Tech Tips, News and Tribal Knowledge


A Short Explanation of the Double-Hop Issue in SharePoint

The double-hop issue in SharePoint occurs when IIS attempts to pass the user’s NTLM credentials to a service running on a server that is either not part of the requesting server’s farm or not running directly on the web server. A good example is a web part that requests data from a SQL Server that is not part of the MOSS farm, where that SQL Server requires the credentials of the user making the request. This type of authentication request is disallowed in .NET: because NTLM authenticates only the client and not the server, the end user would have no way to know whether their credentials had been passed to a legitimate service. If Microsoft Windows authentication allowed this, a web server could collect user credentials and pass them around at will, which would be a very poor security model. Fortunately, Kerberos authentication provides a workaround, but it requires a little more configuration effort.

Kerberos, while somewhat tricky to configure, solves the double-hop issue because it allows impersonation and delegation. In addition, it authenticates both the client and the server, which ensures that requests are directed only to the servers and services the end user trusts. However, delegation is not active by default: you must allow the service accounts running on the web server to impersonate users by enabling the trust-for-delegation settings for both the service account and the server in “Active Directory Users and Computers.” A full tutorial on implementing Kerberos in a SharePoint environment will follow in an upcoming post.
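Before flipping the delegation settings described above, it is worth seeing which accounts are already trusted for delegation and how. The script below is an added example, not code from the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and uses placeholder names for the SharePoint application pool account and the back-end SQL SPN.

```powershell
# Added example: audit Active Directory delegation settings relevant to the double hop.
# Account and SPN names are placeholders; replace them with your own.
Import-Module ActiveDirectory

$WebAppPoolAccount = 'svc-spapppool'                     # placeholder: SharePoint app pool identity
$BackendSpn        = 'MSSQLSvc/sql01.contoso.local:1433' # placeholder: SPN of the back-end SQL service

# Unconstrained delegation = userAccountControl bit TRUSTED_FOR_DELEGATION (0x80000 = 524288);
# constrained delegation = a populated msDS-AllowedToDelegateTo attribute.
$ldap  = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))'
$props = 'TrustedForDelegation','TrustedToAuthForDelegation','msDS-AllowedToDelegateTo','ServicePrincipalNames'

function Get-DelegationState {
    param($Account)
    if ($Account.TrustedForDelegation) { return 'Unconstrained' }
    if ($Account.'msDS-AllowedToDelegateTo') {
        if ($Account.TrustedToAuthForDelegation) { return 'Constrained (protocol transition)' }
        return 'Constrained (Kerberos only)'
    }
    return 'None'
}

# 1. List every user and computer account allowed to delegate. Unconstrained delegation lets the
#    server reuse the user's ticket against any service, so that is the setting to review.
$delegating = @(Get-ADUser -LDAPFilter $ldap -Properties $props) +
              @(Get-ADComputer -LDAPFilter $ldap -Properties $props)
foreach ($acct in $delegating) {
    $state = Get-DelegationState $acct
    $flag  = if ($state -eq 'Unconstrained') { 'REVIEW' } else { 'ok' }
    '{0,-7} {1,-30} {2}' -f $flag, $acct.SamAccountName, $state
    foreach ($target in $acct.'msDS-AllowedToDelegateTo') { "        -> $target" }
}

# 2. The app pool account needs an SPN of its own (otherwise browsers fall back to NTLM and the
#    double hop returns) and should be constrained to only the back-end service it must reach.
$svc = Get-ADUser -Identity $WebAppPoolAccount -Properties $props
if (-not $svc.ServicePrincipalNames) {
    Write-Warning "$WebAppPoolAccount has no SPN registered; clients cannot obtain a Kerberos ticket for it."
}
if ($svc.'msDS-AllowedToDelegateTo' -notcontains $BackendSpn) {
    Write-Warning "$WebAppPoolAccount is not constrained to $BackendSpn; set this on the account's Delegation tab."
}
```

Run it from a domain-joined machine as an account that can read the directory; accounts reported as Unconstrained deserve a look even if they are not part of the SharePoint farm.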


1 Comment so far

  1. [...] as the source farm, this type of credential passing between IIS servers will introduce the “double-hop” issue if the default Windows authentication method is set to NTLM. When a user accesses an IIS [...]
