Anil kumar

Reputation: 545

Double Hop Issue

I am trying to solve the double hop issue in my application. We need to have webserver ITSXXXXXXX trusted for delegation to the SQL Server machine ITXXXXXXX. I followed this article https://blogs.msdn.microsoft.com/chiranth/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis/ (points 9-12) to solve the issue. What we did was select "Trust this computer for delegation to any service (Kerberos only)" and this worked. But now I have got a notification from my N/W team that it's not secure and I must select "Trust this computer for delegation to specified service only". My question is: what is the list of services that I need to specify for my application to work the same way it was working when I selected the "Trust this computer for delegation to any service (Kerberos only)" option?

EDIT: I am able to resolve the issue with the below delegation settings, but the problem is I need to select the "Use any authentication protocol" option in the delegation tab, while I have made the configurations on IIS and in web.config for using Kerberos authentication (steps mentioned in the article). Please help if anyone knows how to resolve this issue.


Upvotes: 0

Views: 358

Answers (1)

T-Heron

Reputation: 5584

Specify the MSSQLSVC service principal (SPN) in the list of services on the AD account which is being trusted for delegation. The below article explains how to do it and provides a lot of troubleshooting points. Depending on your setup, you might have to specify the HTTP SPN in that list of services as well.

SQL Server Kerberos and SPN Quick Reference

Upvotes: 0
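The change discussed in this thread (moving the web server from "any service" delegation to a specified list containing the SQL Server SPN) can also be made and verified with the ActiveDirectory PowerShell module. This is an added example, not part of the question or the answer. It assumes the delegating account is the web server's computer account, a default SQL instance on port 1433, and uses the placeholder names `WEBSERVER01`, `sqlserver01` and `example.com`; it sets the "Use Kerberos only" variant.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and rights to edit the account.
Import-Module ActiveDirectory

# Placeholders (assumptions): replace with your own host names, domain and SQL port.
$WebServer = 'WEBSERVER01'      # computer account that is trusted for delegation
$SqlSpns   = @(
    'MSSQLSvc/sqlserver01.example.com:1433',
    'MSSQLSvc/sqlserver01.example.com'
)

# Report which delegation mode the account is currently in.
function Get-DelegationState {
    param([string]$Name)
    Get-ADComputer $Name -Properties TrustedForDelegation,
            TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
        Select-Object Name,
            TrustedForDelegation,        # True = "any service" (unconstrained)
            TrustedToAuthForDelegation,  # True = "Use any authentication protocol"
            @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
}

# 1. Each target SPN must be registered on exactly one account, otherwise
#    Kerberos ticket requests for it fail and the double hop breaks.
foreach ($spn in $SqlSpns) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
    if ($owners.Count -ne 1) {
        Write-Warning "$spn is registered on $($owners.Count) account(s); fix the SPN before delegating."
    }
}

# 2. Record the state before the change.
Get-DelegationState $WebServer

# 3. Switch off unconstrained delegation and protocol transition, then
#    restrict delegation to the SQL Server SPNs only.
$account = Get-ADComputer $WebServer
Set-ADAccountControl -Identity $account -TrustedForDelegation $false -TrustedToAuthForDelegation $false
Set-ADComputer -Identity $account -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$SqlSpns }

# 4. Confirm: both flags False and only the MSSQLSvc SPNs listed.
Get-DelegationState $WebServer
```

If the IIS application pool runs as a domain service account rather than a built-in identity, the same settings belong on that user account (`Get-ADUser` / `Set-ADUser`) instead of the computer account.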
