Hello
We have developed a custom SmartObject Service and constructed a couple of SmartObjects on top of it.
Within the SmartObject service, C# LINQ to SQL code is used to make a connection to a separate SQL Server database that resides on the same SQL Server instance as the K2 database. The connection string used there looks something like this:
Initial Catalog=SomeDatabase;Data Source=K2HostServer\K2;Integrated Security=SSPI
When we debug and test our code using the SmartObject Service tester on the K2 Host Server, it works as expected. The code executes in the security context of the K2 Service account, the connection to SQL Server is established and the operations run successfully.
When we debug and test the code using the SmartObject Service Tester on another client, the connection to the SQL Server fails. In this scenario, where there is a double hop (SmartObject Service Tester client > K2 Host Server > SQL Server), the following exception is produced:
Debug 28053 Marshalling: OpenWorklist K2:HALLAMSTREET\k2svc
Debug 8037 Sending 127.0.0.1:11 Bytes to 10081
Debug 8045 Disconnected From 127.0.0.1:11
Error 10702 An error occurred in the WorklistService service instance. Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
Debug 10046 SmartObject execution event raised successfully.
And in the SQL Server logs, it is clear that the security context under which the code is attempting to establish the SQL Server connection is not what we would expect:
Message
Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'. Reason: Token-based server access validation failed with an infrastructure error. Check for previous errors.
At the moment I am trying to establish definitively whether this problem is caused by a Kerberos issue, or whether there is something else coming into play.
We have Kerberos Event logging on the destination SQL Server, which reports:
ErrorCode 0xd
ErrorMessage KDC_ERR_BADOPTION
ExtendedError 0xc00000bb KLIN(0)
My research of the above suggests that it is usually associated with failing to specify SPN details for Delegation in Active Directory for the relevant account(s). However, we are not using Constrained Delegation (security is not a big deal in our environment) and we have simply ensured that all of the accounts involved in this scenario can Delegate to ANY service. So that should not be the issue.
I am now looking for some advice as to how to further troubleshoot this issue. I have reviewed our Kerberos configuration over and over again and I am reasonably satisfied that it should be okay, but I am unsure whether I am missing something else and I'm now at something of an impasse.
I think the key to this is to understand why, when the service code attempts to establish the SQL Server connection (which specifies integrated security, i.e. Integrated Security=SSPI), the accepting SQL Server nevertheless receives an ANONYMOUS token, bearing in mind that the code itself must be running in the security context of the K2 service account. I'm assuming this must be a Kerberos issue that is SQL Server specific, and consequently I have investigated the possibility of specifying an SPN in the SQL Server connection string, but have been unable to do so as such an option does not seem to be supported by the standard .NET provider.
Any additional thoughts would be gratefully received.
Thanks,
Robert
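The post above lists the symptoms (ANONYMOUS LOGON at SQL Server, KDC_ERR_BADOPTION in the Kerberos log) but not the checks that separate "delegation is refused" from "the first hop never used Kerberos at all". The script below is an added diagnostic, not code from the post or from K2; it collects, in one run, the facts a double-hop investigation turns on. Every account and host name in it is a placeholder assumption (k2svc, sqlsvc, K2HostServer\K2, the test user) and should be replaced with the real ones; the SPN, delegation and auth_scheme checks themselves are standard Windows and SQL Server facilities.

```powershell
# Added diagnostic for the double hop described in the post:
#   SmartObject Service Tester client -> K2 Host Server (k2svc) -> SQL Server (K2HostServer\K2)
# All names below are assumptions; substitute the real accounts and hosts.
param(
    [string]$K2ServiceAccount  = 'k2svc',           # assumed: account the K2 Host Server service runs as
    [string]$SqlServiceAccount = 'sqlsvc',          # assumed: account the SQL Server instance runs as
    [string]$SqlInstance       = 'K2HostServer\K2', # assumed: Data Source from the post's connection string
    [string]$TestUser          = 'robert'           # assumed: interactive user running the Service Tester
)
Import-Module ActiveDirectory

Write-Host "== 1. SPN registration (missing or duplicate SPNs make the KDC fall back or fail) =="
# The SQL service account must own MSSQLSvc/<fqdn>:<instance> and MSSQLSvc/<fqdn>:<port>;
# the K2 service account must own the K2 SPNs the tester client targets.
setspn -L $SqlServiceAccount
setspn -L $K2ServiceAccount
setspn -X    # forest-wide duplicate SPN report; any hit here breaks Kerberos for that SPN

Write-Host "== 2. Delegation settings on the middle tier (the K2 service account) =="
$k2 = Get-ADUser $K2ServiceAccount -Properties TrustedForDelegation, TrustedToAuthForDelegation,
                                              'msDS-AllowedToDelegateTo', ServicePrincipalName
[pscustomobject]@{
    Account                 = $k2.SamAccountName
    UnconstrainedDelegation = $k2.TrustedForDelegation        # "Trust this user for delegation to any service"
    ProtocolTransition      = $k2.TrustedToAuthForDelegation  # "Use any authentication protocol"
    ConstrainedTargets      = ($k2.'msDS-AllowedToDelegateTo' -join '; ')
    HasSPNs                 = ($k2.ServicePrincipalName.Count -gt 0)  # no SPN => no Kerberos on hop 1
} | Format-List

Write-Host "== 3. The caller: delegation is refused for sensitive accounts and Protected Users =="
$u = Get-ADUser $TestUser -Properties AccountNotDelegated, MemberOf
[pscustomobject]@{
    User            = $u.SamAccountName
    CannotDelegate  = $u.AccountNotDelegated   # "Account is sensitive and cannot be delegated"
    ProtectedUsers  = [bool]($u.MemberOf | Where-Object { $_ -like 'CN=Protected Users,*' })
} | Format-List

Write-Host "== 4. Ask SQL Server which scheme this connection actually used =="
# Run once from the K2 host under $K2ServiceAccount and once from the tester client.
# NTLM on the client -> K2 hop cannot be forwarded; the next hop then lands as ANONYMOUS LOGON.
$cn = New-Object System.Data.SqlClient.SqlConnection `
      "Data Source=$SqlInstance;Initial Catalog=master;Integrated Security=SSPI"
try {
    $cn.Open()
    $cmd = $cn.CreateCommand()
    $cmd.CommandText = @"
SELECT c.auth_scheme, c.net_transport, s.login_name
FROM   sys.dm_exec_connections c
JOIN   sys.dm_exec_sessions    s ON s.session_id = c.session_id
WHERE  c.session_id = @@SPID
"@
    $r = $cmd.ExecuteReader()
    while ($r.Read()) {
        "{0} as {1} over {2}" -f $r['auth_scheme'], $r['login_name'], $r['net_transport']
    }
}
finally { $cn.Close() }

Write-Host "== 5. Tickets held by the current logon session (look for 'forwardable' on the SQL ticket) =="
klist
```

Reading the output: if step 4 reports NTLM rather than KERBEROS on the client-to-K2 hop, the second hop is doomed regardless of the delegation settings, and the cause is usually a missing or duplicate SPN from step 1 or a client that resolved the K2 host by IP or an alias with no SPN. If that hop is Kerberos but step 3 shows the caller is flagged as sensitive or is in Protected Users, the KDC refuses to issue a forwardable ticket, which is consistent with KDC_ERR_BADOPTION. On the question of naming the SPN in the connection string: System.Data.SqlClient has no such keyword, but the SQL Server Native Client and ODBC drivers accept ServerSPN, and Microsoft.Data.SqlClient added ServerSPN as well, should the investigation show that the client is simply building the wrong SPN.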