Hi
I had the issue described in this thread: https://forums.iis.net/t/1229336.aspx?Delegation+S_PRINCIPAL_UNKNOWN. The thread is now locked so I cannot post the follow-up there.
In short summary, the problem was that Impersonation did not work because the clients did not get a successful Kerberos logon to the web server. The Kerberos error was S_PRINCIPAL_UNKNOWN, even though I had registered an SPN for the service account the application was run under in IIS.
The reason for the error was that my domain name was registered as a CNAME and due to that, IE resolved it to an A record and put the A record name in the Kerberos ticket request. Then the ticket request did not match the SPN which was registered for the CNAME.
This was also the diagnostic from Ken Schaefer in that thread, as he wrote "you can create an A record for the alias, rather than using a CNAME[...]"
As Ken also noted, it was the issue described here: https://support.microsoft.com/en-us/kb/2309371. However, I could not use the hotfix as I was on Windows 8 / Windows Server 2012. I have not been able to find any information from Microsoft about how to handle it with that setup.
Microsoft Support advised to change the CNAME to an A record such that there were two A records pointing to the same IP, both the machine name and the alias for my application. However, our network team did not want that solution as they believed it could cause other problems. Instead we gave the server an extra IP and registered the alias for the application as an A record pointing to that new IP. This also works.
Ken thanks a lot for the help.
And if anyone from Microsoft reads this: Please make an updated version of https://support.microsoft.com/en-us/kb/2309371 discussing how to solve the issue for newer versions of Windows/Windows Server.
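The mechanism behind the post, as an added example that is not code from the original post or from Microsoft: a small Python model of how a Kerberos client derives the HTTP service principal name for a URL host when that host is a DNS alias, and a check of whether the derived SPN is among the SPNs registered on the service account. The DNS zone contents (`app.example.local`, `web01.example.local`, the IP addresses) and the registered SPN list are constructed values; the "before" zone uses a CNAME for the alias, the "after" zone gives the alias its own A record on a separate IP, as the post describes.

```python
"""
Model of Kerberos SPN selection for an HTTP alias that is a DNS CNAME.

A Windows client canonicalizes the host name before building the SPN: it
follows the CNAME chain to the A record and requests HTTP/<canonical name>.
If that SPN is not registered on any account, the KDC answers with the
"principal unknown" error seen in the forum post and delegation fails.
All DNS data and SPNs below are constructed for illustration.
"""

# Constructed zone before the fix: the application alias is a CNAME.
DNS_BEFORE = {
    "app.example.local": ("CNAME", "web01.example.local"),
    "web01.example.local": ("A", "10.0.0.5"),
}

# Constructed zone after the fix from the post: the alias is its own A record
# pointing at an extra IP on the same server.
DNS_AFTER = {
    "app.example.local": ("A", "10.0.0.6"),
    "web01.example.local": ("A", "10.0.0.5"),
}

# Constructed SPNs registered on the IIS application pool service account.
REGISTERED_SPNS = {"HTTP/app.example.local", "HTTP/app"}


def canonical_host(name, zone, max_hops=8):
    """Follow CNAME records until an A record is reached and return its name.

    Mirrors the canonicalization a Kerberos client performs before it asks
    the KDC for a service ticket. Raises LookupError on a missing record or
    a CNAME loop rather than silently guessing.
    """
    current = name.lower().rstrip(".")
    seen = set()
    for _ in range(max_hops):
        record = zone.get(current)
        if record is None:
            raise LookupError(f"no DNS record for {current}")
        rtype, target = record
        if rtype == "A":
            return current
        if rtype != "CNAME":
            raise LookupError(f"unsupported record type {rtype} for {current}")
        if current in seen:
            raise LookupError(f"CNAME loop at {current}")
        seen.add(current)
        current = target.lower().rstrip(".")
    raise LookupError(f"CNAME chain for {name} exceeds {max_hops} hops")


def requested_spn(url_host, zone):
    """SPN the client will request for an HTTP URL on url_host."""
    return f"HTTP/{canonical_host(url_host, zone)}"


def check_delegation(url_host, zone, registered_spns):
    """Report whether the SPN the client will request is actually registered.

    A False 'registered' value is the configuration that produces the
    S_PRINCIPAL_UNKNOWN failure described in the post.
    """
    spn = requested_spn(url_host, zone)
    return {
        "url_host": url_host,
        "requested_spn": spn,
        "registered": spn in registered_spns,
    }


if __name__ == "__main__":
    for label, zone in (("CNAME alias", DNS_BEFORE), ("A record alias", DNS_AFTER)):
        result = check_delegation("app.example.local", zone, REGISTERED_SPNS)
        status = "OK" if result["registered"] else "S_PRINCIPAL_UNKNOWN expected"
        print(f"{label:15} -> requests {result['requested_spn']:28} {status}")
```

With the CNAME zone the client requests HTTP/web01.example.local, which is not on the service account, so the check fails exactly as the post describes; with the alias as an A record the requested SPN is HTTP/app.example.local and the registered list matches. Microsoft Support's alternative (an A record for the alias on the same IP as the machine name) yields the same canonical name and therefore the same successful match in this model.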