My production environment is load balanced (and under heavy load) in a very large corporate Active Directory network. After a lot of testing, the following are the settings that finally worked.
- I also run on Windows 2008 Server R2
- My web services are ASP.NET in IIS. For authentication I have enabled "Windows Auth" and "ASP.NET Impersonation". Kernel mode is disabled, and the provider is "Negotiate: Kerberos".
- SPNs and "Trusted for Delegation" are configured for the AD account. My AD account looks like sys_myservice (sys_ is just my company's naming convention).
- Application Pool Id set to use sys_myservice
- After making all the changes to dev env, restart the entire server. For some odd reason, this is always necessary when we launch new servers and configure them.
With this setup, my web services access SSAS, SQL Server, etc., which use Windows Kerberos authentication, and all queries are executed correctly under the user's credentials.
The difference between my setup and yours is ASP.NET impersonation: it is enabled at the IIS level. I was unable to get the code-level impersonation you are trying to do to work. If you get code-level impersonation working with your workflow, I would be very interested to see how; please post an update.
Forgot to mention: my services are in an MVC application, and I apply a global filter to all Action methods to force the application to authenticate all connections.
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new System.Web.Mvc.AuthorizeAttribute());
    }
and in the web.config system.web section:

    <authentication mode="Windows" />
    <identity impersonate="true" />
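For reference, here is the full web.config shape that matches the settings listed above (Windows authentication, ASP.NET impersonation, kernel mode off, Negotiate first). This is an added example, not the original poster's file; the app pool running as sys_myservice and the SPN/delegation settings on that account are assumed from the answer.

```xml
<configuration>
  <system.web>
    <!-- IIS-level Windows auth with ASP.NET impersonation, as described above -->
    <authentication mode="Windows" />
    <identity impersonate="true" />
    <!-- Reject anonymous callers; the MVC AuthorizeAttribute filter does the same per action -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="false" />
        <!-- useKernelMode="false": the worker process (sys_myservice) decrypts the
             Kerberos ticket itself, so the SPN must be registered on that account -->
        <windowsAuthentication enabled="true" useKernelMode="false">
          <providers>
            <clear />
            <add value="Negotiate" />
            <add value="NTLM" />
          </providers>
        </windowsAuthentication>
      </authentication>
    </security>
  </system.webServer>
</configuration>
```

The windowsAuthentication section is locked at the server level by default, so the system.webServer part only takes effect if the section is unlocked in applicationHost.config (or configured there directly). Keeping NTLM as the fallback after Negotiate means a client that silently falls back to NTLM will still authenticate but the downstream hop to SQL Server/SSAS will fail, which is the usual symptom to check for when delegation "stops working".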