Hi,
Has anyone tried to set up Kerberos delegation to access shared folders in a 3-tier environment? When I try to access a shared folder on a server other than the service tier, only the ANONYMOUS account is contacting the service "lanmanserver". I tried to change the service account of the system service "Server" (lanmanserver), but it doesn't start after the change. This service seems to run under the local system account only.
Comments
When the service tier performs file operations it impersonates the user logged into the Role Tailored Client. As soon as the service tier performs a file system operation on another machine (even if it is the client machine which originated the action), a second impersonation of the client is required (this is commonly known as a double hop).
So, even if you only have a two-tier installation (SQL & NAV service on one machine, client on another), delegation is required for "off box" file system operations.
Alex
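
A check of the delegation settings the reply above depends on, as an added example that is not part of the original thread. It assumes the service tier runs as a domain user account and that the ActiveDirectory PowerShell module (RSAT) is installed; `Test-CifsDelegation` and the names `svc-nav`, `FILESRV01` and `jdoe` are hypothetical placeholders.

```powershell
# Added example. Test-CifsDelegation and the names in the sample call are hypothetical.
# Assumes the service tier runs as a domain user account and RSAT is installed.
Import-Module ActiveDirectory

function Test-CifsDelegation {
    param(
        [Parameter(Mandatory)] [string] $ServiceAccount,  # account the service tier runs as
        [Parameter(Mandatory)] [string] $FileServer,      # server hosting the shared folder
        [string] $EndUser                                 # optional: user logged into the client
    )

    $svc = Get-ADUser -Identity $ServiceAccount -Properties TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo', ServicePrincipalNames

    # Constrained delegation stores the allowed target SPNs on the account;
    # SMB file shares are reached through the "cifs" service class.
    $short = [regex]::Escape($FileServer.Split('.')[0])
    $cifsTargets = @($svc.'msDS-AllowedToDelegateTo' |
        Where-Object { $_ -match "^cifs/$short(\.|$)" })

    # "Account is sensitive and cannot be delegated" on the end user blocks the second hop.
    $userBlocked = $null
    if ($EndUser) {
        $userBlocked = (Get-ADUser -Identity $EndUser -Properties AccountNotDelegated).AccountNotDelegated
    }

    [pscustomobject]@{
        ServiceAccount        = $svc.SamAccountName
        HasSpn                = $svc.ServicePrincipalNames.Count -gt 0
        Unconstrained         = [bool]$svc.TrustedForDelegation   # broader than a file share needs
        ProtocolTransition    = [bool]$svc.TrustedToAuthForDelegation
        CifsTargets           = $cifsTargets -join ', '
        DelegationCoversShare = [bool]$svc.TrustedForDelegation -or ($cifsTargets.Count -gt 0)
        EndUserBlocked        = $userBlocked
    }
}

Test-CifsDelegation -ServiceAccount 'svc-nav' -FileServer 'FILESRV01' -EndUser 'jdoe'
```

A result with `DelegationCoversShare` false, or `EndUserBlocked` true, means the second hop to the file server cannot carry the client's identity.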