I'm setting up an website which uses Windows Integrated Authentication. For the website we registered an DNS name with an A-record in the DNS.
We want to use HTTPS and not HTTP.
We have added the URL to the local intranet zone in the domain via a group policy.
For the webserver we created an service account (domain user) and configured:
"Trust for delegation to any services (Kerberos only)"
and we registered an SPN record. For example: HTTP/mywebite.test..company.nl
The SQL Server is runing with an service account and we registered also the appropriate SPN's for this server.
We checked the SPN records via the Microsoft Kerberos Validation Tool and it shows that everything is right configured.
Because the application pool is running under the service account that we created, we enabled via the configuration the option UseAppPoolCredentials.
When we browse to the website on the server then we can see that everything is normal and the website is working correctly.
But when we launch the website from on Windows 10 client via Internet Explorer we can logon to the website but when the website contacts SQL server we still get an error "Login failed for: 'NT AUTHORITY\ANONYMOUS LOGON'".
So it seems that the double hop isn't still working.
1) Is it necessary to register an SPN for the HTTPS connection like: HTTPS/mywebsite.test.company.nl?
2) Is it necessary to include the https default portnumber in the SPN record?
This is not the first time that I configured an website that uses Windows Integrated Authentication and also in a situation where a loadbalaner is involded. But now we can't find the issue. We checked everything that we normally also check and we can't find the root cause of this problem.
Anybody an idea where to search?