Matt,

Try this:

scenario #4, with reference to #3)

3. A DNS FQDN is configured (not Netbios name of the server) , content web site uses a domain user account as the Application Pool's identity. The difference from #2 above is that instead of supplying NETBIOS_NAME_OF_IIS_SERVER at the end, we need to run:

Setspn -A HTTP/www.myIISPortal.com DOMAIN\USER

Next, you DO need to configure delegation for this domain account, as described in scenario #1.

Last, you DO need to configure constrained delegation from Access Connector machine to the content server. However, there is a difference from #1: you will be using the SPN created for this domain account instead of the machine account: Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in; On the left pane, click Computer Node, on the right pane, select the server that hosts the Access Connector and open up Properties window; On the Delegation tab. select Trust this computer for delegation to specified services only; Click the Add button. This displays the Add Services dialog box. Click the Users or computers button; In the Select Users or Computers dialog, type in your domain account DOMAIN\USER.You will see all the service principal names configured for the selected user or computer account. select http /www.myIISPortal.com, then click OK.

4. Load balanced environment, in which case there is a virtual host name and several physical host names. All the physical machines must use the same domain account for their application pool. The virtual host name should be used to create the SPN.

Setspn -A HTTP/www.myIISCluster.com domain\username

Then you have to perform the same configuration as described in scenario #3.

On 5/21/07, Matt <mbec...@gmail.com> wrote: