2
votes

I have successfully set up Kerberos delegation between an ASP.NET web site and a SQL Server. All the users in the same domain as the IIS application pool account and SQL Server service account can be delegated from the web site to SQL Server. Now we have users from a two-way trusted domain trying to use the web site, and the following error occurred on the SQL Server side: "Login failed for user 'NT AUTHORITY\ANONYMOUS LOGON'". It means the delegation has failed.

The web site is IIS 6 on Windows 2003.

I checked the user from the trusted domain, and the "userAccountControl" is 512, so delegation is not blocked. In the user's IE browser settings, I can see the "Local Intranet" has been configured right.

Can someone tell me how I can troubleshoot this issue?

Thanks!

Richard


1 Answer

0
votes

Maybe this helps you: http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/c43260a9-6791-4572-a7f2-1547467d89bb/

Here's the quote (written by SenthilSK)

The Kerberos protocol supports two kinds of delegation, basic (unconstrained) and constrained. Basic Kerberos delegation can cross domain boundaries in a single forest, but cannot cross a forest boundary regardless of trust relationship. Kerberos constrained delegation cannot cross domain or forest boundaries in any scenario. For more details about KCD configuration for your scenario, I could suggest referring to the white paper on Kerberos: http://www.microsoft.com/download/en/details.aspx?id=23176
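
A triage sketch for the failure discussed in this thread, added here as an example (it is not part of the question, the answer, or the quoted post): it decodes the delegation-related `userAccountControl` bits and applies the boundary rules exactly as quoted above. Assumptions: the function names, the finding codes and the sample SPN are hypothetical, "boundary" is read as the one between the user's account and the delegating service account, and constrained delegation is detected from a non-empty `msDS-AllowedToDelegateTo` list.

```python
# Documented userAccountControl bit values relevant to delegation.
NORMAL_ACCOUNT = 0x0200                      # 512, the value reported in the question
TRUSTED_FOR_DELEGATION = 0x80000             # basic (unconstrained) delegation
NOT_DELEGATED = 0x100000                     # "sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained, with protocol transition

RELATIONS = ("same_domain", "same_forest", "other_forest")


def delegation_mode(service_uac, allowed_to_delegate_to):
    """Classify how the delegating account (e.g. the app pool identity) is trusted."""
    if service_uac & TRUSTED_FOR_DELEGATION:
        return "basic"
    if allowed_to_delegate_to or service_uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained"
    return "none"


def triage(user_uac, service_uac, allowed_to_delegate_to, relation):
    """Return finding codes (hypothetical names) explaining why delegation may fail.

    relation: where the user's account sits relative to the service account.
    """
    if relation not in RELATIONS:
        raise ValueError("relation must be one of %r" % (RELATIONS,))
    findings = []
    if user_uac & NOT_DELEGATED:
        findings.append("USER_NOT_DELEGATED")
    mode = delegation_mode(service_uac, allowed_to_delegate_to)
    if mode == "none":
        findings.append("SERVICE_NOT_TRUSTED")
    elif relation == "other_forest":
        # Quoted rule: neither kind of delegation crosses a forest boundary.
        findings.append("FOREST_BOUNDARY")
    elif relation == "same_forest" and mode == "constrained":
        # Quoted rule: constrained delegation does not cross a domain boundary.
        findings.append("CONSTRAINED_CROSS_DOMAIN")
    return findings


if __name__ == "__main__":
    # Constructed sample: user UAC 512, constrained delegation to a made-up SPN.
    spns = ["MSSQLSvc/sql.example.test:1433"]
    for relation in RELATIONS:
        print(relation, triage(NORMAL_ACCOUNT, NORMAL_ACCOUNT, spns, relation))
```

An empty result means none of these checks explains the failure; it does not prove that delegation will succeed.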