Social Squared Double Hop Issue

I’m writing this post in response to the many support questions we have received lately about Windows Authentication and Social Squared.

Social Squared uses a Microsoft SQL Server database as the repository for Social Squared user profile information, configuration settings, posts and replies. The Social Squared web part communicates with the SQL Server database in order to display the posts within the SharePoint user interface. The reason for this architecture is to provide the performance and scalability required of an enterprise forum solution in large corporations.

A common question that we receive concerns authentication, the connection string, and failures to authenticate. Note: this usually occurs in a production environment and not in a development or test environment.

The usual culprit behind these questions is the double-hop issue. As with any technology that uses the NTLM protocol for Windows authentication, if the SQL Server database resides on a separate physical machine from the SharePoint (IIS) server, pass-through authentication will fail, since Windows authentication only works over a single hop. That single hop is from the user's machine (browser) to the SharePoint server. The token cannot be passed across a second hop.

Note: The reason it usually fails in production is that in many development environments SQL Server is on the same physical machine as SharePoint, and therefore the double-hop issue does not occur.

The Kerberos protocol does not suffer from the same double-hop issue as NTLM, since there will be a trust in place between the SharePoint and SQL Server machines.

Whether you are using Classic or Claims-based authentication, the same double-hop issue will occur if you are using NTLM as the protocol.

Note: This is not an issue specific to Social Squared but one associated with Windows authentication and the NTLM protocol.

Lightning Tools therefore recommends that you use SQL authentication instead of Windows authentication if your SQL Server is remote to SharePoint and you are using NTLM instead of Kerberos.
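
The rule above can be applied to a connection string as a quick triage check. This is an added example, not Lightning Tools code; the function names, result labels, host names and sample connection strings are assumptions made for illustration.

```python
import re

# ADO.NET connection-string keyword synonyms for the server and for Windows auth.
SERVER_KEYS = ("data source", "server", "address", "addr", "network address")
WINAUTH_KEYS = ("integrated security", "trusted_connection")
LOCAL_NAMES = {".", "(local)", "localhost", "127.0.0.1"}


def parse_conn_str(conn_str):
    """Split 'key=value;...' into a dict with lower-cased keys.
    Simplification: values containing ';' (quoted passwords) are not handled."""
    pairs = (p.split("=", 1) for p in conn_str.split(";") if "=" in p)
    return {k.strip().lower(): v.strip().strip("'\"") for k, v in pairs}


def sql_host(data_source):
    """Reduce 'tcp:HOST\\INSTANCE,1433' to the bare, lower-cased host."""
    host = re.sub(r"^(tcp|np|lpc):", "", data_source.strip(), flags=re.I)
    return re.split(r"[\\,]", host, maxsplit=1)[0].lower()


def short(name):
    """First DNS label, so 'sp01.corp.example' matches 'SP01'; IPs stay whole."""
    name = name.lower()
    return name if re.fullmatch(r"[\d.]+", name) else name.split(".")[0]


def classify(conn_str, web_server, web_auth):
    """Apply the post's rule: Windows auth + remote SQL Server + NTLM fails.
    web_server (IIS host) and web_auth ('NTLM'/'Kerberos') are caller-supplied."""
    kv = parse_conn_str(conn_str)
    if not any(kv.get(k, "").lower() in ("true", "yes", "sspi") for k in WINAUTH_KEYS):
        return "sql-auth"         # SQL login in the string, no user token forwarded
    host = sql_host(next((kv[k] for k in SERVER_KEYS if k in kv), ""))
    if host in LOCAL_NAMES or short(host) == short(web_server):
        return "single-hop"       # SQL Server is on the SharePoint machine
    if web_auth.upper() == "NTLM":
        return "double-hop-fail"  # browser -> SharePoint -> remote SQL over NTLM
    return "kerberos"             # remote SQL Server, but Kerberos is in use


if __name__ == "__main__":
    # Constructed sample connection string, not taken from a real deployment.
    sample = r"Data Source=SQLPROD01\FORUMS;Initial Catalog=SocialSquared;Integrated Security=SSPI"
    for proto in ("NTLM", "Kerberos"):
        print(proto, "->", classify(sample, "SP01", proto))
```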

To assist users who still wish to use Windows authentication, Lightning Tools is developing its Social Squared product to support Secure Store. With Secure Store as a third option for authentication, users of Social Squared will be able to continue to use Windows authentication regardless of the protocol and not suffer from the double-hop issue.

Brett