First of all, not sure which site is best suited for this question be it SO, SF or SU so please feel free to suggest migration!
I have a requirement to constrain delegation between several machines to enable identity impersonation between different services.
Here are the different machines:
Machine1
- Has IIS 8.0 with an AppPool running under the local service account "Local System"
Machine2
- Has SQL Server 2008 R2 with SSRS, both running under the local service account "Network Service"
Machine3
- Has SQL Server 2008 R2 and mirrors several databases from Machine2
The app I'm developing needs to be able to impersonate the client identity to enable access to the SQL Server Backend and Reporting Services. There is also a requirement to impersonate the user to enable the app to upload files to a shared network location.
All the machines run under the same domain.
I've sat down with a domain administrator and have enabled "Enable this computer for delegation to any service (Kerberos only)" on all three machines. The reason for this is that I've tried to constrain delegation to certain services to no avail.
I haven't amended any SPNs, as my understanding is that SQL Server will automatically create the required SPNs to do the job.
With my application, I have specified the following in the web.config file to enable impersonation:
<authentication mode="Windows" />
<identity impersonate="true"/>
IIS has only Windows authentication enabled.
The Issue
Delegation appears not to be working at all as when the app is deployed to IIS, authentication issues arise (i.e. 401 errors) when trying to access the SSRS service and when trying to upload a file to the network share.
The Question
Is there anything else that I'm missing / need to check to get delegation working across the machines, and which services do I need to enable to allow the above requirements?
Please note I have read many questions surrounding delegation which have not solved my issue.
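An added check, not part of the question: a PowerShell audit of the delegation mode and the SPNs registered on the three computer accounts described above, which is where failures of this kind (NTLM fallback and 401s instead of a delegated Kerberos ticket) are usually first visible. MACHINE1, MACHINE2 and MACHINE3 are placeholder names; the script assumes the RSAT ActiveDirectory module is installed and is run by an account that can read the domain.

```powershell
# Added example (not from the question): report the delegation mode and the
# service SPNs on each computer account. Hostnames are placeholders.
Import-Module ActiveDirectory

$computers = 'MACHINE1', 'MACHINE2', 'MACHINE3'   # placeholder names

foreach ($name in $computers) {
    $c = Get-ADComputer -Identity $name -Properties servicePrincipalName,
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    # TrustedForDelegation is what "delegation to any service" sets; a populated
    # msDS-AllowedToDelegateTo means constrained delegation to the listed SPNs.
    $mode = if ($c.TrustedForDelegation) { 'UNCONSTRAINED (any service)' }
            elseif ($c.'msDS-AllowedToDelegateTo') {
                if ($c.TrustedToAuthForDelegation) { 'CONSTRAINED, any protocol' }
                else { 'CONSTRAINED, Kerberos only' }
            }
            else { 'none' }

    # Services running as Local System / Network Service register SPNs on the
    # computer account, so HTTP (IIS, SSRS) and MSSQLSvc entries should be here.
    $svcSpns = $c.servicePrincipalName |
        Where-Object { $_ -like 'HTTP/*' -or $_ -like 'MSSQLSvc/*' }

    [pscustomobject]@{
        Computer    = $name
        Delegation  = $mode
        AllowedTo   = ($c.'msDS-AllowedToDelegateTo' -join '; ')
        ServiceSPNs = ($svcSpns -join '; ')
    }
}

# Duplicate SPNs anywhere in the forest make the KDC unable to pick a service
# account, and clients then silently fall back to NTLM, which cannot delegate.
setspn -X -F
```

A missing HTTP/<host> or MSSQLSvc/<host>:<port> entry for a machine, or any duplicate reported by setspn -X, is the first thing to resolve before revisiting the delegation settings themselves.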
0 Answers