Question: Does SSRS 2008 R2 support unconstrained delegation? I know ADFS 2.0 only supports constrained delegation therefore I'm not 100% clear if that is an indication that MS is moving to no longer support unconstrained delegation with their current gen products. Issue: I am having an issue getting unconstrained delegation working. We had it working with SSRS 2005 and now we're upgrading. I've setup successful delegation scenarios in the past with IIS->SQL, SQL->SQL, IIS->SHP, SHP->IIS, etc. I've just started to feel like i've got a grip on it considering I've been able to troubleshoot delegation issues quite quickly. Suddenly SSRS 2008 R2 comes along and it seems to be a game changer. In this case I'm doing SSRS -> SQL and SSRS -> IIS and both scenarios are failing. Configuration: Service Account: Network Service (We had a domain account but thought we'd simplify the configuration with Network Service for now) AD Machine Account: Trust this computer for delegation to any service Report Server SPNs: http/netbiosname, http/netbios.FQDN, http/alias, http/alias.FQDN ("setspn -x" shows me no duplicate SPNs) Report Server / Domain Controller / Backend Servers clocks all synced within a minute Report server in "Local Intranet" for client web browser Client web browser supports Integrated Windows Auth and delegation is working with other servers SSRS Web.Config: Auth mode = Windows & Identity Impersonate = True SSRS RSReportServer.Config: RSWindowsNegotiate & RSWindowsKerberos & RSWindowsNTLM (I have played with just about every combination I can here, knowing NTLM is not what I'm aiming for) - UrlRoot = http://alias/ReportServer Kerberos Logged Events: KDC_ERR_ETYPE_NOTSUPP & KDC_ERR_BADOPTION & KDC_ERR_PREAUTH_REQUIRED Domain Controller: We've upgraded to Windows Server 2008 R2 domain controllers in native mode recently. Resources: Delegation in SSRS 2008 (Quick Article - Focus on top section): http://www.k2underground.com/blogs/blackdoor/archive/2010/01/06/kerberos-delegation-and-windows-server-2008.aspx Delegation in SSRS 2008 (Slightly Deeper Article): http://sql-ution.com/kerberos-delegation-with-reporting-services/ Authentication in SSRS 2008 (MS Article) – Troubleshooting Kerberos : http://msdn.microsoft.com/en-us/library/cc281253.aspx Registering SPNs for SSRS: http://msdn.microsoft.com/en-us/library/cc281382.aspx Configuring an SSRS Service Account: http://msdn.microsoft.com/en-us/library/bb522727.aspx Enable/Disable Kerberos Event Logging: http://support.microsoft.com/kb/262177 Checking SSRS Trace Logs: http://msdn.microsoft.com/en-us/library/ms156500.aspx Matt Poland - Software Architect

I went back to check on the reports and they are working now. Right now we are suspecting that it might be one of those times where getting the SPNs setup correctly doesn't take effect immediately and we had to wait it out. Well...hopefully this post helps get someone else going in the right direction if they have a similar issue. To answer my question: Yes, it appears unconstrained delegation is supported. To pre-empt an anticipated feedback item: Yes, constrained delegation is more secure and ultimately preferred.Matt Poland - Manager of Application Development