How to access network shared folders from IIS, windows authenticated

There is an intranet site under IIS which has to use the Windows authentication as required by the corporate policy. The web application is an ISAPI extension and it must be able to access files located on shared folders of domain servers as the currently logged in user. That works fine if the site uses Basic authentication, but neither Windows or Digest authenticated users are able to access the network shared folders.
I used the Sysinternals' ProcMon utility and I can see the the w3wp process tryes to access the files being impersonated to the logged in user account.
It fail with the Windows authentication enabled:
Date & Time:	3/16/2018 5:03:22 PM
Event Class:	File System
Operation:	CreateFile
Result:	ACCESS DENIED
Path:	\\Server\Share\Folder\
TID:	9888
Duration:	0.1380666
Desired Access:	Read Data/List Directory, Synchronize
Disposition:	Open
Options:	Directory, Synchronous IO Non-Alert
Attributes:	n/a
ShareMode:	Read, Write, Delete
AllocationSize:	n/a
Impersonating:	DOMAIN\User

Open in new window

But works fine with the Basic authentication:
Date & Time:	3/16/2018 5:05:24 PM
Event Class:	File System
Operation:	CreateFile
Result:	SUCCESS
Path:	\\Server\Share\Folder\
TID:	9888
Duration:	0.0014367
Desired Access:	Read Data/List Directory, Synchronize
Disposition:	Open
Options:	Directory, Synchronous IO Non-Alert, Open For Backup
Attributes:	n/a
ShareMode:	Read, Write, Delete
AllocationSize:	n/a
Impersonating:	DOMAIN\User
OpenResult:	Opened

Open in new window


I saw on an internet forum the following explanation:
When using Windows Auth only an authentication token is passed to the web app. This token will not pass to another machine (double hop) unless there is a trust relationship, which usually involves a Kerberos implementation.
But I don't understand how can the trust relationship could be established and what is a Kerberos implementation.

Please advise.
LVL 19
zc2Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

zc2Author Commented:
This article describes authentication types and their abilities to access network resources.
For Windows authentication, the provider has to be "Negotiate:Kerberos".
The Kerberos based trusted relationship has to be properly configured in the active directory.
Here is some additional information.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Web Development

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.