Hello,
Could somebody please help me? I have two IIS servers, and each has only Windows authentication enabled. The first one re-routes some requests to the second one using ARR + a reverse proxy rule using URL Rewrite. I want:
1) to be able to use Kerberos to seamlessly authenticate to both of the servers,
2) the servers to be running under different identities.
Is that possible? I know there's Kerberos (un)constrained delegation, but I couldn't get it to work no matter how hard I tried. The ARR server just passes the ticket it receives from the client to the "backend" server, which I assume cannot decrypt it. It is my understanding that the ARR server must first request another ticket prior to actually redirecting the client request.
I was able to set things up (using Kerberos unconstrained delegation) when both servers were using the same identity, which is not possible, I'm afraid.
So, am I using the right tool for the job? Is that even possible?
Thank you.