnLoad(EventArgs e) +131
System.Web.UI.Control.LoadRecursive() +65
System.Web.UI.Control.LoadRecursive() +190
System.Web.UI.Control.LoadRecursive() +190
System.Web.UI.Control.LoadRecursive() +190
System.Web.UI.Control.LoadRecursive() +190
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +2427

re: DelegConfig v2 (beta)

brian-murphy-booth — Mon, 16 Nov 2009 19:13:43 GMT

Fredrik,

I did not add a way to add a "custom" service type. I've considered that option, but have not taken the time to implement it. What exactly is the service type you're trying to use? If there is a SQL service type that I haven't included I would be happy to add it.

re: DelegConfig v2 (beta)

brian-murphy-booth — Mon, 16 Nov 2009 19:08:25 GMT

Alistair,

A few things there:

1. You shouldn't really be using an IP address for your "host name". Use the virtual *name* instead. With Kerberos we have the "Service Principal Name" which usually should be a "name" versus an IP address. By using an IP address for the host name you're making SPNs a bit less intuitive. It is possible to get Kerberos working with an IP address instead but in some situations it will have less preditable behavior so I think it best to avoid it entirely.

2. When load balancing you cannot use "Network Service" as the service account due to the whole "duplicate SPN" concept. You should change your service account to a domain user.

3. Based on your question I did some more testing of DelegConfig against a load balanced site at my location. I agree the output isn't clear in that situation so I will rework that a bit so people will know right away to move towards a domain user and away from something like Network Service.

re: DelegConfig v2 (beta)

Fredrik.E — Mon, 16 Nov 2009 08:37:10 GMT

I tried to add a sql server as back-end server.

Problem is that i don't know how to put in a custom service name.

The customer is not using standard MSSQLSvc as service name.

I can't add custom Service Name in your tool since its automaticly put MSSQLSvc in front.

Is there a workaround ?

re: DelegConfig v2 (beta)

brian-murphy-booth — Fri, 02 Oct 2009 20:35:39 GMT

"SQL Server Analysis Services" is referred to as "SSAS" which is also available in the drop-down. The OLAP choice is for the older version of OLAP.

re: DelegConfig v2 (beta)

brian-murphy-booth — Mon, 24 Aug 2009 21:15:02 GMT

I do have supporting "custom" (i.e. not in my hardcoded list) service types on my ToDo list. I don't have any particular timeframe for when that will be added though. What is the service type that you need to use? What is the SPN expected to look like?

re: DelegConfig v2 (beta)

brian-murphy-booth — Mon, 24 Aug 2009 18:31:41 GMT

Hmm... That is probably because the TextBox that holds the original response is trying to postBack all the text to support ViewState. And in that postback there are some characters deemed "dangerous". That should be an easy fix. I'll just disable ViewState on that TextBox since I don't think we need to persist that between requests. Thanks for letting me know!

re: DelegConfig v2 (beta)

Kapn.K — Tue, 11 Aug 2009 19:16:48 GMT

I'm using v2 beta. After setting up the backend unc file share, I receive system SYSTEM(server$) is not a domain account and needs to be joined to the domain. My HTTP service cleaned up when I added it but the "UNC" service has complete failures. Any help is greatly appreciated.

re: DelegConfig v2 (beta)

brian-murphy-booth — Fri, 12 Jun 2009 16:59:52 GMT

Thanks. I had added a sessionState section to my web.config with InProc but based on your suggestion have also added the partitionResolverType attribute as well.

re: DelegConfig v2 (beta)

cduden — Fri, 12 Jun 2009 16:39:18 GMT

If you are using this to test delegation within MOSS 2007 you will need to add the following line to your web.config:

Thanks for the tool Brian. I used it for every MOSS deployment I do.

http://blogs.technet.com/askds/archive/2009/04/30/deleconfig-v2-released.aspx

TrackBack — Thu, 30 Apr 2009 22:28:09 GMT