Login failed for user 'null'. The user is not associated with a trusted SQL Server connection. (NETIQKB71715)

  • 7771715
  • 18-Aug-2009
  • 15-Aug-2011

Environment

NetIQ AppManager 7.0.x
NetIQ AppManager 8.0

Situation

Users are unable to log on to the NetIQ Operator Web Console. The console reports:
Login failed for user 'null'. The user is not associated with a trusted SQL Server connection.
The SQL Server error log on the QDB machine records the matching failure:
SSPI handshake failed with error code 0x8009030c while establishing a connection with integrated security; the connection has been closed.
Login failed for user 'null'. The user is not associated with a trusted SQL Server connection.
The error occurs when the IIS server running the NetIQ Operator Web Console and the SQL Server hosting the AppManager repository (QDB) database reside on different machines.

Resolution

This behaviour is by design in Windows authentication (see Cause below) and is avoided most simply by hosting the NetIQ Web Console on the same server as the Repository (QDB), which removes the second network hop. If installing IIS on the SQL Server is not an option, use the procedure below for your IIS version.

How to set up the NetIQ Web Management Console on a machine other than the QDB database machine under Microsoft IIS 6.

Note: This requires changing Service Principal Names (SPNs) and the delegation settings of both computer and user accounts in Active Directory. "Trust this computer/user for delegation to any service" is unconstrained delegation, which lets the account impersonate any user who authenticates to it against any service in the domain; where the domain functional level allows it, prefer "Trust this user for delegation to specified services only" limited to the MSSQLSvc SPNs of the QDB server. Consult your security team before making any of the changes listed in this document.

To do this:

  1. Find the computer object of the NetIQ Web Management Server (the IIS machine) in Active Directory Users and Computers.
  2. Right-click > Properties > Delegation tab > Trust this computer for delegation to any service (Kerberos only).
  3. Once this is done, restart that computer so it picks up the new setting.
  4. Try to connect to the Web Console. If you authenticate properly, no further steps are needed.

If this does not work, the following steps are needed. For the rest of this procedure assume the two computers are named Webcon01 (NetIQ Web Console computer) and QDB01 (AppManager QDB SQL Server).

On QDB01:

In Services, open the properties of the SQL Server service, click the Log On tab and note the account the service runs under.

In our example this account is Mlab\SuperAM (domain Mlab, user SuperAM). If the service runs under a local account (Local System, Network Service or a local user), change it to run under a domain account. A domain admin account is not required by any step below and should not be used: this account will be trusted for delegation and will also run the IIS worker process, so a dedicated domain service account is the right choice. What is essential is that the same domain account runs both the SQL Server service and the Web Console application pool.

  1. Open Active Directory Users and Computers on the DC (or the MMC snap-in) and find the service account you noted in the previous step, Mlab\SuperAM.
  2. Right-click > Properties > Delegation tab > Trust this user for delegation to any service (Kerberos only).

http://technet.microsoft.com/en-us/library/cc757194.aspx

If the Delegation tab does not appear, the account has no SPN registered yet (the tab is only shown for accounts that own at least one SPN). Follow this Microsoft article to register one so that the tab appears:

http://technet.microsoft.com/en-us/library/cc739474.aspx


On Webcon01:

Once this user has been trusted for delegation, go to Webcon01 (the IIS computer).

  1. Right-click My Computer > Manage > Local Users and Groups > Groups > right-click IIS_WPG > Add to Group.
  2. Add Mlab\SuperAM (the domain account SQL Server runs under); IIS 6 will not start a worker process under an account that is not a member of this group.
  3. In the IIS Manager snap-in on Webcon01, expand Web Sites > Default Web Site, right-click the NetIQ virtual directory and choose Properties.
  4. On the Virtual Directory tab, note the application pool the application runs in. In most cases this is DefaultAppPool, which is used in this example.
  5. Open Directory Security > Authentication and access control > Edit.
  6. Verify that Integrated Windows authentication is the only option checked (in particular, clear Enable anonymous access).
  7. Click OK.
  8. Click OK again.
  9. Expand Application Pools, right-click DefaultAppPool > Properties > Identity tab.
  10. Select Configurable and enter the user name and password of the account the SQL Server service runs under, Mlab\SuperAM in our example.
  11. Stop and start DefaultAppPool.

Next, use the setspn tool on the domain controller.

The account Mlab\SuperAM (the QDB SQL Server service account, and now also the Web Console application pool identity) should have the following SPNs associated with it:

  • MSSQLSvc/QDB01.mlab.local:1433
  • MSSQLSvc/QDB01:1433
  • HTTP/webcon01
  • HTTP/webcon01.mlab.local

Register both the NetBIOS name and the FQDN form of each SPN. The MSSQLSvc SPNs assume a default instance listening on TCP port 1433; adjust the port if your instance listens elsewhere.

In this example SPNs are added for both the SQL Server and the Web Console server; webcon01.mlab.local is the FQDN of the Web Console computer in the mlab.local domain.

Run setspn on the domain controller in the following form:

 setspn -A MSSQLSvc/QDB01.mlab.local:1433 mlab\SuperAM

Where

  • MSSQLSvc/QDB01.mlab.local:1433 is the SPN to be added.
  • Mlab\SuperAM is the account to add this SPN to.

Repeat this for each SPN listed above to bind it to the mlab\SuperAM account. When finished, list the account's SPNs to verify that they were added:

setspn -L mlab\SuperAM

How to set up the NetIQ Web Console on a machine other than the QDB database machine under Microsoft IIS 7.

Note: This requires changing Service Principal Names (SPNs) and the delegation settings of both computer and user accounts in Active Directory. "Trust this computer/user for delegation to any service" is unconstrained delegation, which lets the account impersonate any user who authenticates to it against any service in the domain; where the domain functional level allows it, prefer "Trust this user for delegation to specified services only" limited to the MSSQLSvc SPNs of the QDB server. Consult your security team before making any of the changes listed in this document.

To do this:

  1. Find the computer object of the NetIQ Web Management Server (the IIS machine) in Active Directory Users and Computers.
  2. Right-click > Properties > Delegation tab > Trust this computer for delegation to any service (Kerberos only).
  3. Once this is done, restart that computer so it picks up the new setting.
  4. Try to connect to the Web Console. If you authenticate properly, no further steps are needed.

If this does not work, the following steps are needed. For the rest of this procedure assume the two computers are named Webcon01 (NetIQ Web Console computer) and QDB01 (AppManager QDB SQL Server).

On QDB01:

In Services, open the properties of the SQL Server service, click the Log On tab and note the account the service runs under.

In our example this account is Mlab\SuperAM (domain Mlab, user SuperAM). If the service runs under a local account (Local System, Network Service or a local user), change it to run under a domain account. A domain admin account is not required by any step below and should not be used: this account will be trusted for delegation and will also run the IIS worker process, so a dedicated domain service account is the right choice. What is essential is that the same domain account runs both the SQL Server service and the Web Console application pool.

  1. Open Active Directory Users and Computers on the DC (or the MMC snap-in) and find the service account you noted in the previous step, Mlab\SuperAM.
  2. Right-click > Properties > Delegation tab > Trust this user for delegation to any service (Kerberos only).

http://technet.microsoft.com/en-us/library/cc757194.aspx

If the Delegation tab does not appear, the account has no SPN registered yet (the tab is only shown for accounts that own at least one SPN). Follow this Microsoft article to register one so that the tab appears:

http://technet.microsoft.com/en-us/library/cc739474.aspx

 

On Webcon01:

Configure IIS 7 to use kernel-mode authentication for the NetIQ application. Note that kernel-mode authentication decrypts Kerberos tickets with the computer account of Webcon01 by default. If the NetIQ application pool runs under Mlab\SuperAM and the HTTP SPNs below are registered to that account, also set useAppPoolCredentials="true" on the windowsAuthentication element for the site (in applicationHost.config) so that the pool identity is used instead; otherwise the tickets cannot be decrypted and authentication falls back to NTLM or fails. To configure it:

  1. Open Internet Information Services (IIS) Manager.
  2. Expand Webcon01.
  3. Expand Sites.
  4. Expand Default Web Site.
  5. Click the NetIQ application.
  6. Click Authentication.
  7. Select Windows Authentication and click Advanced Settings (if Windows Authentication is not listed, install the Windows Authentication role service through Server Manager on Windows Server 2008).
  8. Check Enable Kernel-mode authentication and click OK.
  9. Disable Anonymous Authentication.
  10. Restart IIS (iisreset).
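The same IIS 7 settings applied from the command line with appcmd, including the useAppPoolCredentials attribute for the case where the NetIQ application pool runs as Mlab\SuperAM. This is an added example, not part of the original article or of NetIQ's own tooling; the application path "Default Web Site/NetIQ" and the pool identity are assumptions taken from the steps above.

```powershell
# Added example: configure Windows (Kerberos) authentication for the NetIQ
# application on Webcon01 with appcmd. Run in an elevated PowerShell prompt.
# Assumptions: the NetIQ application lives under "Default Web Site/NetIQ"
# (as in the steps above) and its application pool runs as Mlab\SuperAM.
$appcmd  = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$app     = 'Default Web Site/NetIQ'
$winAuth = 'system.webServer/security/authentication/windowsAuthentication'
$anon    = 'system.webServer/security/authentication/anonymousAuthentication'

# Enable Windows Authentication with kernel-mode authentication.
# useAppPoolCredentials:true makes kernel mode decrypt tickets with the
# pool identity (Mlab\SuperAM, which holds the HTTP/webcon01 SPNs) instead
# of the Webcon01 computer account. Leave it false only if the HTTP SPNs
# stay on the computer account.
& $appcmd set config $app "-section:$winAuth" /enabled:true /useKernelMode:true /useAppPoolCredentials:true /commit:apphost

# Disable anonymous access so every request must be authenticated.
& $appcmd set config $app "-section:$anon" /enabled:false /commit:apphost

# Show the resulting configuration. Negotiate must be listed before NTLM
# under <providers>, or browsers will answer the first challenge with NTLM
# and never attempt Kerberos.
& $appcmd list config $app "-section:$winAuth"

# Apply by restarting IIS.
iisreset
```

If the list output shows NTLM ahead of Negotiate, reorder the providers in IIS Manager (Windows Authentication > Providers) before testing again.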

Next, use the setspn tool on the domain controller.

The account Mlab\SuperAM (the QDB SQL Server service account, and now also the Web Console application pool identity) should have the following SPNs associated with it:

  • MSSQLSvc/QDB01.mlab.local:1433
  • MSSQLSvc/QDB01:1433
  • HTTP/webcon01
  • HTTP/webcon01.mlab.local

Register both the NetBIOS name and the FQDN form of each SPN. The MSSQLSvc SPNs assume a default instance listening on TCP port 1433; adjust the port if your instance listens elsewhere.

In this example SPNs are added for both the SQL Server and the Web Console server; webcon01.mlab.local is the FQDN of the Web Console computer in the mlab.local domain.

Run setspn on the domain controller in the following form:

 setspn -A MSSQLSvc/QDB01.mlab.local:1433 mlab\SuperAM

Where

  • MSSQLSvc/QDB01.mlab.local:1433 is the SPN to be added.
  • Mlab\SuperAM is the account to add this SPN to.

Repeat this for each SPN listed above to bind it to the mlab\SuperAM account. When finished, list the account's SPNs to verify that they were added:

setspn -L mlab\SuperAM

For additional setspn options refer to the following Microsoft document: http://technet.microsoft.com/en-us/library/cc773257.aspx
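The SPN registration and verification described in both the IIS 6 and the IIS 7 procedures above, as one added PowerShell example that is not part of the original article. It assumes the example names (Mlab\SuperAM, QDB01, webcon01, domain mlab.local), that it runs on a domain controller or RSAT host with the Windows Server 2008 version of setspn.exe (needed for -S and -X) and with the ActiveDirectory PowerShell module (Windows Server 2008 R2 / RSAT); neither of those is required by the manual steps.

```powershell
# Added example: register and verify the SPNs from the lists above, then show
# the delegation settings of the account. Run on a domain controller (or an
# RSAT host) as a user allowed to write servicePrincipalName on the account.
# Assumptions: example names from the article; setspn.exe from Windows
# Server 2008 or later (-S and -X); ActiveDirectory module for Get-/Set-ADUser.
$domain  = 'mlab'
$account = 'SuperAM'      # runs the SQL Server service and the IIS application pool
$sqlSpns = @('MSSQLSvc/QDB01.mlab.local:1433', 'MSSQLSvc/QDB01:1433')
$webSpns = @('HTTP/webcon01', 'HTTP/webcon01.mlab.local')

foreach ($spn in $sqlSpns + $webSpns) {
    # -S checks the forest for an existing holder before adding; the older
    # -A adds blindly, and a duplicate SPN silently breaks Kerberos.
    setspn -S $spn "$domain\$account"
}

# What is now bound to the account, and a forest-wide duplicate scan.
setspn -L "$domain\$account"
setspn -X

# Delegation state set by the GUI steps above. TrustedForDelegation=True is
# unconstrained delegation; msDS-AllowedToDelegateTo lists constrained targets.
Import-Module ActiveDirectory
Get-ADUser $account -Properties TrustedForDelegation, servicePrincipalName, 'msDS-AllowedToDelegateTo' |
    Format-List Name, TrustedForDelegation, servicePrincipalName, 'msDS-AllowedToDelegateTo'

# Lower-risk alternative to "delegation to any service": constrain the
# account to the QDB01 SQL SPNs only (Kerberos-only, no protocol transition).
# Uncomment to apply.
# Set-ADUser $account -TrustedForDelegation $false
# Set-ADUser $account -Add @{ 'msDS-AllowedToDelegateTo' = $sqlSpns }
```

If setspn -X reports a duplicate, remove the stale entry with setspn -D <spn> <account> before retrying: the KDC cannot issue a ticket for an SPN that two principals claim, and clients then fall back to NTLM, which is exactly the condition that produces the 'null' login.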

Once this has been completed, restart the IIS machine again. Then try to log on to the Web Console on Webcon01 from a remote machine (testing from the Webcon01 console itself can mask the double-hop problem) and verify that you can log on successfully.
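A check for the SQL hop that the article does not include, added here as an example (not part of the original page): run it on Webcon01 as the application pool account (for instance from a prompt started with runas /user:mlab\SuperAM powershell) and confirm that SQL Server reports KERBEROS for the connection. NTLM here means the MSSQLSvc SPN was not found, or resolved to the wrong account, and the double hop will fail regardless of the delegation settings. The server name, port and database are assumptions.

```powershell
# Added example: does a Windows-authenticated connection from Webcon01 to the
# QDB server use Kerberos? Run as Mlab\SuperAM (runas /user:mlab\SuperAM
# powershell). Assumes a default instance on QDB01.mlab.local, port 1433,
# and that the caller may connect to the master database.
$server = 'QDB01.mlab.local'   # must match the name form used in the MSSQLSvc SPN

$conn = New-Object System.Data.SqlClient.SqlConnection
$conn.ConnectionString = "Server=$server;Database=master;Integrated Security=SSPI"
$conn.Open()

$cmd = $conn.CreateCommand()
# sys.dm_exec_connections exposes the scheme SQL Server negotiated for this
# very session: KERBEROS, NTLM or SQL. A caller without VIEW SERVER STATE
# still sees its own session.
$cmd.CommandText = @'
SELECT c.auth_scheme, s.login_name, s.host_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID
'@

$reader = $cmd.ExecuteReader()
while ($reader.Read()) {
    '{0} connected from {1} using {2}' -f $reader['login_name'], $reader['host_name'], $reader['auth_scheme']
}
$reader.Close()
$conn.Close()

# Request the service ticket the SQL client needs (klist on Windows 7 /
# Server 2008 R2 or later). A failure here points at a missing, duplicate
# or wrongly assigned MSSQLSvc SPN rather than at the delegation settings.
klist get "MSSQLSvc/${server}:1433"
```

Run the same check a second time after the Web Console has been used, this time querying all sessions as a sysadmin without the WHERE clause, to confirm that the worker process's own connections to the QDB also show KERBEROS and the end user's login_name rather than the pool account.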

If the steps above still do not work, Microsoft provides DelegConfig, a tool that reports missing, conflicting or duplicate SPNs and delegation settings that could prevent this configuration from working. It can be found at http://blogs.iis.net/bretb/archive/2008/03/27/How-to-Use-DelegConfig.aspx
For IIS 7 the tool can be found at: http://www.iis.net/community/default.aspx?tabid=34&g=6&i=1887

Cause

The error is the result of a Kerberos authentication failure between the IIS server and the SQL Server, commonly called the double-hop problem. On the first hop the browser authenticates to IIS; on the second hop the IIS worker process must present the user's credentials to SQL Server, which is only possible if it received a forwardable Kerberos ticket (correct SPNs, Negotiate rather than NTLM) and its account is trusted for delegation. Without that, the worker process has no credentials it can forward, SQL Server sees an anonymous (NULL) logon, and rejects it with 'Login failed for user 'null''.

Additional Information

Formerly known as NETIQKB71715

For additional information see the following link:

http://blogs.technet.com/taraj/archive/2009/01/29/checklist-for-double-hop-issues-iis-and-sql-server.aspx