We have developed a WebAPI application that runs on IIS 6.2. That API uses Integrated authentication. So, the operations will be executed in the user context of the user that is calling the API.
Apart from that, because some of that operations execute remote actions to another server in the platform. We used constrained delegation (kerberos) to manage the Kerberos double hop and be validated in the remote server as the user calling the API.
We made the configuration changes in the IIS (regarding enabling Windows authentication) and we enabled "Trust this computer for delegation to any service (Kerberos only)" in the AD for the server running the IIS.
The current status is, if we access the API using localhost, everything is working as expected. However, if we access using the FQDN or even 127.0.0.1, it fails with unauthorized when the API call executing the remote operation behind the scenes returns.
Does anyone know what we can fix such configuration issue?
Thanks
Sounds like you did everything right...except didn't or haven't set the SPN properly in AD for the principal (computer/server object) referring to the web service running on the target server. For example, the server name is server1, and the AD and DNS domain name is acme.com. Then the SPN for the server in AD would need to be HTTP/server1.acme.com. Ref: Setting up Kerberos Authentication for a Website in IIS