Double Hop Delegation: Error retrieving for user IIS APPPOOL. The underlying provider failed on Open. Login failed for user 'Domain\WebVM$'. RRS feed

  • Question

  • User-1882553206 posted

    I'm setting up a IIS VM server to access a separate SQL Server VM, both machines running Windows Server 2016 and running on intranet. We're using windows authentication, and attemping to impersonate users through the machine account on IIS VM server machine. We are building / deploying MVC IIS bits using ASP.NET Core.

    I'm hitting the above (machine account login) error after having configured everything I can think of and referred to several postings. I've configured the following main items:

    • Web Site setup with Windows Authentication, and ASP.NET Impersonation enabled, all other auth types disabled.
    • Web Site Config Editor set "system.webServer/security/authentication/windowsAuthentication" : useKernelMode to True
    • App Pool running .NET CLR Version "No Managed Code"
    • App Pool using Classic Managed Pipeline Mode
    • App Pool running as ApplicationPoolIdentity
    • Confirmed HOST SPN registered for IIS VM machine account in AD (with setspn -L IISVMServer)
    • Confirmed HOST SPN registered for SQL Server VM machine account in AD
    • Confirmed ServiceClass/Host:Port registered for SQL Server VM in AD
    • Registered SPN for IIS server machine account "Trust this computer for delegation to any service (Kerberos only)
      • Plan to lock down to constrained delegation after getting unconstrained delegation working
    • Tried running with / without web.config : "system.web identity impersonate="true" /system.web"

    I previously posted http://forums.asp.net/p/2097886/6061062.aspx?Re+Kerberos+Double+Hop+Delegation+with+ASP+NET+Core+4+5+2+ which is indirectly related to this posting.

    thanks, dave

    Thursday, July 7, 2016 1:08 AM

All replies

  • User-693045842 posted

    Perhaps post to IIS Forum may be better :


    Thursday, July 7, 2016 7:45 AM
  • User-2057865890 posted

    Hi Dave,

    Error retrieving for user IIS APPPOOL.

    To fix this issue, try changing the (Process Model) Identity of your website's Application Pool to use the NetworkService account (or the less secure LocalSystem account).

    Best Regards,


    Saturday, July 16, 2016 9:25 AM