We've been struggling for a while to get what I had assumed would be a relatively common scenario to work, and would appreciate any pointers.
We have 2 x Windows 2012 Servers running:
- IIS Server
- SQL Server 2012
We have Kerberos delegation set up and working from the IIS server to the SQL Server. Users authenticate to IIS and then these are passed through to SQL Server for any operations that are performed using delegation.
Everything works fine with Negotiate (Kerberos then NTLM) set up on IIS and when accessing the site internally, but when we try putting the site behind a reverse proxy (Sonicwall SRA), it breaks.
Having done a bit of investigation, it would appear that this is because Kerberos authentication doesn't work behind a reverse proxy, so we need to switch to Basic (as NTLM doesn't work for delegation between IIS and SQL Server).
So is best practice in this case to use HTTPS to protect Basic authentication, or is there a way to get Negotiate (Kerberos) working?
It does seem odd that one needs to use Basic because
- Kerberos cannot be used behind a reverse proxy and
- NTLM can't be used to delegate
But maybe that's just the way it is.
0 Answers