Double-hop: ASP.Net developers beware
The following is a repost from my old SharePoint blog: http://vspug.com/kwanl/2007/01/23/double-hop-asp-net-developers-beware/
I’ve been doing web development on ASP.Net for some time now (3 years) and have only really recently run into this issue of a “double-hop”. A double-hop occurs when you are using Windows Integrated Authentication and make a call that needs credentials on another server.
The first hop is between the client and the first server which is most likely IIS. If you have a web application (or web part) on that first IIS server that needs to call web service on another server that needs credentials, unless you configure kerberos for constrained delegation, it will fail.
The problem is that your credentials can’t be passed on the the second server because with Windows Authentication your password is never sent to the first server (only a hash of it is).
I ran into this problem while working on a Reporting Services 2005 (SSRS) web part which calls the SSRS web services. There are several solutions I’ve read about:
1. Use basic authentication (with SSL of course)
2. Use kerberos with constrained configuration (haven’t had success with this)