We are using LsaCallAuthenticationPackage with KERB_RETRIEVE_TKT_REQUEST of type KerbRetrieveEncodedTicketMessage.

We impersonate a Windows identity and then use LsaCallAuthenticationPackage to get the tickets.

We are able to retrieve tickets (TGT and service tickets) when using unconstrained delegation. When we try constrained delegation, the call to LsaCallAuthenticationPackage fails with: LsaStatus 2148074254: A specified logon session does not exist. It may already have been terminated.

Our service receives the initial Windows identity via Integrated Windows Authentication.

We have checked and rechecked the constrained delegation configuration and the SPNs ... all seem to be fine.

We have observed that with IWA, the WindowsIdentity's impersonation level changes from Delegation to Impersonation as soon as the service account is set to use constrained delegation (this may or may not be related to our problem). We are running a non-IIS hosted WCF web service which receives the identity.

We are wondering if there is some difference in the setup of the KERB_RETRIEVE_TKT_REQUEST that must be done in order to retrieve the tickets when using constrained delegation.

Alternatively, perhaps there is some WCF setup that needs to be done differently.

Thanks,

mlg

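The question above says the constrained-delegation configuration and the SPNs were checked by hand. The following PowerShell script is an added example (not code from the original post) that makes that check repeatable: it reads the delegation-related attributes of the service account with the ActiveDirectory module and then verifies that every back-end SPN listed in msDS-AllowedToDelegateTo is registered on exactly one account in the domain. The account name `svc-wcf` is a placeholder to be replaced with the real service account.

```powershell
# Added example, not part of the original post. Requires the RSAT
# ActiveDirectory module and read access to the service account's attributes.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-wcf'   # placeholder: sAMAccountName of the WCF service account

$acct = Get-ADUser -Identity $ServiceAccount -Properties `
    servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

$allowedTo = @($acct.'msDS-AllowedToDelegateTo')

# Summary of the delegation settings as AD actually stores them.
# Constrained delegation means: TrustedForDelegation = $false, and a non-empty
# msDS-AllowedToDelegateTo list. TrustedToAuthForDelegation = $true only when
# "use any authentication protocol" (protocol transition) was selected.
[PSCustomObject]@{
    Account               = $acct.SamAccountName
    SPNs                  = ($acct.servicePrincipalName -join '; ')
    AllowedToDelegateTo   = ($allowedTo -join '; ')
    UnconstrainedEnabled  = [bool]$acct.TrustedForDelegation
    ProtocolTransition    = [bool]$acct.TrustedToAuthForDelegation
} | Format-List

if ($acct.TrustedForDelegation -and $allowedTo.Count -gt 0) {
    Write-Warning 'Both unconstrained and constrained delegation are set; unconstrained wins.'
}
if (-not $acct.TrustedForDelegation -and $allowedTo.Count -eq 0) {
    Write-Warning 'No delegation is configured on this account at all.'
}

# Every target SPN in msDS-AllowedToDelegateTo must be registered on exactly one
# object; a missing or duplicated SPN breaks the S4U2proxy request silently.
foreach ($spn in $allowedTo) {
    $holders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
    switch ($holders.Count) {
        0       { Write-Warning "SPN '$spn' is not registered on any account." }
        1       { Write-Output  "OK  $spn -> $($holders[0].DistinguishedName)" }
        default { Write-Warning "SPN '$spn' is registered on $($holders.Count) objects (duplicate)." }
    }
}
```

Run it as a user who can read the service account and the target computer/service objects. The script only reads attributes; it does not change the delegation settings, so it is safe to run repeatedly while comparing the output against what the Delegation tab in Active Directory Users and Computers shows.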