I've just spent 2 days banging my head against the wall trying to get double-hop Kerberos authentication to work for an application I migrated from IIS 7 to IIS 8. Usually doing this only takes me 1 day of banging my head against the wall.
A long story short, no matter what I did, I could not get IIS to use kerberos until finally on a whim I decided to remove NTLM as an enabled provider for Windows Authentication. My application is now using Kerberos with just "Negotiate" in the list of enabled providers for Windows Authentication. Even changing the order with Negotiate first then NTLM second does not work.
Any ideas what might be going on here? I have my IIS7 server set up with NTLM first and Negotiate second in the providers list and it is working fine using Kerberos.
thanks,
Dan