Hello gurus.
I have 3 Windows 2008 R2 web servers behind a load balancer that run a PHP application which accesses files on a DFS share. The DFS share and web servers are in the same domain, the sites run with the same single domain service account identity and use physical path credentials of the domain service account. Kerberos is set up on the domain service account to delegate to the servers hosting the DFS share. The sites use Windows Authentication, but I want to turn off user impersonation for the access to the DFS share and use the domain service account credentials, so useAppPoolCredentials="true" has been added after useKernelMode="true", and on the first 2 web servers this configuration works fine. Procmon shows the DFS share being accessed using the domain service account credentials, netmon and Kerberos logging show Kerberos authentication working correctly, and the application works.
Server 3 is set up with the same configuration but does not work. The application fails due to no permission on the DFS share. Procmon shows that the actual logged-in user account (which does not have permission), not the domain service account, is being impersonated to access the DFS share. I have tried everything I can think of, including diffing the IIS ApplicationHost.config files between the servers, and I can see no differences (hashes aside). If I set the site to anonymous and change the anonymous identity to the domain service account it works, and the domain service account is impersonated to access the DFS share, so Kerberos is working fine on that account from that server. The issue is that as soon as I set it back to Windows Authentication, it always impersonates the logged-in user and not the service account, regardless of whether useAppPoolCredentials="true" is present or not. There is no difference in the server builds and I can't see any reason why the impersonation should be acting differently on one server. All other AppPool/IIS config and user/group memberships are identical, and nothing is being logged.
Does anyone have any ideas where I can look next please?
Thanks.
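An added example (not from the original post, and not the poster's own script) of how to capture the effective per-site authentication and identity settings on each of the three servers so they can be diffed as data rather than by eyeballing ApplicationHost.config. It reads the merged windowsAuthentication and anonymousAuthentication sections as IIS resolves them for each site, the root virtual directory's physical path credentials, the app pool identity, and whether the site's own web.config carries a windowsAuthentication element of its own. It requires the WebAdministration module (present on IIS 7.5 / Windows Server 2008 R2) and an elevated prompt; the output file name is an assumption.

```powershell
# Added example: per-site Windows Authentication / identity report for cross-server diffing.
# Assumes the WebAdministration module and an elevated PowerShell session.
Import-Module WebAdministration

function Get-SiteAuthReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $winFilter  = 'system.webServer/security/authentication/windowsAuthentication'
    $anonFilter = 'system.webServer/security/authentication/anonymousAuthentication'

    foreach ($site in Get-Website) {
        $sitePath = "IIS:\Sites\$($site.Name)"

        # Effective (merged) settings as IIS resolves them for this site
        $win  = Get-WebConfiguration -Filter $winFilter  -PSPath $sitePath
        $anon = Get-WebConfiguration -Filter $anonFilter -PSPath $sitePath

        # Root virtual directory: physical path plus the "connect as" credentials
        $vdirFilter = "system.applicationHost/sites/site[@name='$($site.Name)']/application[@path='/']/virtualDirectory[@path='/']"
        $vdir = Get-WebConfiguration -Filter $vdirFilter

        # Application pool identity the site runs under
        $pool = Get-Item "IIS:\AppPools\$($site.applicationPool)"

        # A windowsAuthentication element in the site's own web.config would override
        # (or, if the section is locked, break) the values in applicationHost.config.
        $physical  = [Environment]::ExpandEnvironmentVariables($vdir.physicalPath)
        $webConfig = Join-Path $physical 'web.config'
        $localOverride = $false
        if (Test-Path $webConfig) {
            $localOverride = [bool](Select-Xml -Path $webConfig -XPath '//windowsAuthentication')
        }

        [pscustomobject]@{
            Server                = $ComputerName
            Site                  = $site.Name
            WinAuthEnabled        = $win.enabled
            UseKernelMode         = $win.useKernelMode
            UseAppPoolCredentials = $win.useAppPoolCredentials
            AnonEnabled           = $anon.enabled
            AnonUser              = $anon.userName
            AppPool               = $site.applicationPool
            PoolIdentityType      = $pool.processModel.identityType
            PoolUser              = $pool.processModel.userName
            PhysicalPath          = $vdir.physicalPath
            PathUser              = $vdir.userName
            PathLogonMethod       = $vdir.logonMethod
            WebConfigOverride     = $localOverride
        }
    }
}

# Run on each server, then import the CSVs and Compare-Object the rows.
$report = Get-SiteAuthReport
$report | Format-List
$report | Export-Csv -Path "$env:TEMP\iis-auth-$env:COMPUTERNAME.csv" -NoTypeInformation
```

The point of reading the section through `-PSPath "IIS:\Sites\<name>"` rather than from the file is that you get the value IIS will actually apply after merging the server default, the site `<location>` and any web.config, so a difference that is invisible in a file-level diff still shows up. Running it on all three servers and comparing the rows gives one table where `UseKernelMode`, `UseAppPoolCredentials`, `PathUser`, `PathLogonMethod` and `WebConfigOverride` can be checked side by side.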