Kerberos delegation issues

Hi all,

I'm doing some Kerberos delegation testing for an upcoming project. So far I have found:

1) If I use the default app pool, with a servername and delegation enabled on the source computer object, all is good

2) If I use the default app pool, with an internal DNS alias, add an SPN to the computer object and delegation enabled on the source computer object, all is good

3) If I use the default app pool, with a random non-internal DNS alias (and appropriate host entries), add an SPN to the computer object and delegation enabled on the source computer object, all is good

As soon as I try and use a domain account for the application pool, I:

1) Create the domain account and set it to allow delegation for any service

2) Create a new app pool and allocate the new account to this app pool

3) Remove the SPNs from the computer object and add them to the user account

4) Set "UseAppPoolCredentials" to true and "Use Kernel mode" to false

4a) I then get 500.24 Internal server error - An ASP.Net setting has been detected that does not apply in integrated managed pipeline mode.

5) If I set "UseAppPoolCredentials" to false, I can get to the first page, but delegation to the 2nd page does not work

If I change the app pool pipeline to use classic mode - I am prompted for authentication, but my credentials (any credentials) don't work.

If I set <validation validateIntegratedModeConfiguration="false"/> in the web.config, this also does not appear to help

I have read the following articles - along with many other forum posts which seem to revolve around the same thing - but none of these solutions have worked - as yet.

http://blogs.msdn.com/b/besidethepoint/archive/2010/05/09/double-hop-authentication-why-ntlm-fails-and-kerberos-works.aspx

http://blogs.technet.com/b/taraj/archive/2009/01/29/checklist-for-double-hop-issues-iis-and-sql-server.aspx

http://blogs.msdn.com/b/chiranth/archive/2014/04/17/setting-up-kerberos-authentication-for-a-website-in-iis.aspx

http://stackoverflow.com/questions/18025169/set-up-kerberos-authentication-with-delegation-on-iis-7-w-windows-server-2008

http://support.microsoft.com/kb/929650

So I'm a bit lost. The servers in the environment are all 2012 R2 and the forest and domain functional levels are 2012 R2.
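
A read-only check of the settings listed in the post above, as an added example that is not part of the original post. The site, app pool, account and host names are assumed placeholders, and it needs the WebAdministration and ActiveDirectory modules on the IIS server.

```powershell
# Added example: read-only checks, nothing is changed.
# All four values below are assumed placeholders, not taken from the post.
Import-Module WebAdministration, ActiveDirectory
$Site     = 'Default Web Site'
$Pool     = 'DelegationTestPool'
$Account  = 'svc-webapp'             # sAMAccountName of the app pool identity
$HostName = 'app.example.internal'   # name the browser requests

# App pool identity and pipeline mode (integrated vs. classic).
$p = Get-Item "IIS:\AppPools\$Pool"
'Pool {0}: identityType={1} user={2} pipeline={3}' -f $Pool,
    $p.processModel.identityType, $p.processModel.userName, $p.managedPipelineMode

# Windows authentication switches from step 4 of the post.
$auth = 'system.webServer/security/authentication/windowsAuthentication'
foreach ($name in 'enabled', 'useAppPoolCredentials', 'useKernelMode') {
    $v = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site -Filter $auth -Name $name
    '{0} = {1}' -f $name, $v.Value
}

# ASP.NET impersonation: impersonate=true under the integrated pipeline
# is one documented trigger for HTTP 500.24.
$imp = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$Site" -Filter 'system.web/identity' -Name 'impersonate'
'system.web/identity impersonate = {0}' -f $imp.Value

# Each HTTP SPN should be registered on exactly one object: the pool account.
foreach ($spn in "HTTP/$HostName", "HTTP/$($HostName.Split('.')[0])") {
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" -Properties sAMAccountName)
    $names  = $owners.sAMAccountName -join ', '
    if ($owners.Count -eq 1 -and $names -eq $Account) { $state = 'OK' }
    elseif ($owners.Count -eq 0)                     { $state = 'MISSING' }
    else                                             { $state = 'WRONG OWNER OR DUPLICATE' }
    '{0,-26} {1}: {2}' -f $state, $spn, $names
}

# Delegation settings on the pool account ("any service" shows as TrustedForDelegation).
Get-ADUser $Account -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
    Format-List SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
```

An SPN that is still present on the computer object as well as on the user account shows up as WRONG OWNER OR DUPLICATE.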

