Configuring constrained delegation for IIS 7

I am configuring Kerberos authentication for an IIS web site, that must use constrained delegation with option "Use Kerberos only" to access an external service. I am using the KerberosToken class from WSE 3.0 and instantiate it as

new KerberosToken(kerberosSpn,ImpersonationLevel.Impersonation);

Everything works fine if I select "Use any authentication protocol" on the delegation dialog for the machine account. However, if I select "Use Kerberos only", I get the following exception while instantiating the KerberosToken class:

WSE594: InitializeSecurityContext call failed with the following error message: A specified logon session does not exist. It may already have been terminated.

And the only solution I have found so far is to uncheck "Enable Kernel-mode authentication" on Windows Authentication's Advanced Settings dialog for the web site. If I uncheck it, instantiating KerberosToken works fine and both authentication and delegation work as expected.

However, I have not found any reasonable explanation why it happens. As far as I know, Kernel-mode authentication forces using machine account for encrypting and decrypting Kerberos messages. But my application pool is running under ApplicationPoolIdentity (or NetworkService, which effectively behaves the same), so same machine account will be used for that purpose. I am not sure whether disabling Kernel-mode authentication is the right way to solve my issue.
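Added diagnostic, not from the original post: a PowerShell snippet that reads the settings the question turns on for one site (the "Enable Kernel-mode authentication" flag, the application pool identity, and the machine account's delegation mode in AD) and reports which account is expected to decrypt the service tickets. The site name 'Default Web Site' is an assumption; the WebAdministration module is required and the ActiveDirectory module is optional.

```powershell
# Added diagnostic (not from the original post). Assumes the WebAdministration
# module (IIS management tools); the ActiveDirectory part is optional.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'   # assumption: replace with the site in question
$sitePath   = "IIS:\Sites\$SiteName"
$authFilter = 'system.webServer/security/authentication/windowsAuthentication'

# Windows Authentication settings of the site. useKernelMode is the
# "Enable Kernel-mode authentication" checkbox in the Advanced Settings dialog.
$winAuth               = Get-WebConfiguration -Filter $authFilter -PSPath $sitePath
$useKernelMode         = [bool]$winAuth.useKernelMode
$useAppPoolCredentials = [bool]$winAuth.useAppPoolCredentials

# Identity of the application pool serving the site.
$poolName = (Get-Item $sitePath).applicationPool
$pool     = Get-Item "IIS:\AppPools\$poolName"
$identity = [string]$pool.processModel.identityType
$builtIn  = $identity -in @('ApplicationPoolIdentity', 'NetworkService', 'LocalSystem')

# Account expected to decrypt tickets: the machine account when kernel-mode auth
# is on (unless useAppPoolCredentials is set) or the pool runs as a built-in
# identity; otherwise the custom pool identity.
$decryptsWith = if (($useKernelMode -and -not $useAppPoolCredentials) -or $builtIn) {
    "$env:COMPUTERNAME`$ (machine account)"
} else {
    "$($pool.processModel.userName) (app pool identity)"
}

# Delegation mode of the machine account, read from AD if the module is present.
# "Use Kerberos only": msDS-AllowedToDelegateTo set, TrustedToAuthForDelegation false.
# "Use any authentication protocol": TrustedToAuthForDelegation true.
$delegation = 'ActiveDirectory module not available'
try {
    Import-Module ActiveDirectory -ErrorAction Stop
    $c = Get-ADComputer $env:COMPUTERNAME -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
    $mode = if ($c.TrustedToAuthForDelegation) { 'Use any authentication protocol' }
            elseif ($c.'msDS-AllowedToDelegateTo') { 'Use Kerberos only' }
            else { 'no constrained delegation configured' }
    $delegation = "$mode; targets: $($c.'msDS-AllowedToDelegateTo' -join ', ')"
} catch { }

[pscustomobject]@{
    Site                     = $SiteName
    AppPool                  = $poolName
    AppPoolIdentity          = $identity
    UseKernelMode            = $useKernelMode
    UseAppPoolCredentials    = $useAppPoolCredentials
    TicketDecryptedBy        = $decryptsWith
    MachineAccountDelegation = $delegation
} | Format-List
```

Run it in an elevated PowerShell on the IIS host; the TicketDecryptedBy line shows which account must hold the HTTP SPN and be trusted for delegation for the two dialog settings in the question to line up.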
