I have a production server, which I'll call CONTOSO\MachineA, running SQL Server. I have a development server, which I'll call CONTOSO\MachineB, running IIS. Both servers are running Windows Server 2008. I have a domain user, which I'll call CONTOSO\MyAppSvc. I have two CNAME records, myapp => MachineA and myappdev => MachineB.
My goal is to have (intranet) clients connect to IIS on MachineB and authenticate via Windows authentication, and then for the app to impersonate them and connect to SQL on MachineA as themselves.
MachineB is running another instance of SQL Server, for testing, and I have verified that SQL is set up right for double-hop auth by running SELECT * FROM [MachineA].[My App DB].App.SomeTable via SSMS (on MyWorkstation) => SQL Server (on MachineB) => SQL Server (on MachineA).
MyApp on IIS on MachineB is set up with Impersonation and Windows Authentication (Negotiate only) and running in MyAppPool, which is running as MyAppSvc. system.webServer/security/authentication/windowsAuthentication @useAppPoolCredentials is true and @useKernelMode is false. MachineB and MyAppSvc are both trusted for unconstrained delegation. There are two SPNs on MyAppSvc: HTTP/myapp and HTTP/myapp.contoso.local.
Using Wireshark, I see the following when I try to browse http://myapp/aPage:

- MyWorkstation => MachineB
  - GET /aPage
  - Host: myapp
- MachineB => MyWorkstation
  - 401 Unauthorized
  - WWW-Authenticate: Negotiate
- MyWorkstation => MachineB
  - GET /aPage
  - Host: myapp
  - Authorization: ticket:
    - realm: CONTOSO.LOCAL
    - sname: HTTP/MachineB.Contoso.local
- MachineB => MyWorkstation
  - 401 Unauthorized
  - WWW-Authenticate:
    - error-code: ERR-MODIFIED
    - realm: CONTOSO.LOCAL
    - sname: MyAppSvc
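The trace above shows the client requesting a ticket for HTTP/MachineB.Contoso.local rather than HTTP/myapp, which is what a Windows Kerberos client does when the URL hostname is a CNAME: it builds the SPN from the canonical A-record name. The diagnostic below (added here, not part of the original post) resolves a hostname the same way, then queries AD for the account(s) holding that HTTP SPN and compares against the app pool identity; it assumes a domain-joined machine with LDAP read access, and the hostname and account names are the ones from the post.

```powershell
# Added diagnostic for SPN/CNAME mismatches; assumes a domain-joined host
# and read access to servicePrincipalName via LDAP (PowerShell 2.0+).
function Get-ExpectedHttpSpn {
    param([Parameter(Mandatory=$true)][string]$HostName)
    # Windows Kerberos clients resolve a CNAME to its canonical name before
    # building the SPN, so myapp -> MachineB yields HTTP/MachineB.contoso.local.
    $canonical = [System.Net.Dns]::GetHostEntry($HostName).HostName
    return "HTTP/$canonical"
}

function Find-SpnOwner {
    param([Parameter(Mandatory=$true)][string]$Spn)
    # Escape LDAP filter metacharacters (backslash first, then the rest).
    $escaped = $Spn -replace '\\','\5c' -replace '\(','\28' -replace '\)','\29' -replace '\*','\2a'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(servicePrincipalName=$escaped)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    $owners = @()
    foreach ($r in $searcher.FindAll()) {
        $owners += $r.Properties['samaccountname'][0]
    }
    # Note: a computer account serves HTTP/<its own FQDN> through its HOST/
    # SPN, so zero matches for a machine name still means the machine account
    # (not MyAppSvc) will be the one the KDC encrypts the ticket for.
    return $owners
}

function Test-HttpSpnOwner {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [Parameter(Mandatory=$true)][string]$AppPoolAccount
    )
    $spn    = Get-ExpectedHttpSpn -HostName $HostName
    $owners = Find-SpnOwner -Spn $spn
    New-Object PSObject -Property @{
        RequestedSpn = $spn                              # what the client will ask the KDC for
        Owners       = ($owners -join ', ')              # accounts that hold that SPN
        Duplicate    = ($owners.Count -gt 1)             # duplicate SPNs also break Kerberos
        MatchesPool  = ($owners -contains $AppPoolAccount)
    }
}

# Names taken from the post: URL host 'myapp', app pool identity 'MyAppSvc'.
Test-HttpSpnOwner -HostName 'myapp' -AppPoolAccount 'MyAppSvc' | Format-List
```

MatchesPool should be true for the SPN the client actually requests; when it is false (or Duplicate is true), the ticket is encrypted for an account other than the one IIS decrypts with, which is consistent with the KRB_AP_ERR_MODIFIED response in the trace.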