I have an issue with a webserver and kerberos delegation.
I have 2 websites that run in the same application pool. the application pool runs under the web_user (AD account). The websites both have its own header like web1 and web2 whilst the server has the dns name SERVER1. web1 and web2 are just aliases of SERVER1.
For kerberos to work I registered:
setspn -a http/SERVER1 domain\web_user
setspn -a http/server1.domain domain\web_user
For the webuser I said constraint delegation to an sql server and sharepoint portal server.
Now if I test website1 it works with kerberos. I start kerbtray and I get a ticket to http\server1.
I also check the event log of the server and in the security log I also see my kerberos authentication. on the sql server it's also working.
Website2 also works with kerberos. but at some point website2 has to get data from website1 using a webservice. but then we get an error "The request failed with HTTP status 401: Unauthorized". So i have a kerberos ticket for the application pool and if it has to pass credentials between web1 and web2 is doesnt work.
I have an other setup in our test environment and their the above works but not in production.
any advice ?
please note that I'm a server administrator and not a programmer.