
11.01.2007 at 06:40AM PDT, ID: 22932212

MOSS + Sharepoint + Forms services + constrained delegation problem

Tags:

moss, infopath, sharepoint

Hi all,

I'm facing an authentication delegation issue in MOSS 2007. The setup and problem are described below. If you need any more details feel free to ask.

Basically the setup I'm looking at is the following:

MOSS2007 enterprise server = SRV4
Member server with IIS and ASP.NET = SRV3
Domain controller with SQL = SRV2
Client = CLIENT

All systems have been properly configured so that the required SPNs are there and Kerberos constrained delegation is enabled. Furthermore all IIS servers and SharePoint have been configured to support integrated authentication. I have verified that authentication is in fact taking place through Kerberos, just to make sure NTLM is not in the way.

I've installed a basic webservice on SRV3 which connects to a DB on SRV2 using integrated authentication. All it does is read 1 column from the DB. It is set up properly to impersonate the user who accesses the webservice. When testing the webservice directly from the client everything works fine and I get the results back.

So we move on and create a basic form in InfoPath which uses the webservice to fill entries in a drop-down box. When I test this form in InfoPath everything works fine, without asking for authentication, so integrated auth works. Next I convert the data connection to a udcx file which I put in a data connection library on SRV4. When testing the form again using InfoPath it works. So far so good. Now when I publish this form to a SharePoint library and try to open it from CLIENT it does not work and provides me with the well-known error "An error occurred accessing a data source".

When I check in the SharePoint logs I get the following:

System.Net.WebException: The remote server returned an error: (401) Unauthorized. ...

When I check the entries in the IIS log on SRV3 I can see the 401, and it does not provide any user authentication. Also when I use a network sniffer to check Kerberos traffic I can clearly see that SharePoint isn't even trying to get a Kerberos ticket for the user and the service HTTP/SRV3.

I've also checked out some other possibilities, such as MOSS SSO, but to no avail (if I'm not mistaken I wouldn't even need SSO in this scenario since everything is based on Kerberos and located inside one domain). At this point I can only come to the conclusion that SharePoint (or Forms Services) does not attempt to authenticate to the back-end webservice with the user's credentials (or any credentials for that matter).

So does anyone have a clue as to what the reason for this issue might be? Are there some settings you should change to make sure SP forms services passes the credentials of the user to the BE webservice...?

I can get everything to work just fine when I define a static user in the webservice to connect to the DB and allow anonymous access to the webservice. However this is not a good base to build an enterprise solution on. Auditing should be available at all levels of the information chain, certainly on the DB level.

Any help would be appreciated,

Regards
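
The symptom described in the post (a 401 in the IIS log on SRV3 with no user name) has to be told apart from the anonymous 401 that normally opens an integrated-authentication exchange, by checking whether the same caller ever follows up with an authenticated request. The following is an added example, not part of the original post; the log excerpt, IP addresses, user name and web service path are constructed.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt (not from the original post). 10.0.0.4 stands
# in for SRV4 (SharePoint), 10.0.0.50 for CLIENT; the URI is hypothetical.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status sc-substatus
2007-11-01 13:02:10 POST /Lookup/Service.asmx - 10.0.0.50 401 2
2007-11-01 13:02:10 POST /Lookup/Service.asmx DOM\\alice 10.0.0.50 200 0
2007-11-01 13:05:41 POST /Lookup/Service.asmx - 10.0.0.4 401 2
2007-11-01 13:05:58 POST /Lookup/Service.asmx - 10.0.0.4 401 2
"""


def parse_w3c(text):
    """Yield one dict per request, using the #Fields directive for column names."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def unauthenticated_callers(text):
    """Return {(c-ip, uri): number of 401s} for callers that never authenticated.

    A lone anonymous 401 is the normal first leg of Negotiate; it only becomes
    a finding when the same caller never follows up with a named request.
    """
    challenges = defaultdict(int)
    authenticated = set()
    for row in parse_w3c(text):
        key = (row["c-ip"], row["cs-uri-stem"])
        if row["cs-username"] != "-":
            authenticated.add(key)
        elif row["sc-status"] == "401":
            challenges[key] += 1
    return {k: n for k, n in challenges.items() if k not in authenticated}


if __name__ == "__main__":
    for (ip, uri), n in unauthenticated_callers(SAMPLE_LOG).items():
        print(f"{ip} -> {uri}: {n} anonymous 401(s), no authenticated follow-up")
```

In the constructed sample, the direct client call shows the challenge followed by an authenticated 200, while the calls from the SharePoint server only ever receive the anonymous 401.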

Answered By: Robbie_Leggett
1 expert collaborated on this answer, which was graded a "B" by the asker.