reporting-services ssrs-2008 iis-8

Double hop issue with IIS and SSRS


I'm running into the classic double hop problem with my intranet site that references the SSRS web service. Here is the topology:

Client -> Web Server -> SQL Server (DB and SSRS)

Here is what I have done so far:

  • SPNs created for HTTP/webserver - NetBIOS and FQDN (domain user for the AppPool)
  • SPNs for HTTP/sqlserver (domain user running SQL and SSRS)
  • SPN for MSSQLSvc/sqlserver (domain user running SSRS)
  • Web server and app pool's identity are allowed to delegate in AD
  • Client account is allowed to be delegated
  • Web server's web app is impersonating the client user and calling the SSRS web service, passing the DefaultNetworkCredentials and setting the ImpersonationLevel to Delegation

I get 401'ed at the SSRS service. If I pass my personal credentials explicitly, then everything works, so I'm confident that my issue is just with delegating client credentials.

I feel like I've read 20 articles about this and have tried everything with the same results.


Solution

  • I finally fixed it. I was setting the only Windows Authentication provider to Negotiate:Kerberos, but if I did that before unchecking kernel mode, IIS Manager would helpfully remove Negotiate:Kerberos from the providers because it was invalid. That left me with no providers and a guaranteed 401 at the middle website.

    Once I got Kerberos forced, my delegation started working and the SSRS web service worked as well.
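
The failure state described in the answer can be caught by reading the site's `windowsAuthentication` section instead of trusting what IIS Manager appears to have saved. The following is an added example, not code from the original post: the site names, the function names and the inherited default list (`Negotiate`, `NTLM`) are assumptions, and the config fragment is constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: provider list a site inherits when it has no <clear/> of its own.
INHERITED = ["Negotiate", "NTLM"]
# Constructed applicationHost.config fragment; the site names are made up.
SAMPLE = """<configuration>
 <location path="broken"><system.webServer><security><authentication>
  <windowsAuthentication enabled="true" useKernelMode="true">
   <providers><clear/></providers></windowsAuthentication>
 </authentication></security></system.webServer></location>
 <location path="fixed"><system.webServer><security><authentication>
  <windowsAuthentication enabled="true" useKernelMode="false">
   <providers><clear/><add value="Negotiate:Kerberos"/></providers></windowsAuthentication>
 </authentication></security></system.webServer></location>
</configuration>"""

def effective_providers(win_auth):
    """Apply <clear/>, <remove> and <add> in document order."""
    providers = list(INHERITED)
    node = win_auth.find("providers")
    for child in (node if node is not None else []):
        value = child.get("value")
        if child.tag == "clear":
            providers = []
        elif child.tag == "remove" and value in providers:
            providers.remove(value)
        elif child.tag == "add" and value not in providers:
            providers.append(value)
    return providers

def audit(config_xml):
    """Map each site with Windows auth enabled to a list of problems."""
    findings = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        win_auth = loc.find(".//windowsAuthentication")
        if win_auth is None or win_auth.get("enabled", "false").lower() != "true":
            continue
        providers = effective_providers(win_auth)
        kernel = win_auth.get("useKernelMode", "true").lower() == "true"
        issues = []
        if not providers:  # the state the answer ended up in
            issues.append("no providers left: 401 on every request")
        if kernel and "Negotiate:Kerberos" in providers:
            issues.append("Negotiate:Kerberos with kernel mode still on")
        findings[loc.get("path")] = issues
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Running this against the real file after each change in IIS Manager shows whether the provider entry survived the save.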