Those of you who work with ASP.NET and IIS’s Integrated Authentication feature may also be familiar with impersonation. Impersonation allows the thread processing the ASP.NET request to operate on the local server as the user who has been authenticated. This sounds really great, and there are some nice advantages to this situation, but the problem is that this user impersonation does not continue if you connect to additional servers. So this means that you can’t give the end user’s account access to a separate SQL Server box, and expect that the impersonation will allow the ASP.NET code to access the database.
Those of you familiar with what’s happening with Kerberos under the hood will probably not need a lot of discussion on the topic, but for those where this is a new problem, here is a good MSDN blog post about the topic discussing the problem and implications.