I am working on a new “enterprise deployment” of Commerce Server 2007. I am having a problem having my web servers on the web tier authenticate with the SQL servers on the data tier. I have walked through numerous Kerberos authentication troubleshooting documents and sites. I have created a lot of SPNs for host/http/MSSQLSvc using the sql service account and the ‘runtimeuser’. I have enabled unconstrained delegation for service accounts and computers. I have turned my firewall into a router – there is no firewalling at all; I can ping, dtcping, telnet the webserver/domain controllers/sql servers. I have the website running on the data tier, but I cannot seem to get it running on the web tier at all. I was hoping someone out there may have used the enterprise deployment template prescribed by the Commerce Server document:
http://msdn2.microsoft.com/en-us/library/ms964594.aspx

If not, perhaps someone has an environment that accepts anonymous users and uses a domain service account (yes, I tried `<identity impersonate="true">` as well) to connect to a Microsoft SQL server on another domain connected using a domain trust. Both domains are at Windows 2003 functional level. I have enabled audit logging (verified with rsop) and do not even see failure events on either the web server or the sql server. I do see 500 errors in the IIS log (no user is listed in the log). I have used the kerbtray tool to purge and list tickets. I never see any tickets with forwarding or OK as delegate flags set. All servers involved are at the correct time, in the same time zone, synchronizing with the same time server.

I would appreciate any help regarding this. Thanks!
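A check that goes with the SPN and delegation troubleshooting described above, added here as an example and not part of the original post or of Commerce Server: it reads each account's SPNs and delegation flags straight from Active Directory via ADSI and flags duplicate SPNs in the forest, which make the KDC refuse the ticket and leave the web tier silently falling back to NTLM (no delegated ticket, no Kerberos failure event). The account names and domain are placeholders; the trusted second domain is not covered by a global catalog search of the first forest.

```powershell
# Added example: audit Kerberos SPN/delegation settings for the accounts the
# web tier -> SQL tier double hop depends on. Uses [adsisearcher], so it needs
# no ActiveDirectory module. Account names are assumed placeholders.
$accounts = @('sqlsvc', 'runtimeuser', 'WEB01$')   # service accounts + web server computer account

# Search root = the forest global catalog, so duplicate SPNs in any domain of this forest show up.
$forestRoot = ([adsi]'LDAP://RootDSE').rootDomainNamingContext
$gc = [adsi]"GC://$forestRoot"

foreach ($name in $accounts) {
    $searcher = [adsisearcher]"(sAMAccountName=$name)"
    $searcher.PropertiesToLoad.AddRange(@('servicePrincipalName', 'userAccountControl',
                                          'msDS-AllowedToDelegateTo', 'distinguishedName'))
    $result = $searcher.FindOne()
    if (-not $result) { Write-Warning "$name not found in this domain"; continue }

    # userAccountControl bits: 0x80000 TRUSTED_FOR_DELEGATION (unconstrained),
    # 0x1000000 TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition).
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    $unconstrained = ($uac -band 0x80000) -ne 0
    $protocolTransition = ($uac -band 0x1000000) -ne 0
    $constrainedTargets = @($result.Properties['msds-allowedtodelegateto'])
    $spns = @($result.Properties['serviceprincipalname'])

    "{0}: unconstrained={1} protocolTransition={2} constrainedTargets={3} SPNs={4}" -f `
        $name, $unconstrained, $protocolTransition, $constrainedTargets.Count, $spns.Count
    $spns | ForEach-Object { "    SPN $_" }
    if ($unconstrained) {
        # Unconstrained delegation lets this account impersonate users to any service;
        # constraining it to the MSSQLSvc SPN of the data tier limits the exposure.
        Write-Warning "$name is trusted for unconstrained delegation"
    }

    # A duplicate SPN is the classic cause of 'everything looks right but no delegated ticket'.
    foreach ($spn in $spns) {
        $dup = [adsisearcher]"(servicePrincipalName=$spn)"
        $dup.SearchRoot = $gc
        $owners = @($dup.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })
        if ($owners.Count -gt 1) {
            Write-Warning "Duplicate SPN $spn owned by: $($owners -join '; ')"
        }
    }
}
```

Run it as a domain user on a machine joined to the web tier's domain; `setspn -X` gives the same duplicate check on Windows Server 2008 and later.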