Hi everyone,
I am experiencing a strange intermittent issue with Kerberos authentication between our SQL server and web application.
Some background:
- One Windows 2012 R2 server running IIS 8.5. This machine is running on VMware ESXi 5.5.
- One Windows 2012 R2 server running SQL Server 2012 Std 11.0.6537. This is a physical machine.
- Windows authentication is used.
- Using Kerberos Constrained Delegation for forwarding user credentials to the SQL back-end.
- SQL Server runs under its own domain service account, as is the AppPool running the web application.
- All SPNs are in place and checked.
- A and PTR records in place for the web application. Let's call the URL mywebapp.domain.com for now, and the server running IIS myiisserver.
- Wildcard certificate is used for https binding.
- So, we have a two-hop Kerberos setup.
Basically, what happens is that when I access the application through http://mywebapp.domain.com, everything works flawlessly and keeps working flawlessly. Authentication works fine, no problems whatsoever.
However, when I change the binding to https and assign the wildcard certificate, the web application works for some time, and then starts to fail: Unable to authenticate. The credentials are not delegated correctly to the SQL server.
The SQL server shows the infamous "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'" error, Error: 18456, Severity: 14, State: 5. In the system log of the IIS server, these entries pop up:
Error Code: 0xd KDC_ERR_BADOPTION
Extended Error: 0xc0000272 KLIN(0)
I haven't been able to determine any pattern as to after how long the failure crops up. It can be between 20 minutes and 2 hours. What I do notice is that delegation starts working again after 15 minutes. And then it is waiting for the next failure.
When I switch back to http, everything is fine.
I have done a lot of searching, Googling and whatever. I have no clue as to what is causing this odd behavior. Some people mention TCP/IP autotuning as a possible cause, but that seems to be on Windows 7 and 2008 R2 only.
Any of you have ideas what might be causing this? Any thoughts or ideas are much appreciated.
Thanks,
Erwin G.
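One thing that helps with an intermittent delegation failure like the one described in this post is to stop reading the SQL Server ERRORLOG by eye and instead turn the 18456/State 5 ANONYMOUS LOGON entries into outage windows, so that the length of each outage and the quiet interval before it can be measured and compared against known timers (ticket lifetimes, DNS TTLs, app-pool recycles). The script below is an added example written for this thread, not code from the original poster or from Microsoft; the ERRORLOG sample is constructed, with the line layout approximated from the real file, and the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample of SQL Server ERRORLOG lines (layout approximated from the
# real file; timestamps, user and client address are made up for this example).
SAMPLE_ERRORLOG = """\
2016-03-01 09:00:05.12 Logon       Login succeeded for user 'DOMAIN\\alice'. Connection made using Kerberos authentication. [CLIENT: 10.0.0.5]
2016-03-01 09:41:10.33 Logon       Error: 18456, Severity: 14, State: 5.
2016-03-01 09:41:10.33 Logon       Login failed for user 'NT AUTHORITY\\ANONYMOUS LOGON'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2016-03-01 09:44:52.01 Logon       Error: 18456, Severity: 14, State: 5.
2016-03-01 09:44:52.01 Logon       Login failed for user 'NT AUTHORITY\\ANONYMOUS LOGON'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2016-03-01 09:57:30.80 Logon       Login succeeded for user 'DOMAIN\\alice'. Connection made using Kerberos authentication. [CLIENT: 10.0.0.5]
2016-03-01 11:20:15.40 Logon       Error: 18456, Severity: 14, State: 5.
2016-03-01 11:20:15.40 Logon       Login failed for user 'NT AUTHORITY\\ANONYMOUS LOGON'. Reason: Could not find a login matching the name provided. [CLIENT: 10.0.0.5]
2016-03-01 11:36:00.00 Logon       Login succeeded for user 'DOMAIN\\alice'. Connection made using Kerberos authentication. [CLIENT: 10.0.0.5]
"""

# ERRORLOG lines start with "YYYY-MM-DD HH:MM:SS.ff" followed by the source column.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+(.*)$")
ANON_FAIL = "Login failed for user 'NT AUTHORITY\\ANONYMOUS LOGON'"
KRB_OK = "Connection made using Kerberos authentication"


def parse_logon_events(text):
    """Return a list of (timestamp, kind) where kind is 'fail' for an
    ANONYMOUS LOGON failure (delegation broken) and 'ok' for a successful
    Kerberos login (delegation working). Other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        msg = m.group(2)
        if ANON_FAIL in msg:
            events.append((ts, "fail"))
        elif "Login succeeded" in msg and KRB_OK in msg:
            events.append((ts, "ok"))
    return events


def outage_windows(events):
    """Group consecutive failures into windows. Each window records when the
    first failure happened, when the next Kerberos success followed, how many
    failures were logged, the outage length in minutes, and the quiet interval
    (minutes from the last success before the outage to its first failure)."""
    windows = []
    current = None
    last_ok = None
    for ts, kind in sorted(events):
        if kind == "fail":
            if current is None:
                quiet = None if last_ok is None else (ts - last_ok).total_seconds() / 60
                current = {"start": ts, "end": None, "failures": 0,
                           "duration_minutes": None, "quiet_minutes": quiet}
            current["failures"] += 1
        else:
            if current is not None:
                current["end"] = ts
                current["duration_minutes"] = (ts - current["start"]).total_seconds() / 60
                windows.append(current)
                current = None
            last_ok = ts
    if current is not None:  # still failing at end of log
        windows.append(current)
    return windows


if __name__ == "__main__":
    for w in outage_windows(parse_logon_events(SAMPLE_ERRORLOG)):
        end = w["end"].strftime("%H:%M:%S") if w["end"] else "ongoing"
        dur = f"{w['duration_minutes']:.1f}" if w["duration_minutes"] is not None else "?"
        quiet = f"{w['quiet_minutes']:.1f}" if w["quiet_minutes"] is not None else "?"
        print(f"{w['start']:%Y-%m-%d %H:%M:%S} -> {end}  failures={w['failures']}"
              f"  outage={dur} min  quiet_before={quiet} min")
```

Feed it the real ERRORLOG (or the output of xp_readerrorlog) covering a few days; if every outage is close to 15 minutes but the quiet intervals vary, that supports the poster's observation and narrows the search to whatever cache or timer on the IIS side expires on a 15-minute cycle, rather than to the SQL side. The 0xd KDC_ERR_BADOPTION events from the IIS system log can be added as a second 'fail' source with the same window logic to confirm both logs agree on the start of each outage.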