PrepAway - Latest Free Exam Questions & Answers

Does this meet the goal?

A company has a line-of-business application named App1 that runs on an internal IIS server. App1 uses
a SQL Server 2008 database that is hosted on the same server. You move the database to a dedicated
SQL Server named SQL1.
Users report that they can no longer access the application by using their domain credentials.
You need to ensure that users can access App1.
Solution: You configure Kerberos-constrained delegation and then run the following command from an
administrative command prompt:
setspn -a MSSQLsvc/SQL1:1433 <domain>\<sql_service>
Does this meet the goal?

A. Yes
B. No

Explanation:
For a default instance of SQL Server, listening on port 1433, the service principal name (SPN) format is as
follows:
MSSQLSvc/serverxyz.your_domain.com:1433
MSSQLSvc/serverxyz:1433
Kerberos allows the use of delegation, where the front-end service (for example, a web app) can connect to a
remote back-end service (for example, SQL Server) using the identity of the Windows user who was
authenticated to the front-end service. The user can authenticate to the front-end service using Kerberos,
and the front-end service can then authenticate using Kerberos to a back-end service using the identity of
the user.
SQL Server Kerberos and SPN Field Guide
http://blogs.msdn.com/b/sqlupdates/archive/2014/12/05/sql-server-kerberos-and-spn-quickreference.aspx
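
A read-only check of the state the explanation describes, as an added example that is not part of the original page: it confirms that both MSSQLSvc SPN forms are registered on exactly one account and that the front-end identity is limited to delegating to them. The FQDN and both account names are assumed placeholders, and the ActiveDirectory PowerShell module is required.

```powershell
# Added example: read-only checks. Names below are hypothetical placeholders.
Import-Module ActiveDirectory

$SqlHost      = 'SQL1'               # server name from the question
$SqlFqdn      = 'SQL1.contoso.com'   # assumed FQDN
$SqlSvcAcct   = 'svc-sql'            # assumed SQL Server service account
$FrontEndAcct = 'svc-app1'           # assumed App1 application pool identity

# Both SPN forms for a default instance listening on port 1433.
# ${...} stops PowerShell from parsing "$SqlHost:1433" as a scoped variable.
$expected = @("MSSQLSvc/${SqlHost}:1433", "MSSQLSvc/${SqlFqdn}:1433")

# 1. Each SPN must be registered on exactly one account in the domain.
#    No owner: not registered. Several owners: duplicate, Kerberos fails.
$spnReport = foreach ($spn in $expected) {
    $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName)
    [pscustomobject]@{
        SPN     = $spn
        Owners  = $owners.sAMAccountName -join ', '
        OwnerOk = ($owners.Count -eq 1 -and $owners[0].sAMAccountName -eq $SqlSvcAcct)
    }
}

# 2. The front-end account should list the SQL SPNs under constrained
#    delegation and should not be trusted for unconstrained delegation.
$props = 'msDS-AllowedToDelegateTo', 'servicePrincipalName',
         'TrustedForDelegation', 'TrustedToAuthForDelegation'
$fe      = Get-ADUser -Identity $FrontEndAcct -Properties $props
$allowed = @($fe.'msDS-AllowedToDelegateTo')   # -notcontains is case-insensitive

$feReport = [pscustomobject]@{
    Account            = $fe.SamAccountName
    HasOwnSpn          = [bool]$fe.servicePrincipalName.Count
    Unconstrained      = $fe.TrustedForDelegation        # should be False
    ProtocolTransition = $fe.TrustedToAuthForDelegation
    NotDelegatedTo     = ($expected | Where-Object { $allowed -notcontains $_ }) -join ', '
}

$spnReport | Format-Table -AutoSize
$feReport  | Format-List
```

An empty Owners column means the SPN is not registered yet; `setspn -S` registers it after checking for duplicates, and `setspn -Q` queries an existing one.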

2 Comments on “Does this meet the goal?”

  1. Aberdeen Angus says:

    I’ve never worked with constrained delegation but from a read and a quick test I think the answer is No. Because the question says “you configure Kerberos-constrained delegation and THEN run the following command…” ie setspn.exe.

    The SPNs at the IIS and SQL ends must already exist before you set up constrained delegation. At the IIS end you can’t get to the Delegation tab on the computer/user account used by the IIS worker process until its SPN exists. Once you’re in the Delegation tab you can’t select the SQL service unless its SPN already exists.

    So I think running setspn is a prerequisite for setting up constrained delegation.

    1. Rogue says:

      Yes and no. First you need to create the certificate that IIS will use for the SPN. You apply that to the IIS site binding, then you allow the delegation in AD for the user/service account that App1 will be using. After you’ve done that you run SETSPN as the last step to create the SPN.

      The given answer is correct.