Resolving FNMP remote console double hop issue
Summary: Resolving FNMP remote console double hop issue
System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.Data.SqlClient.SqlException: Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'.
- Your SQL Server database is on a different server to your FNMP application
- In IIS you have Windows Authentication enabled
- Open a command prompt
- Type "setspn -L FLEXADMIN" and press Enter / Return
- It should list a number of entries for the FNMP server beginning with http/, e.g. http/sesoco1115 sesosco1115
If not, run the commands below in the command prompt:
setspn -s http/flexadmin flexadmin
setspn -s http/flexadmin.your_domain.com flexadmin
setspn -s http/flexadmin:80 flexadmin
setspn -s http/flexadmin.your_domain.com:80 flexadmin
If using Windows 2008 R2, then in IIS > Authentication click on Windows Authentication, click 'Edit' in the right-hand menu, and un-check the option "Enable Kernel-mode authentication".
The steps in this article apply if your ManageSoftWebServiceDirectoryService application pool in IIS is configured with a machine account e.g. NetworkService, LocalSystem etc. If you use a service account instead then the SPNs should be configured to use the service account instead of the FNMP server name (last part of the http/ SPN).
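The SPN check from the steps above can be scripted so that only the missing entries are registered. This is an added example, not vendor code: the function name Get-MissingHttpSpn is hypothetical, the host, domain and account names are the article's placeholders, and the sample setspn output is constructed.

```powershell
# Added example: compare the http/ SPNs an account holds with the four
# forms this article registers, and print the setspn commands still needed.
function Get-MissingHttpSpn {
    param(
        [Parameter(Mandatory)] [string[]] $SetspnOutput,  # lines from: setspn -L <account>
        [Parameter(Mandatory)] [string]   $HostName,      # short name of the FNMP server
        [Parameter(Mandatory)] [string]   $Domain         # DNS domain of the FNMP server
    )
    # Short name and FQDN, each with and without the :80 port suffix.
    $expected = @(
        "http/${HostName}",
        "http/${HostName}.${Domain}",
        "http/${HostName}:80",
        "http/${HostName}.${Domain}:80"
    )
    # setspn -L prints a header line, then one indented SPN per line.
    $registered = @($SetspnOutput |
        Where-Object { $_ -match '^\s+\S+/\S+' } |
        ForEach-Object { $_.Trim() })
    if ($registered.Count -eq 0) {
        # No SPN lines at all: wrong account name, or the lookup itself failed.
        Write-Warning 'No SPNs found in the setspn output; check the account name.'
    }
    # -notcontains compares case-insensitively, so HTTP/host matches http/host.
    $expected | Where-Object { $registered -notcontains $_ }
}

# Constructed sample of "setspn -L FLEXADMIN" output with two http/ SPNs present.
$sample = @(
    'Registered ServicePrincipalNames for CN=FLEXADMIN,CN=Computers,DC=your_domain,DC=com:',
    '        HOST/FLEXADMIN',
    '        HOST/flexadmin.your_domain.com',
    '        HTTP/flexadmin',
    '        http/flexadmin.your_domain.com'
)

# Machine account here; use the service account name if the pool runs as one.
$account = 'flexadmin'

Get-MissingHttpSpn -SetspnOutput $sample -HostName 'flexadmin' -Domain 'your_domain.com' |
    ForEach-Object { "setspn -s $_ $account" }
```

On the server itself, pass `(setspn -L $account)` as `-SetspnOutput` instead of `$sample`, then review the printed commands before running them.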
The MSSQLSvc SPN should be registered to the account that runs the MSSQL service on the database machine. In this article it is again a machine account, which is fine if the service runs as LocalSystem. If a specific user account is used, set the MSSQLSvc SPN to that same user account.
If the above steps fail, go to [HKLM\SOFTWARE\Wow6432Node\ManageSoft Corp\Compliance\CurrentVersion], create a string called "ImpersonateDatabaseConnection" and set it to "False". Then enable ASP Impersonation in IIS on the ManageSoftServices site and set the account to your service account. This stops users from authenticating against the database individually and therefore stops the double hop issue; however, they should still be restricted to whatever their roles assign them.