Impersonation not working when using Kerberos

From: John (john_smith_677_at_hotmail.com)
Date: 10/24/05 

Date: 23 Oct 2005 23:21:17 -0700

Hi,

I'm playing with the remoting security sample provided by Microsoft.
It is basically a .NET wrapper around the SSPI functionality in windows
and an extension to the remoting mechanism to take advantage of that
wrapper. It supports the NTLM, Negotiate, and Kerberos packages.

I have a client that makes a call to a server that impersonates the
caller and tries to open a connection to an analysis server. The
client, server, and analysis server are all on the same machine, that
machine is on a domain, and I'm using the Kerberos security package.
The impersonation works but when I try to open the analysis services
connection, I get an authentication error. The analysis server audit
log reveals a connection from a blank username. If I try to open a
connection to a sql server on another machine, I get the anonymous user
can't login error. It seems the credentials aren't getting to the
servers. This is common when you have two hops but in this case there
are only 0 or 1 hops in total. If I switch to the NTLM package, then
everything works.

>>From reading up on Kerberos and using the KerbTray utility, I'm
thinking that the even though the impersonation succeeds, the newly
impersonated identity doesn't have a ticket to the analysis or sql
servers and is unable to get one.

Any suggestions as to what else I can try?

Thanks.

Relevant Pages