Month: June 2009
Kerberos Success Story
- SharePoint 2007
- WCF
- SQL Server 2005
The key tool is setspn and that is an optional download which is gui-only and has no protection for the user.
The documentation is generally unclear and there is a lot of erroneous information out there. Some of the functionality required is only visible to some of the domain admins – so that if you don’t have this right then you have no way of knowing what to ask for.
Kerberos is what you need to use to solve the “two-hop problem”. This happens when a service that is called by a client needs to impersonate the client to another service. NTLM will simply fail to authenticate and the call is made as the anonymous user.
The process of getting Kerberos to work is actually quite simple once you understand a few details.
The concept is that you must have a chain of trust running from the server all the way back to the client.
- The client needs to be using Kerberos.
- The server needs to be using Kerberos.
- The identity of the process running on the server needs to be trusted for delegation if it wants to call another server.
- You need to set up a SPN for the called server.
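As an added example (these are not the post's own commands), here is the chain-of-trust setup above written out as a PowerShell session for the SharePoint -> WCF -> SQL Server chain the post describes. Every hostname, port, domain and service-account name is a placeholder; it assumes setspn.exe from Windows Server 2008 or later (whose -S switch refuses to add a duplicate SPN) and, for the delegation step, the ActiveDirectory module.

```powershell
# Added example, not from the original post. All names below are placeholders
# for the two-hop chain: client -> SharePoint (HTTP) -> WCF (HTTP) -> SQL (MSSQLSvc).
# Run as a domain admin or an account granted "Validated write to SPN".
$Domain     = 'CORP'                 # placeholder NetBIOS domain name
$SpAccount  = 'svc-sharepoint'       # SharePoint application pool identity
$WcfAccount = 'svc-wcf'              # identity the WCF service runs as
$SqlAccount = 'svc-sql'              # SQL Server service account
$SpHost     = 'portal.corp.example'  # host name in the URL users browse to
$WcfHost    = 'wcf01.corp.example'   # host the WCF endpoint listens on
$SqlHost    = 'sql01.corp.example'
$SqlPort    = 1433

# 1. One SPN per hop, registered on the account that RUNS that service.
#    -S checks for an existing duplicate first; the older -A (2003 Support
#    Tools) does not, and a duplicate SPN silently drops clients back to NTLM.
setspn -S "HTTP/$SpHost"                    "$Domain\$SpAccount"
setspn -S "HTTP/$WcfHost"                   "$Domain\$WcfAccount"
setspn -S "MSSQLSvc/$($SqlHost):$SqlPort"   "$Domain\$SqlAccount"

# 2. Verify what each account holds, then scan the whole forest for duplicates.
setspn -L "$Domain\$SpAccount"
setspn -L "$Domain\$WcfAccount"
setspn -L "$Domain\$SqlAccount"
setspn -X   # lists any SPN that is registered on more than one account

# 3. Trust the calling identity for delegation, constrained to the next hop
#    only (the "Trust this user for delegation to specified services only"
#    option in Active Directory Users and Computers). SharePoint may only
#    delegate to the WCF SPN, and WCF only to the SQL SPN.
Import-Module ActiveDirectory
Set-ADUser $SpAccount  -Add @{ 'msDS-AllowedToDelegateTo' = "HTTP/$WcfHost" }
Set-ADUser $WcfAccount -Add @{ 'msDS-AllowedToDelegateTo' = "MSSQLSvc/$($SqlHost):$SqlPort" }

# 4. Client-side check: after the services restart and the user's cached
#    tickets are cleared, browsing the portal should leave a service ticket
#    for HTTP/<portal host> in the cache. If only the krbtgt ticket appears,
#    the client fell back to NTLM (wrong or missing SPN, an IP address used
#    instead of the host name, or the site not treated as an intranet site).
klist purge
klist
```

The service accounts must be restarted (or the app pool recycled) after the SPN and delegation changes, because the Kerberos ticket a process already holds does not pick up new attributes until it is reissued.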