I have a typical double-hop scenario: User -> IIS -> SQL.
I am using IIS 7.5, which is using Kernel Mode Authentication, so I am setting up the IIS server account for delegation.
If I set this to "Trust this computer for delegation to any service", then it works fine. However, I would like to get constrained delegation to work. I have set up SPNs for the SQL server (for both SQLServer and SQLServer.domain.com) and tested the setup using DelegConfig, which says it is fine, but it does not work.
Does anyone know of a way to see what SPN is being used when I run this with unconstrained delegation, so I can set this up for constrained? Or any other solutions?
I would enable Kerberos logging on the IIS machine. This surfaces a lot of helpful information, including SPNs and related errors. Takes effect without a restart on Windows Server 2008.
NetMon may also show SPNs.
Are the IIS and SQL servers in the same AD Domain?
Can you post the SPNs you set for SQL? Have you confirmed they're set on the computer account (if SQL is running as Network Service/Local System) or the service account otherwise?
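
The Kerberos-logging and SPN checks suggested in the replies above, as an added example that is not part of the original thread: it turns on Kerberos event logging on the IIS server, lists the SPNs and error codes logged while the request is reproduced, and compares the SQL SPNs with the IIS computer account's constrained-delegation list. `IISHOST`, port 1433 (default SQL instance), the message labels matched in step 2, and the presence of the ActiveDirectory module are assumptions.

```powershell
# Run in an elevated PowerShell session on the IIS server.
# Placeholders / assumptions (not from the thread): IISHOST, port 1433.
$IisComputer = 'IISHOST'
$SqlSpns     = 'MSSQLSvc/SQLServer.domain.com:1433', 'MSSQLSvc/SQLServer:1433'

# 1. Enable Kerberos event logging (LogLevel = 1); no restart is required.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
New-ItemProperty -Path $key -Name LogLevel -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Reproduce the failure, then list Kerberos events written to the System log.
$since = Get-Date
Read-Host 'Reproduce the failing request through IIS, then press Enter' | Out-Null

Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*Kerberos*' } |
    Select-Object TimeCreated, Id, @{
        Name       = 'Details'
        # Assumption: the event text labels the requested SPN and the KDC error
        # as "Server Name" / "Target Name" / "Error Code".
        Expression = {
            ($_.Message -split "`r?`n" |
                Where-Object { $_ -match 'Server Name|Target Name|Error Code' } |
                ForEach-Object { $_.Trim() }) -join '; '
        }
    } |
    Format-Table -AutoSize -Wrap

# 3. Compare the SQL SPNs with the IIS account's constrained-delegation list.
Import-Module ActiveDirectory
$allowed = (Get-ADComputer $IisComputer -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
foreach ($spn in $SqlSpns) {
    '{0} in delegation list of {1}: {2}' -f $spn, $IisComputer, ($allowed -contains $spn)
}

# 4. Show which account each SPN is registered on (computer vs. service account).
$SqlSpns | ForEach-Object { setspn -Q $_ }

# 5. Turn Kerberos logging back off when finished.
Set-ItemProperty -Path $key -Name LogLevel -Value 0
```

An SPN that appears in the logged events but not in the delegation list, or that `setspn -Q` finds on a different account than the one SQL Server runs as, is the entry to correct.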