kerberos-delegation

We have the infamous Kerberos double hop issue. This is a brand new domain, being migrated from another provider where impersonation and delegation was previously working. We have upgraded OS's and to the latest SQL server (2017). WPF app (using domain creds) -> Web Service (WCF app on IIS 10) -> SQL 2017 (named instance) The web service is running under a domain account. The web service has an spn registered, Anonymous Auth is disabled as is forms auth, ASP.NET Impersonation and Windows Auth is enabled. Providers are "Negotiate and NTLM," "Kernal Mode" is disabled, "Use App Pool credentials"

I am having a hard time to get Runtime Impersonation to work. Scenario: Anonymous access is disabled in all servers, and windows auth is enabled Client calls Web Api 1 Web Api 1 may call Web Api 2, or the oData Service Call from Web Api 1 to Web Api 2 needs to be impersonated with the Client Credentials Calls from Web Api 1 to oData Service must not be impersonated Web Api 1 calls both the service using Web Request We have Kerberos delegation configured properly What Works (Kinda): If I turn on impersonation in Web Api 1 using the Web.config <authentication mode="Windows"/> <identity

I'm using YarnClient to programmatically start a job. The cluster i'm running on has been kerberos-ized. Normal map reduce jobs submitted via "yarn jar examples.jar wordcount..." work. The job i'm trying to submit programmatically, does not. I get this error: 14/09/04 21:14:29 ERROR client.ClientService: Error happened during application submit: Application application_1409863263326_0002 failed 2 times due to AM Container for appattempt_1409863263326_0002_000002 exited with exitCode: -1000 due to: Failed on local exception: java.io.IOException: org.apache.hadoop.security.AccessControlException

The picture bellow shows the architecture that I need to deploy, and it explains my problem. I already designed a sub system that contains a set of applications (web services, web applications) deployed in apache tomcat. To provide the SSO functionality to my sub-system I used the WSO2 Identity Server with SAML2.0 to authenticate users and get access to all sub-system applications. This sub system is destined to be integrated into enterprises environment and work together with enterprise components. Now I need that enterprise users get access to my applications (of sub-system) there is two

I need to support Kerberos constrained delegation for our C++ HTTP server product on Windows using SSPI. For a single process server, the follow workflow can be used and I have a working prototype. 1) Call AcquireCredentialsHandle 2) Call AcceptSecurityContext 3) Call ImpersonateSecurityContext 4) Do delegation 5) Call RevertSecurityContext However, the C++ HTTP server has a master process and a worker process. Both processes run on the same machine and use the same service account, and each client request can come from a different user. The master process can handle SPNEGO and Kerberos