I have an IIS web-application with Windows authentication and impersonation. This application connects to SQL server. In this case Kerberos works fine.
But there is a problem. Web-application runs windows application (COM), which also connects to the SQL server. Windows application runs with IIS app user credentials and impersonates current site user to connect to SQL server.
scheme: http://i.stack.imgur.com/2cgv7.png
When delegation for IIS user is set to "Trust this computer for delegation to any service" everything works fine. But I can't use this type of delegation according to security requirements.
When I set delegation to "Specific services" and choose MSSQLSvc SPN, connection from windows application fails with "ANONIMOUS" fault. WireShark shows "KRB5KDC_ERR_BADOPTION" packet.
What I'm doing wrong?
