IngoNaumann
Dec 31, 2020 (Copper Contributor)
Kerberos issue badoption on double hop
Hi all,
We have an issue with client authentication using Kerberos in a 3 tier environment against a MS-SQL cluster via a WebService server (no IIS or PHP).
I have looked at the behavior with netmon and fiddler. When calling the web application from the web service server, negotiation using Kerberos succeeds. If I try the same from a client, I see a valid ticket issued from KDC1 (Domain Controller 1) to the client. At the same time the WebService server gets a bad ticket with badoption 0xc from KDC2 (Domain Controller 2) in response.
Basically it looks like a missing SPN. However, I have already checked this with Microsoft's SQL Configuration Manager - no errors.
Does anyone have any idea?