Delegation, Delegation, Delegation, Delegation

If I had a buck for every time someone came to me with a problem accessing their SQL Server from a website (in Windows authentication mode, not SQL authentication, naturally), I'd have about four bucks. That's good, because I'm not meant to be the go-to guy for SQL Server access from IIS instances.

If I then had a buck for every time the answer was "Kerberos Delegation", I'd probably have about, oh, twelve bucks. I'm nosey and invade other people's conversations. At least eight of those should have paid up.

Darwin (who works in the sneaky Developer Tools Support section of the local GTSC (splitters!)) started (and stopped) blogging last month, but covered much about delegation in his brief time in this universe.

There's also a nice, concise MSDN Mag article on it by Keith Brown.

My $0.02: it's almost always a duplicate SPN (NB: the article covers computer accounts, but it applies just as well to user accounts), especially if you've done everything right, still can't get it working, and someone else was trying it before you showed up. SPNs have to be unique within the forest. And they need to be registered on the security principal that decrypts the Kerberos service ticket (e.g. the account the web application process runs as), not on some other account that happens to be associated with the server.
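A quick way to check for exactly that problem, as an added example that is not part of the original post: the script below queries a Global Catalog (so it sees the whole forest, which is the scope in which SPNs must be unique) and reports every SPN that is registered on more than one account. It assumes it runs on a domain-joined machine with read access to the servicePrincipalName attribute; the function name and the HTTP/* filter are my own choices.

```powershell
# Added example: report SPNs registered on more than one security principal
# forest-wide. Uses System.DirectoryServices directly, so the AD module is
# not required. Assumes a domain-joined host with rights to read SPNs.

function Find-DuplicateSpn {
    param(
        # Optional wildcard filter; 'HTTP/*' narrows the search to web SPNs.
        [string]$SpnPattern = '*'
    )

    # Bind to a Global Catalog: servicePrincipalName is part of the partial
    # attribute set, so a single GC search covers every domain in the forest.
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $searcher = $forest.FindGlobalCatalog().GetDirectorySearcher()
    $searcher.Filter   = "(servicePrincipalName=$SpnPattern)"
    $searcher.PageSize = 1000          # paged results, so large forests work
    [void]$searcher.PropertiesToLoad.AddRange(@('servicePrincipalName', 'distinguishedName'))

    # Map each SPN (case-insensitive, as the KDC treats them) to its owners.
    $owners = @{}
    foreach ($result in $searcher.FindAll()) {
        $dn = [string]$result.Properties['distinguishedname'][0]
        foreach ($spn in $result.Properties['serviceprincipalname']) {
            $key = ([string]$spn).ToLowerInvariant()
            if (-not $owners.ContainsKey($key)) {
                $owners[$key] = New-Object System.Collections.ArrayList
            }
            [void]$owners[$key].Add($dn)
        }
    }

    # Only SPNs with more than one owner are a problem; those are the ones
    # that make the KDC unable to pick a single key for the service ticket.
    $owners.GetEnumerator() |
        Where-Object { $_.Value.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SPN    = $_.Key
                Owners = ($_.Value -join '; ')
            }
        }
}

# Typical use when a website cannot reach SQL Server under delegation:
# check the web server's HTTP SPNs first, then everything else.
Find-DuplicateSpn -SpnPattern 'HTTP/*' | Format-Table -AutoSize
Find-DuplicateSpn | Format-Table -AutoSize
```

Any SPN listed with two or more owners has to be removed from all but the account that actually runs the service before delegation will work; on Windows Server 2008 and later, `setspn -X` performs the same forest-wide duplicate check.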