Hi all
I have a very simple scenario: a web server + a back-end server with a service.
The web server (Application Pool account) and the back-end service both run under AD accounts. Using standard delegation (SPN records + Delegation tab) everything works fine - I'm able to set this up in any environment.
Now I want to play with Resource-based delegation. From my understanding, I need to add the application pool account (DOMAIN\webaccount) to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the back-end service account (DOMAIN\backendaccount). This is done using PowerShell:
# Front-end (application pool) account and back-end (resource) account
$userWeb = Get-ADUser webaccount
$userService = Get-ADUser backendaccount
# Writes msDS-AllowedToActOnBehalfOfOtherIdentity on the back-end account
Set-ADUser $userService -PrincipalsAllowedToDelegateToAccount $userWeb
But this doesn't help. I'm able to log on on the web server itself, but from any other computer I still get the error "The caller was not authenticated by the service."
Any ideas why?
SCSMSolutions
email: freemanru (at) gmail (dot) com
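An added example (not part of the original post) that configures resource-based constrained delegation the same way and then reads back what was actually written, plus the SPN checks an administrator would run before troubleshooting further. Account names and the ActiveDirectory module are assumed; no SPN values are taken from the post.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory module
# and accounts named 'webaccount' (IIS app pool) and 'backendaccount' (service).
Import-Module ActiveDirectory

$webAccount     = 'webaccount'      # front end: IIS application pool identity
$backendAccount = 'backendaccount'  # resource: back-end service identity

$userWeb     = Get-ADUser $webAccount
$userService = Get-ADUser $backendAccount

# Write msDS-AllowedToActOnBehalfOfOtherIdentity on the resource account.
# The parameter replaces the whole list, so pass every principal that should remain.
Set-ADUser $userService -PrincipalsAllowedToDelegateToAccount $userWeb

# Read the attribute back. PrincipalsAllowedToDelegateToAccount is the friendly view;
# the raw attribute is a security descriptor whose ACEs name the allowed principals.
$svc = Get-ADUser $backendAccount -Properties PrincipalsAllowedToDelegateToAccount,
        'msDS-AllowedToActOnBehalfOfOtherIdentity', ServicePrincipalNames

"Principals allowed to delegate to ${backendAccount}:"
$svc.PrincipalsAllowedToDelegateToAccount

"ACEs in msDS-AllowedToActOnBehalfOfOtherIdentity:"
$svc.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# SPN check on both accounts. The KDC locates the back-end service by its SPN, and
# IIS only negotiates Kerberos with remote clients when an HTTP/<host> SPN is
# registered on the app pool account; otherwise those clients fall back to NTLM,
# which is a common reason a local logon works while remote callers fail.
$web = Get-ADUser $webAccount -Properties ServicePrincipalNames
"SPNs on ${backendAccount}: $($svc.ServicePrincipalNames -join ', ')"
"SPNs on ${webAccount}: $($web.ServicePrincipalNames -join ', ')"
if (-not $web.ServicePrincipalNames) {
    Write-Warning "No SPN registered on $webAccount; remote clients cannot obtain a Kerberos ticket for the web site."
}
```

Run it from a machine with RSAT as an account allowed to write the attribute; the ACE listing is what the KDC actually evaluates, so an empty or wrong IdentityReference there points at the configuration rather than at IIS.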