Kerberos double hop issue with ASP.NET web application to sharepoint

Question

I need your help with a Kerberos double hop issue I have... After reading many posts online on the topic, I still cannot understand what is wrong is my setup. Here is the setup I use:

• Client PC
• Web server hosting a simple ASMX web service
• Web server hosting SharePoint 2013

see diagram

All servers are trusted for delegation, everyone is on the same domain (no forest) and no load-balancing is used. Each web server uses IIS 7.5 and each app pool is setup with a domain service account.Each service account is trusted for delegation. Important note: both web services are accessed via a DNS entry (HOST records):

• http://mywebservice/ for the middle server
• http://sharepoint/ for the Sharepoint server

I also setup IIS on the web server (Server 1) to use the app pool credentials "useAppPoolCredentials=True" and left the kernel on.

So far, I have the following SPNs setup:

• Server 1: HOST/Server1; HOST/Server1.domain.com; HTTP/mywebserice; HTTP/mywebservice.domain.com
• Server 2: HOST/Server2; HOST/Server2.domain.com
• Service1:
• Service2:

I have tried many permutations betweens the various SPNs with no luck so far :(

At the moment, I can connect to the web service (Server1) using Kerberos, but then "NT AUTHORITY\ANONYMOUS LOGON" is passed to Sharepoint server.

Can anyone help me figure out what is the correct setup?

Thanks for your help.

Answer 1

I finally managed to get it working. To do so, I used DelegConfig web app (by brian-murphy-booth) available here. It confirmed that my setup was initially incorrect and helped me identify what needed changing.

Here is my final setup - see diagram:

• Web service server: Only SPN for HOTS/Server1 + Trusted for Kerberos delegation
• Sharepoint server: Only SPN for HOST/Server2 + Trusted for Kerberos delegation
• Service account 1 (for web service app pool): Added SPN for HTTP/mywebservice
• Service account 2 (for sharepoint app pool): Added SPN for HTTP/sharepoint

Few things you have to be careful with here:

1. If you are using DNS entries, register the SPNs against the DNS name, not the IP
2. Make sure your DNS entries are records of type "HOST (A)" and not "CNAME"
3. Always register SPNs against the simple name (i.e. HTTP/sharepoint) and the FQDN (i.e. HTTP/sharepoint.domain.com)
4. Leave some time for the AD changes to be replicated to all Domain controllers (if applicable) - That was my downfall!! I was too quick to test after an change and it never worked... Waiting 15-20 minutes after a change helped me fine tune my setup and understand exactly what was wrong
5. Make sure you have no SPNs in duplicate! To check, open an command prompt and run the command "setspn -x". It will list all duplicate SPNs in your AD.

I know there are many posts out there about this topic, but none of them actually describe in one diagram the ideal setup for a given configuration. So I thought I would post this answer to my own question; hoping it will help somebody with this nightmare of Kerberos double hop issue.

Thanks a lot to brian-murphy-booth for his wonderful tool! If you read this, you are my saviour mate!