WebSphere Kerberos multi-hop failing

Question

We have a new 3rd party app, IBM WebSphere on Linux with SPNEGO enabled for SSO to our Windows AD. This works as expected, except for one case.

WebSphere calls an existing Windows Web Service that uses pass-through authentication, so the end user credentials are presented to SQL Server. This Windows setup also works.

What doesn't work: WebSphere credentials do not multi-hop to SQL Server

Summary

• Windows Browser -> IIS Web Service -> SQL Server = OK
• Windows Browser -> IIS GUI -> IIS Web Service -> SQL Server = OK
• Windows Browser -> IBM Web Sphere -> IIS Web Service -> SQL Server = Fails at "IIS to SQL" hop

The failure:

• In IIS Web Service, it fails with "Cannot generate SSPI context", incorrect target principal name etc
  
• In the IIS server event log (Kerberos logging enabled)

Error Code: 0x24 KRB_AP_ERR_BADMATCH
Server Realm: XXX.CH.OURDOMAIN.COM
Server Name: MSSQLSvc/oursqlserver.xxx.ch.ourdomain.com:50025
Target Name: MSSQLSvc/oursqlserver.xxx.ch.ourdomain.com:[email protected]

Other info

• IIS Web Service is configured to delegate (unconstrained) and it works from Windows Clients
• IBM WebSphere service account is set for outbound constrained delegation
• End-user SSO works to IBM WebSphere (ergo the Kerberos mechanism etc is OK)
• IBM WebSphere authenticates OK to the IIS Web Service (ditto)
• The SPNs for SQL Server are correct (also validated with the SQL Server Kerberos tool, and sys.dm_exec_connections)
• All steps here done https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.nd.doc/ae/tsec_SPNEGO_config.html
• IIS GUI and Web service are on same machine
• All SPNs, keytabs, A2D2 settings etc are OK

What are we missing for that pass-through hop to SQL Server from IBM WebSphere?

Answer 1

It was a very long Kerberos caching. Rebooted the server, fixed it.

The Linux admins had said "No need to reboot: it isn't Windows"