I want to show a list of files in the browser of the user. This list is generated by an IIS7 ASP.NET web application.
My scenario:
Client       =>  App Server               =>  File Server
Windows 7        Windows Server 2008 R2       Windows Server 2003
IE8              IIS7 (ASP.NET)               File Share
Impersonation is active on the web app on the app server.
The app pool of the web app is running under the identity "NetworkService".
The app server has the AD setting "Trust this computer for delegation to any service (Kerberos only)".
The following SPNs are defined on the app server:
HTTP/appserver01
HTTP/appserver01.customer01.net
WSMAN/appserver01
WSMAN/appserver01.customer01.net
TERMSRV/appserver01
TERMSRV/appserver01.customer01.net
RestrictedKrbHost/appserver01
RestrictedKrbHost/appserver01.customer01.net
HOST/appserver01
HOST/appserver01.customer01.net
If I open the web application in IE directly on the app server everything works.
But if a user browses the application, he gets the error "Access to the path '\\fileserver01\folder01$\subfolder\' is denied."
The same user has no problem accessing the folder in Windows Explorer and opening files in it.
That's why I think I have a double hop/delegation problem.
Because I have no domain admin rights (I am a developer), I used Active Directory Explorer to inspect the AD user's settings.
The userAccountControl shows the value 512, which means that the Windows user is only a "Normal Account" and does not have the default setting "Trusted for delegation".
Is this my problem?
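
Decoding userAccountControl values such as the 512 quoted above, as an added example that is not part of the original post: it splits the bitmask into named flags and reports the delegation-related bits on the impersonated user and on the account the front-end service runs as. The value 528384 and the account label appserver01$ are constructed for illustration; the function names are hypothetical.

```python
# Added example: decode Active Directory userAccountControl bitmasks and
# report the bits that matter for Kerberos delegation (double hop).
# The flag values are the documented userAccountControl constants.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}

def decode_uac(value):
    """Return (known flag names in bit order, leftover bits not in the table)."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # keys are distinct bits, so sum == OR
    return names, unknown

def delegation_findings(user_uac, service_uac):
    """Check both accounts in a double hop: the caller being impersonated
    and the account the front-end service uses on the network."""
    user, _ = decode_uac(user_uac)
    service, _ = decode_uac(service_uac)
    findings = []
    if "NOT_DELEGATED" in user:
        findings.append("user: marked sensitive, tickets cannot be delegated")
    if "ACCOUNTDISABLE" in user:
        findings.append("user: account is disabled")
    if "TRUSTED_FOR_DELEGATION" in service:
        findings.append("service: trusted for unconstrained delegation")
    elif "TRUSTED_TO_AUTH_FOR_DELEGATION" in service:
        findings.append("service: protocol transition (constrained) enabled")
    else:
        # Kerberos-only constrained delegation is stored in
        # msDS-AllowedToDelegateTo and sets no userAccountControl bit.
        findings.append("service: no delegation trust bit set")
    return findings

if __name__ == "__main__":
    # Constructed samples: 512 is the user value quoted in the post;
    # 528384 = 4096 + 524288, a computer account trusted for delegation.
    for label, value in (("user", 512), ("appserver01$", 528384)):
        print(label, value, decode_uac(value))
    print(delegation_findings(512, 528384))
```
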