WCF Web Services, IIS, Kerberos, and Delegation problems are maddening!

Sometimes you implement something exactly as you have in the past, but due to some unforeseen circumstance it doesn't work as you expect. We've seen issues like this when implementing WCF web services on IIS 6.

Some things you can check are:

- Have you setup the proper service principal names for the service account running the application pool?
- Is the service account setup to run the application pool that is running the web service trusted for delegation?
- Is the computer account in the Active Directory domain trusted for delegation?

There are many articles floating around the net that give explicit instructions on how to set these items up properly so I'm not going to repeat them here. I'll drop some links after I do some more research.

Our problem was that the user didn't have permissions to the Windows Temp directory - usually on the C drive in the Windows directory. Obviously making the user a member of the Local Administrators group will usually solve most problems, however that solution is not always the most secure.

If you have setup your WCF web service as described by Microsoft documentation and do not want to make the service account a local administrator, make sure to verify the permissions on Windows Temp directory. Some patch or service pack seems to have changed the default permissions on this directory and it can cause headaches.

More links will come later.

Thanks for stopping by.

Flux.