I have a pretty standard iis (v8.5) site setup with windows authentication (negotiate) and delegation to another web-service on our network. At first everything works as expected and the users can perform the double hop to the web-service. However, after a few days – up to a week or two, the delegation stops working and users get a 401 from the web-service.
When looking at the kerberos and iis logs I see that the users tries the access the webservice anonymously, hence the 401 status. The kerberos logs at iis server is non-conclusive and sporadic, in fact it seems like don’t get a log entry at all for these requests.
It seems like the passing of credentials to the web-service just stops happening after some time. The first hop still works the users can still access the primary site.
What has me really baffled is that an iisreset resolves the problem and all works as expected for a week or two again.
I haven’t seen anyone with similar issues (but perhaps my google-fu is just not good enough) so any insight on this would be greatly appreciated.