Does this meet the goal?

A company has a line-of-business application named App1 that runs on an internal IIS server. App1 uses
a SQL Server 2008 database that is hosted on the same server. You move the database to a dedicated
SQL Server named SQL1.
Users report that they can no longer access the application by using their domain credentials.
You need to ensure that users can access App1.
Solution: You configure Kerberos-constrained delegation and then run the following command from an
administrative command prompt:
setspn-a MSSQLsvc/SQLl:1433 <domain>\\<sql_service>
Does this meet the goal?

A company has a line-of-business application named App1 that runs on an internal IIS server. App1 uses
a SQL Server 2008 database that is hosted on the same server. You move the database to a dedicated
SQL Server named SQL1.
Users report that they can no longer access the application by using their domain credentials.
You need to ensure that users can access App1.
Solution: You configure Kerberos-constrained delegation and then run the following command from an
administrative command prompt:
setspn-a MSSQLsvc/SQLl:1433 <domain>\\<sql_service>
Does this meet the goal?

A.
Yes

B.
No

Explanation:
For a default instance of SQL Server, listening on port 1433, the service principal name (SPN) format is as
follows:
MSSQLSvc/serverxyz.your_domain.com:1433
MSSQLSvc/serverxyz:1433
Kerberos allows the use of delegation where the frontend service (for ex. Web App) can connect to a
remote backend service (for ex. SQL Server) using the identity of the windows user who was
authenticated to the frontend service. The user can authenticate to the frontend service using Kerberos
and then the frontend service can authenticate using Kerberos to a backend service using the identity of
the user.
SQL Server Kerberos and SPN Field Guide
http://blogs.msdn.com/b/sqlupdates/archive/2014/12/05/sql-server-kerberos-and-spn-quickreference.aspx

Show Hint

Leave a Reply 4

Your email address will not be published. Required fields are marked *

Aberdeen Angus

Aberdeen Angus

I’ve never worked with constrained delegation but from a read and a quick test I think the answer is No. Because the question says “you configure Kerberos-constrained delegation and THEN run the following command…” ie setspn.exe.

The SPNs at the IIS and SQL ends must already exist before you set up constrained delegation. At the IIS end you can’t get to the Delegation tab on the computer/user account used by the IIS worker process until its SPN exists. Once you’re in the Delegation tab you can’t select the SQL service unless its SPN already exists.

So I think running setspn is a prerequisite for setting up constrained delegation.

Reply

Rogue

Rogue

Yes and no. First you need to create the certificate that IIS will use for the SPN. You apply that to the IIS site binding, then you allow the delegation in AD for the user/service account that App1 will be using. After you’ve done that you run SETSPN as the last step to create the SPN.

The given answer is correct.

Reply

Aberdeen Angus

Aberdeen Angus

Either the wording of the question is messy and the answer’s Yes, or the wording was intentionally odd and the answer’s No. The question says “You pre-stage the client IMAGES that you plan to deploy”. But prestaging is nothing to do with images, it’s where you create the computer objects in AD before deploying those computers. It provides a way of forcing a particular WDS server to deploy that computer, which sounds needed in this scenario. I’m not sure which I’d go for.

Reply

Wagyu

Wagyu

true.

there is low bandwith and high latency. The image which must be installed, should be available in the local site. We probably need DFS or some other distribution method for this.

My answer would be B – NO.

Reply