Kerberos Double hop like issue - even when not using Windows Authentication

Question

I have a Web application running under an app pool with Domain account Identity. The Web application is configured for "Anonymous Authentication". The web app connects using integrated security to a SQL server database (running on a different server in the same domain) to which Domain account has proper permissions.

When the users access the web application (ASP.Net Web-Forms app) (through Chrome/ IE) they get the following error Login failed for user NT AUTHORITY\ANONYMOUS LOGON. When the database connection is switched from integrated security to using sql account, the app works.

We also have a angular 4 application that uses a Web API on the same web server running under the same app pool as the ASP.net web forms app. Web Api has no issues connecting to SQL Server using integrated security, and angular app works fine.

A quick google search on the issue brings back a lot of hits that talk about the "Kerberos double-hop" problem, but my first hop (between browser and IIS) does not use windows authentication. How do I go about solving this issue? Any help is sincerely appreciated.

Answer 1

Look at ASP.NET impersonation settings, you likely have to turn this off for this web application. If the web app is using its process account to access the resource, it is not a double-hop, however if it is using the Windows credential from the thread, it is double-hop scenario. There are delegation settings in Active Directory, however if you are not intending to delegate by using the connecting user's credential, you shouldn't need delegation. You want to use the process account.