HTTP Endpoint Can't Authenticate

I have set up SQL 2005 Apr CTP on a Windows 2003 SP1 system and created an endpoint. I can access it just fine, logged in as any user with connect privileges granted to them, but only on the computer that is running SQL 2005. If I try to access the endpoint from any other computer system in the same domain (I have tried several), it just keeps prompting me for login credentials over and over again. The endpoints are enabled and started.

Any ideas on what I need to do so I can access the web service from a remote computer?

Thank you in advance.




  • Carl Brochu MSFT

    I am using AUTHENTICATION = (INTEGRATED). It works perfectly on the same system, just not when accessed from another system even though they are both in the same domain and I am logged into both systems as the same user.

    I have built the test systems from scratch twice now to make sure it wasn't some underlying system configuration but no luck so far.

    Thank you for your help.



  • Scythen

    Changing from 'INTEGRATED' to 'NTLM' also helped me solve the problem of consuming the web service from the remote computer (under the same domain) without using setspn.

    Thank you so much Srik

    POP


  • tsennyuen

    What is the service account for the SQLServer? When using INTEGRATED auth locally, it is most likely using NTLM. When you connect from a remote machine, it would try Kerberos. However, if the service account is not local system, this won't work. SQL BOL has a section which talks about this in detail.

    One way to work around it is as follows. Use the following in your client application to force NTLM.

        m1.sql_endpoint proxy = new m1.sql_endpoint();
        // Offer only NTLM for the endpoint URL so the client does not negotiate Kerberos.
        System.Net.CredentialCache myCreds = new System.Net.CredentialCache();
        myCreds.Add(new Uri(proxy.Url), "NTLM",
            System.Net.CredentialCache.DefaultCredentials.GetCredential(new Uri(proxy.Url), "NTLM"));
        // Attach the NTLM-only credential cache to the web service proxy.
        proxy.Credentials = myCreds;









  • MINATCHY

    Upon investigating this further, the problem is most likely due to the following.
    Integrated auth fails when trying to connect remotely because the SPN is registered to local system and sqlserver is running under a different account. To work around this issue you can do one of the following:

    - register a SPN for the sqlserver service account as shown below
    - enable only NTLM as an auth option on the endpoint as opposed to INTEGRATED

    To register the SPN one would do the following, (from BOL)

    If an instance of SQL Server is running as a domain user (MyDomain\MySQLAccount) on a computer that is named MySQLHost, the following commands can be used to set the appropriate SPNs:

        setspn -A http/MySQLHost MyDomain\MySQLAccount
        setspn -A http/MySqlHost.Mydomain.Mycorp.com MyDomain\MySQLAccount

    Note that one account can have multiple SPNs (one for each service or host name), but an SPN can be registered under only one account. Having the same SPN registered on multiple accounts causes Kerberos authentication to fail.

    For example, the account MyDomain\MySQLAccount can have the following different SPNs registered on it. The first two commands are for two different services (http and rpc). The last one is for a different host name, assuming the computer has multiple host names.


        setspn -A http/MySQLHost MyDomain\MySQLAccount
        setspn -A rpc/MySQLHost MyDomain\MySQLAccount
        setspn -A http/MySecondHost MyDomain\MySQLAccount
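
An added example, not part of the thread or of BOL: a Python script that checks the rule quoted above (an SPN may be registered under only one account) against saved `setspn -L` output, and confirms the expected http SPNs sit on the service account. The sample listing, the distinguished names and the function names are constructed for illustration, and the parser assumes the usual `setspn -L` text layout.

```python
import re
from collections import defaultdict

# Constructed sample: `setspn -L` output for the service account and the
# computer account, concatenated into one text (not real directory data).
SAMPLE = """\
Registered ServicePrincipalNames for CN=MySQLAccount,CN=Users,DC=MyDomain,DC=MyCorp,DC=com:
        http/MySQLHost
        http/MySqlHost.Mydomain.Mycorp.com
        rpc/MySQLHost
Registered ServicePrincipalNames for CN=MYSQLHOST,CN=Computers,DC=MyDomain,DC=MyCorp,DC=com:
        HOST/MySQLHost
        HTTP/mysqlhost
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (.+):\s*$")

def parse_spn_listing(text):
    """Return {account DN: [SPN, ...]} from concatenated `setspn -L` output."""
    accounts, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            accounts.setdefault(current, [])
        elif line.strip() and current is not None:
            accounts[current].append(line.strip())
    return accounts

def find_duplicate_spns(accounts):
    """Return {lower-cased SPN: sorted account DNs} for SPNs held by 2+ accounts."""
    owners = defaultdict(set)
    for account, spns in accounts.items():
        for spn in spns:
            owners[spn.lower()].add(account)  # SPN comparison is case-insensitive
    return {spn: sorted(a) for spn, a in owners.items() if len(a) > 1}

def missing_spns(accounts, account, expected):
    """Return the expected SPNs that are not registered on the given account."""
    have = {s.lower() for s in accounts.get(account, [])}
    return [s for s in expected if s.lower() not in have]

if __name__ == "__main__":
    accts = parse_spn_listing(SAMPLE)
    for spn, holders in find_duplicate_spns(accts).items():
        print("DUPLICATE", spn, "->", "; ".join(holders))
```

In the constructed listing, `http/MySQLHost` is held by both the service account and the computer account, which is the duplicate condition the BOL note says makes Kerberos authentication fail.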



  • Mehmet Atlihan

    What authentication options have you enabled on the endpoint?

    The authentication occurs at the HTTP layer using the HTTP challenge/response mechanism.


    Thanks
    Srik
