Hi
I am now trying to set up an ASP.NET application that uses delegation in our test/prod environments. With great help (https://forums.iis.net/t/1228796.aspx?Delegation) I made it work on my local dev machine.
However I can't make it work in the test environment. In this environment the application has to share IIS with a number of other applications and is therefore accessed via an alias. I have then added bindings from that to my application in IIS.
This works fine, but the delegation does not work. I have found out that the issue is that the browser uses NTLM and not Kerberos when authenticating to the website. This is because the browser triggers a Kerberos ticket request on the client but AD answers with S_PRINCIPAL_UNKNOWN, and then the browser falls back to NTLM.
I have run these commands:
Setspn -S HTTP/FQDN_OF_IIS_SERVER domain\iisserviceaccountname
Setspn -S HTTP/ALIAS_OF_IIS_SERVER domain\iisserviceaccountname
A few things confuse me a bit:
* The TGS ticket request contains the machine name and not the alias for the web server. I guess that is because IE resolves the alias before triggering the ticket request. I guess that is OK?
* The TGS ticket request does not contain the IIS service account name. Does that mean that it looks for the registrations I made above with setspn, or are we not at that point yet? If not, does it then just look for the machine account for FQDN_OF_IIS_SERVER? In any case I don't understand why it cannot find the principal. If it looks for the registrations I made, then they are there; if it looks for the machine account, then the HOST SPN is registered for that.
I hope someone can shed some light on what is going on.
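Added example (not from the original post or thread): a small model of the two steps the post describes, the browser canonicalizing a CNAME alias before building the SPN for its TGS request, and the KDC looking that SPN up across accounts (explicit HTTP/ registration first, then the implicit HOST/ coverage, with a duplicate registration treated as a failed lookup). All host names, accounts and DNS records are constructed.

```python
# Constructed model of SPN selection on a Windows client and lookup on the KDC.
# All names below are hypothetical; they stand in for FQDN_OF_IIS_SERVER,
# ALIAS_OF_IIS_SERVER and the IIS service account from the post.

# Constructed DNS: the alias is a CNAME that points at the server's A record.
DNS = {
    "webapp.example.com": ("CNAME", "iis01.example.com"),
    "iis01.example.com": ("A", "10.0.0.5"),
}

# Constructed directory data: account -> registered SPNs. The machine account
# carries HOST/..., which the KDC treats as also covering HTTP/ for that host.
SPN_TABLE = {
    "EXAMPLE\\IIS01$": ["HOST/iis01.example.com", "HOST/IIS01"],
    "EXAMPLE\\svc_iis": ["HTTP/iis01.example.com", "HTTP/webapp.example.com"],
}


def canonical_host(name, dns=DNS):
    """Follow CNAME records the way a browser that canonicalizes aliases does."""
    seen = set()
    while name in dns and dns[name][0] == "CNAME" and name not in seen:
        seen.add(name)
        name = dns[name][1]
    return name


def requested_spn(url_host, dns=DNS, canonicalize=True):
    """SPN the client places in its TGS-REQ for an HTTP URL on url_host."""
    host = canonical_host(url_host, dns) if canonicalize else url_host
    return f"HTTP/{host}"


def resolve_spn(spn, table=SPN_TABLE):
    """Emulate the KDC lookup; returns (status, account-or-list-or-None)."""
    low = spn.lower()
    explicit = [a for a, spns in table.items() if low in (s.lower() for s in spns)]
    if len(explicit) > 1:          # same SPN on two accounts: lookup fails
        return ("DUPLICATE_SPN", explicit)
    if explicit:
        return ("OK", explicit[0])
    service, _, host = spn.partition("/")
    if service.upper() == "HTTP":  # fall back to the implicit HOST/ mapping
        host_spn = f"host/{host}".lower()
        implicit = [a for a, spns in table.items() if host_spn in (s.lower() for s in spns)]
        if implicit:
            return ("OK", implicit[0])
    return ("S_PRINCIPAL_UNKNOWN", None)
```

Running `requested_spn("webapp.example.com")` shows why the captured TGS request names the machine rather than the alias; `resolve_spn` with a table that lists the same HTTP/ SPN on two accounts shows the duplicate case, which the `setspn -X` check on the server side would also report.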