We've been having some odd issues trying to get delegation working in a particular scenario. I was just wondering if anyone else has a similar situation - and if so, were you able to get delegation working? And how?
We have three computers: A, the one running IE; B, the IIS server; and C, a second web server. All three are running Win2k, so at least in theory we should be able to use Kerberos.
Computer A, from IE, issues an XMLHTTP call to an ASP page on Computer B. Computer B then instantiates a COM+ component, which issues a ServerXMLHTTP call to Computer C.
I've set up the example ASP pages that Microsoft uses in KB 314404 about ServerXMLHTTP and delegation. It seems to acquire a Kerberos ticket for that service - something I can verify using KerbTray.exe - but the connection to Computer C uses NTLM authentication, using the account that the COM+ package runs under. To use Keith Brown's ticket analogy, it gets the ticket for the ride but sneaks on anyways!
When I execute the same code directly from the ASP page instead of from the COM+ component, the credentials are delegated properly. This leads me to believe, obviously, that there's a problem with either the COM+ component itself or its configuration.
The package is running as a Server application under an account that is trusted for delegation. The impersonation level is set to "delegate", and we've tried all authentication levels. We've also tried calling CoImpersonateClient / CoRevertToSelf within the component, to no avail.
I'm stumped - anyone have any insight they can share?
