Solved - Another Double-Hop problem...but its setup right.

Hey everyone!

So I've got double-hop issue that I can't seem to shake loose. I've ran web farms before using double-hop kerberos authentication and always was able to deploy them without issue. It's pretty straight forward for me but this time, I can't seem to get it. No matter what I do. At this point, I'm throwing stuff at the wall hoping it works but I'm reaching a point of diminishing returns.

Here's the config... rather straightforward:

Web Server

• Host Name: mywebserver.contoso.local
• AppPool Username: contoso.local\myapppooluser
• Basic Settings
  • Physical Path: \\myfileserver.contoso.local\WebSite
  • Connect as...: Application user (pass-through authentication)
• Authentication
  • ASP.Net Impersonation: Enabled
  • Windows Authentication: Enabled
    • Advanced Settings
      • Extended Protection: Off
      • Enable Kernel-mode authentication: True
    • Providers
      • Negotiate
  • system.webServer/security/authentication/windowsAuthentication
    • useKernelMode: True
    • useAppPoolCredentials: True

AppPool User

• Username: contoso.local\myapppooluser
• SPNs
  • HTTP/mywebsite.contoso.com
  • HTTP/mywebserver.contoso.local
  • HTTP/mywebserver
• Delegation
  • Trust this user for delegation to the specified services only
    • Use Kerberos only
      • CIFS/myfileserver.contoso.local
      • HOST/myfileserver.contoso.local (added during troubleshooting)

File Server

• Host Name: myfileserver.contoso.local
• Share Permissions
  • Everyone : Full Control
• NTFS Permissions
  • Everyone : Full Control (this is just for testing. This will change to the appropriate permissions in production)
• SPNs
  • CIFS/myfileserver.contoso.local
  • CIFS/myfileserver
  • HOST/myfileserver.contoso.local
  • HOST/myfileserver
  • (other default SPNs [TERMSRV, WSMAN, etc])

I've gone over this a hundred times a hundred different ways. I've tried with and without Kernel Mode. I've tried "Use Kerberos Only" and "Use any authentication protocol". 

Double-hops are pretty straightforward I thought.

• Use service account for AppPool.
• Assign SPN's to service account.
• Tell IIS to use App Pool service account.
• Delegate authentication to next hop SPNs to service account.
• Done.

Does anyone have any thoughts? I've got NetMon installed on everything, Fiddler installed on the client, and Kerberos Logging enabled on all machines so I can provide info rapidly.