Moving my website to a different server changes authentication from Kerberos to NTLM

What you have is a classic double hop situation. The graphic in the following post is pretty much your exact situation:

http://blogs.technet.com/b/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx

When both your 'client' and 'service' are on Server1, there is only a 'single hop' to authenticate the user. When you introduced Server2 into the mix, you now have the double hop where authentication is now delegated.

Since you are running your app pools as a domain account, you will need to set up service principal names (SPNs) in order to prevent the double hop. There are resources mentioned in the post above. There is mention of it in this article as well:

http://msdn.microsoft.com/en-us/library/ff649309.aspx

An SPN will need to be created for the specific user account, service, and host name. This needs to be done on the domain controller.
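
Example added here, not part of the original answer: a PowerShell sketch that registers the HTTP SPNs on the app pool's domain account and refuses to create a duplicate. The account name `svc-webapp` and the host names `web01` / `web01.corp.example.com` are hypothetical placeholders, and it assumes the ActiveDirectory module is installed and that you run it with rights to modify the account.

```powershell
# Added example: all names below are hypothetical placeholders; replace with your own.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-webapp'                       # app pool identity (sAMAccountName)
$HostNames      = 'web01', 'web01.corp.example.com'  # every name clients use to reach the site
$ServiceClass   = 'HTTP'                             # the HTTP class is used for http:// and https:// sites

function Get-SpnHolder {
    param([Parameter(Mandatory)][string]$Spn)
    # Every AD object (user or computer) that currently carries this SPN.
    Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" -Properties sAMAccountName
}

foreach ($name in $HostNames) {
    $spn     = "$ServiceClass/$name"
    $holders = @(Get-SpnHolder -Spn $spn)
    $others  = @($holders | Where-Object { $_.sAMAccountName -ne $ServiceAccount })

    if ($others.Count -gt 0) {
        # An SPN must map to exactly one account; with a duplicate, Kerberos
        # ticket requests for that SPN fail.
        Write-Warning "$spn is already registered on: $($others.sAMAccountName -join ', '). Resolve this before adding it."
        continue
    }
    if ($holders.Count -eq 1) {
        Write-Output "$spn is already registered on $ServiceAccount."
        continue
    }

    # Add the SPN to the service account without touching its other SPNs.
    Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{ Add = $spn }
    Write-Output "Registered $spn on $ServiceAccount."
}

# Show the final SPN list on the account for review.
(Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName).servicePrincipalName
```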