Double Hop Authentication Issue

Have you ever been plagued with the “double hop” authentication issue? I recently had a customer who had this issue and it took a group effort to get it sorted. First things first, what is the double hop?

It is a common problem whenever a website running with IIS Integrated (Windows) Authentication must in turn reach another server on the user's behalf. When you open the IIS website and authenticate, you are using your first hop. If the web application then has to connect to another network resource as you, that is the second hop, and by default it fails: with NTLM the web server only ever holds a one-time proof of your identity that it cannot replay to anyone else, and with Kerberos it holds a ticket for its own service, which it may only forward if it has been explicitly trusted for delegation. In our particular situation, the SQL database for Specops Reporting was on a separate server from the IIS server, so launching the website required a "double hop" for the authentication to succeed.

In the Specops Reporting example, access to the reporting data is granted through a local group on the SQL server. But when you open the Reporting website, IIS returns an error saying you are not authorized to access the site. That is the double hop scenario just described: the web server cannot forward your identity, so its connection to SQL Server does not arrive as you (on the SQL side this typically shows up as a failed login for NT AUTHORITY\ANONYMOUS LOGON). The following checklist will help you make sure that everything is set up to let the second authentication pass through:

Make sure the identity under which IIS runs is trusted for delegation: the IIS server's computer account if the application pool runs as Network Service or ApplicationPoolIdentity, otherwise the pool's domain service account. The SQL server itself does not need a delegation setting; it only needs correct SPNs. Choose constrained delegation ("delegation to specified services only", "Use Kerberos only") listing just the SQL SPNs rather than delegation to any service: an unconstrained web server receives every visitor's forwarded TGT and, if compromised, can impersonate those users against any service in the domain.

Make sure SPNs of class MSSQLSvc are registered for your SQL Server instance. (SPN is short for Service Principal Name; it is the name a client presents to the KDC to request a ticket for one specific instance of a service, and the KDC must be able to map it to exactly one account.)

If SQL Server runs as Local System or Network Service, its SPNs live on the SQL computer account. Run setspn -L servername from a command prompt to list them. For a default instance you want the short and the fully qualified host name, each with and without the port:

MSSQLSvc/servername
MSSQLSvc/servername.yourdomain.com
MSSQLSvc/servername:1433
MSSQLSvc/servername.yourdomain.com:1433

If they are missing you can create them by running the commands below. Use setspn -S rather than the older -A switch: -S refuses to register an SPN that already exists on another account, and a duplicate SPN is the most common reason Kerberos silently fails.

setspn -S MSSQLSvc/servername servername
setspn -S MSSQLSvc/servername.yourdomain.com servername
setspn -S MSSQLSvc/servername:1433 servername
setspn -S MSSQLSvc/servername.yourdomain.com:1433 servername

If you run SQL Server under a domain service account, the SPNs must be on that account instead of the computer account. List them with

setspn -L DOMAIN\serviceaccountname

If they are missing, create them with the following commands, which assume a default instance on the default port 1433 (for a named instance the SPN is MSSQLSvc/hostname.domain.com:INSTANCENAME, plus the port form with the instance's actual port):

setspn -S MSSQLSvc/hostname DOMAIN\serviceaccountname
setspn -S MSSQLSvc/hostname.domain.com DOMAIN\serviceaccountname
setspn -S MSSQLSvc/hostname:1433 DOMAIN\serviceaccountname
setspn -S MSSQLSvc/hostname.domain.com:1433 DOMAIN\serviceaccountname

Run setspn -X afterwards to confirm that no SPN is registered on two accounts, then restart the SQL service. Remember that Kerberos tickets are cached: purge the ticket cache on the web server (klist purge for your own session; the application pool's logon session needs klist -li <logon id> purge) or recycle the application pool, otherwise the old NTLM fallback keeps being used after the SPNs are fixed.

Verify that your IIS website is in the Local Intranet zone in the Internet Explorer security settings (locally or through Group Policy). Only for that zone does the browser send the logged-on user's Windows credentials automatically and negotiate Kerberos with the site; anything else prompts for credentials or falls back to NTLM, and an NTLM first hop can never be delegated. The first hop also needs its own SPN: if the application pool runs as a domain account, an HTTP/webhostname SPN must be registered on that account.
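The checklist above as one script, added here as an example; it is not code from the Specops post or product. The names WEB01, SQL01, contoso.com, svc_sql and port 1433 are hypothetical, and the script assumes the RSAT ActiveDirectory module and rights to write SPNs and delegation attributes. It audits who owns the MSSQLSvc SPNs, registers the missing ones with setspn -S, constrains the web server's delegation to the SQL SPNs instead of leaving it unconstrained, and finally checks from the web server that a SQL connection really authenticates with Kerberos.

```powershell
# Added example, not code from the Specops post: audit and repair the Kerberos
# prerequisites for an IIS -> SQL Server double hop, then prove the result.
# Hypothetical names: IIS server WEB01 and SQL server SQL01 in contoso.com,
# SQL Server running as CONTOSO\svc_sql on the default port 1433.
# Steps 1-3 run anywhere with the RSAT ActiveDirectory module and rights to
# write SPNs/delegation settings; step 4 is meant to run on WEB01 itself.
#Requires -Modules ActiveDirectory

$Domain     = 'contoso.com'
$SqlHost    = 'SQL01'
$SqlPort    = 1433
$SqlSvcAcct = 'svc_sql'   # sAMAccountName of the SQL Server service account
$WebHost    = 'WEB01'     # IIS server whose application pool must delegate

$SqlFqdn = "$SqlHost.$Domain"
# SPNs a default instance needs: short and FQDN host name, with and without port.
# A named instance uses MSSQLSvc/host:INSTANCENAME and its own port instead.
$RequiredSpns = @(
    "MSSQLSvc/$SqlHost",
    "MSSQLSvc/$SqlFqdn",
    "MSSQLSvc/${SqlHost}:$SqlPort",
    "MSSQLSvc/${SqlFqdn}:$SqlPort"
)

# --- 1. Who owns the MSSQLSvc SPNs for this host today? ----------------------
# The KDC must map an SPN to exactly one account. If the same SPN sits on both
# the computer account and svc_sql, ticket requests fail and clients quietly
# fall back to NTLM, which cannot be delegated at all.
$Owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=MSSQLSvc/$SqlHost*)" `
                         -Properties servicePrincipalName)
foreach ($o in $Owners) {
    "{0,-9} {1}" -f $o.ObjectClass, $o.DistinguishedName
    $o.servicePrincipalName | Where-Object { $_ -like "MSSQLSvc/$SqlHost*" } |
        ForEach-Object { "          $_" }
}
if ($Owners.Count -gt 1) {
    Write-Warning "MSSQLSvc SPNs for $SqlHost are spread over $($Owners.Count) accounts. Run 'setspn -X' and delete the stray entries with 'setspn -D <spn> <account>' before going further."
}

# --- 2. Register whatever is missing on the service account -----------------
# setspn -S checks the forest for a duplicate before writing; -A does not.
$Svc = Get-ADUser -Identity $SqlSvcAcct -Properties servicePrincipalName
foreach ($spn in $RequiredSpns) {
    if ($Svc.servicePrincipalName -notcontains $spn) {
        "Registering $spn on $SqlSvcAcct"
        & setspn.exe -S $spn $SqlSvcAcct | Out-Null
    }
}

# --- 3. Delegation on the IIS side --------------------------------------------
# Only the identity that forwards the user's ticket needs delegation rights:
# WEB01's computer account when the pool runs as Network Service or
# ApplicationPoolIdentity, the pool's domain account otherwise (then use
# Get-ADUser/Set-ADUser here). SQL01 needs no delegation setting at all.
$Web = Get-ADComputer -Identity $WebHost -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
if ($Web.TrustedForDelegation) {
    # 'Trust this computer for delegation to any service' = unconstrained.
    # A compromised WEB01 could then reuse every visitor's TGT against any service.
    Write-Warning "$WebHost is trusted for UNCONSTRAINED delegation; constrain it to the SQL SPNs instead."
}
$Allowed = @($Web.'msDS-AllowedToDelegateTo')
$Missing = @($RequiredSpns | Where-Object { $Allowed -notcontains $_ })
if ($Missing.Count -gt 0) {
    # Constrained delegation, 'Use Kerberos only': no protocol transition, so
    # the user must have reached IIS with Kerberos in the first place.
    Set-ADComputer -Identity $WebHost -Add @{ 'msDS-AllowedToDelegateTo' = $Missing }
    "Constrained $WebHost to: $($Missing -join ', ')"
}

# --- 4. Flush caches and prove the hop to SQL is Kerberos (run on WEB01) ------
# Tickets are cached per logon session: 0x3e4 = NETWORK SERVICE, 0x3e7 = SYSTEM.
# Purge those (needs elevation) or recycle the app pool; restart SQL as advised.
& klist.exe -li 0x3e4 purge | Out-Null
& klist.exe purge | Out-Null
# A TGS ticket for the SQL SPN means the KDC resolved it to a single account.
& klist.exe get "MSSQLSvc/${SqlFqdn}:$SqlPort"

# sys.dm_exec_connections reports how *this* connection authenticated:
# KERBEROS is what we need; NTLM means the user's identity cannot hop again.
$conn = New-Object System.Data.SqlClient.SqlConnection `
          "Server=$SqlFqdn,$SqlPort;Database=master;Integrated Security=SSPI"
$conn.Open()
$cmd = $conn.CreateCommand()
$cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
$scheme = [string]$cmd.ExecuteScalar()
$conn.Close()
if ($scheme -eq 'KERBEROS') { "SQL connection used $scheme; delegation can work." }
else { Write-Warning "SQL connection used $scheme; the delegated hop will arrive as NT AUTHORITY\ANONYMOUS LOGON." }
```

The last step is the test the checklist itself lacks: auth_scheme in sys.dm_exec_connections states whether a given SQL connection came in as KERBEROS or NTLM, so run that query from the web server after each change (and, once the site works, from the Reporting site's own connection to confirm the delegated hop). If the answer stays NTLM after every box is ticked, the first thing to suspect is a duplicate SPN reported by setspn -X.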

A double hop authentication is always a tricky one to troubleshoot. Here are a few good references that I found in my research that helped me to gain an understanding of the double hop issue and SPNs.

https://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx

https://msdn.microsoft.com/en-us/library/ms191153.aspx

(Last updated on October 30, 2023)
