I need your help with a Kerberos double hop issue I have... After reading many posts online on the topic, I still cannot understand what is wrong in my setup. Here is the setup I use:
- Client PC
- Web server hosting a simple ASMX web service
- Web server hosting SharePoint 2013
All servers are trusted for delegation, everyone is on the same domain (no forest) and no load-balancing is used. Each web server uses IIS 7.5 and each app pool is set up with a domain service account. Each service account is trusted for delegation. Important note: both web services are accessed via a DNS entry (HOST records):
- http://mywebservice/ for the middle server
- http://sharepoint/ for the SharePoint server
I also set up IIS on the web server (Server 1) to use the app pool credentials "useAppPoolCredentials=True" and left the kernel on.
So far, I have the following SPNs set up:
- Server 1: HOST/Server1; HOST/Server1.domain.com; HTTP/mywebserice; HTTP/mywebservice.domain.com
- Server 2: HOST/Server2; HOST/Server2.domain.com
- Service1:
- Service2:
I have tried many permutations between the various SPNs with no luck so far :(
At the moment, I can connect to the web service (Server1) using Kerberos, but then "NT AUTHORITY\ANONYMOUS LOGON" is passed to the SharePoint server.
Can anyone help me figure out what is the correct setup?
Thanks for your help.