We are successfully running our corporate Intranet using PHP under IIS 7.5 on Windows Server 2008 R2. We used Web Platform Installer to set up PHP. Impersonation worked right from the start, but delegation was not configured.
It is my understanding that "impersonation", sometimes called single hop, takes the access token from the client workstation and uses it to run the script on the web server, i.e. the first hop. The rub comes when the app wants to read/write files on a network file share. It is my further understanding that "delegation", sometimes called "double hop", takes the same access token and passes it on from the web server (the second hop) for use in accessing the remote files. Delegation is not working. I have read in many places that delegation is what I need, but I cannot find instructions on how to enable it in IIS 7.5.
Delegation works in different ways depending on whether you run a workgroup or a domain, and whether you use local or domain accounts or certificates. I assume you run a domain and want to use Kerberos delegation.
If you do, you have to enable the account your application is running under to be "trusted for delegation" in Active Directory (open ADUC (or ADAC if you run Server 2012), navigate to the account -> Properties -> Delegation tab and enable full or constrained delegation).
Only domain accounts with a registered SPN can be trusted for delegation. Built-in computer accounts get SPNs registered by default, but if you use a regular user account you have to register an SPN for your web application and account before you can enable it to be trusted for delegation (the Delegation tab won't show on accounts that lack registered SPNs).
How to set SPNs: http://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
Change the application pool account from the default virtual account IIS creates, "IIS AppPool\applicationName", to NetworkService (if you decided to use the computer account) or to the newly created user account (if you go that path).
Make sure your application is configured to use Windows Authentication. Windows Authentication uses NTLM or Kerberos, and only Kerberos supports delegation, hence you have to have an SPN; otherwise NTLM will be used for authentication and it won't work.
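The four steps in this answer, scripted in PowerShell on the web server, as an added example that is not part of the original answer. It assumes the RSAT ActiveDirectory module and the IIS WebAdministration module are installed and that you hold rights to edit the service account; every name (the CORP domain, svc_intranet, intranet.corp.example.com, fs01.corp.example.com, IntranetPool, the site path) is a hypothetical placeholder to replace with your own. It goes slightly beyond the answer in choosing constrained delegation to only the CIFS service on the file server, the least-privilege form, and in setting useAppPoolCredentials, which kernel-mode authentication needs when the pool runs as a custom domain account.

```powershell
# Added example (not the original answer's code). All names below are hypothetical.
Import-Module ActiveDirectory
Import-Module WebAdministration

$svcAccount   = 'CORP\svc_intranet'           # domain user the app pool will run as (placeholder)
$svcSam       = 'svc_intranet'
$siteHost     = 'intranet.corp.example.com'   # host name users type in the browser (placeholder)
$fileServer   = 'fs01.corp.example.com'       # share the PHP app reads/writes (placeholder)
$appPool      = 'IntranetPool'
$siteLocation = 'Default Web Site/intranet'

# 1. Register the HTTP SPN on the service account. -S refuses to create a
#    duplicate SPN; a duplicate silently breaks Kerberos, clients fall back
#    to NTLM, and NTLM cannot delegate.
setspn -S "HTTP/$siteHost" $svcAccount
setspn -S "HTTP/$($siteHost.Split('.')[0])" $svcAccount   # short name, if users browse by it

# 2. Allow delegation. Constrained delegation to the CIFS service on the file
#    server only; the commented line is the "full" (unconstrained) alternative.
Set-ADUser -Identity $svcSam -Add @{
    'msDS-AllowedToDelegateTo' = @("cifs/$fileServer", "cifs/$($fileServer.Split('.')[0])")
}
# Set-ADUser -Identity $svcSam -TrustedForDelegation $true   # unconstrained (full) delegation

# 3. Run the application pool as the domain account instead of the virtual
#    "IIS AppPool\<name>" identity. identityType 3 = SpecificUser.
$cred = Get-Credential $svcAccount
Set-ItemProperty "IIS:\AppPools\$appPool" -Name processModel -Value @{
    identityType = 3
    userName     = $svcAccount
    password     = $cred.GetNetworkCredential().Password
}

# 4. Windows Authentication only. useAppPoolCredentials makes kernel-mode
#    authentication decrypt tickets with the pool account's keys; without it
#    http.sys uses the machine account and the user-account SPN never matches.
$auth = 'system.webServer/security/authentication'
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteLocation `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteLocation `
    -Filter "$auth/windowsAuthentication" -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $siteLocation `
    -Filter "$auth/windowsAuthentication" -Name useAppPoolCredentials -Value $true

Restart-WebAppPool $appPool

# Checks: SPNs on the account, duplicate SPNs forest-wide, and the delegation attributes.
setspn -L $svcAccount
setspn -X
Get-ADUser $svcSam -Properties msDS-AllowedToDelegateTo, TrustedForDelegation |
    Select-Object SamAccountName, TrustedForDelegation, msDS-AllowedToDelegateTo
```

To confirm the result from a client workstation, browse to the site and run `klist`: a ticket for `HTTP/intranet.corp.example.com` in the list means Kerberos was used; no such ticket means the browser fell back to NTLM and the second hop will still fail, which almost always points back to a missing or duplicate SPN (`setspn -X` above).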