How should IIS 7 with Kerberos for a connection to an Oracle database be configured?
We have a Web application which uses Oracle as the back end, and an ASP.NET MVC application running on IIS 7. When we run the application over NTLM with a user hard-coded for the connection, we are able to access our Oracle database without a problem. Our connection to Oracle uses the account of the Windows user accessing the Web site, so we are not using connection pooling, nor a specific Oracle user for our connections.
We have configured Kerberos on Oracle, and we have no problem connecting from the Web server to Oracle using SQL Plus with an authenticated user. So we are pretty sure our configuration of IIS is not correct.
I've never done this with Oracle, but I have done something similar with WCF services. So this may not be the problem, but it's worth checking into.
When you authenticate using Kerberos (or Windows authentication in IIS 7 terminology), you can't by default become that authenticated user and authenticate again against another server. The IIS server isn't registered as an Active Directory Kerberos delegate, so it can't do impersonation across multiple servers. In this case if you logged into the IIS server using remote desktop and tried to do it locally, it'd probably work (only one "hop" between servers in that case, so no impersonation required).
It's possible to change the Kerberos settings to allow this type of thing, but it requires your network admins to make changes that in my experience they don't like doing. Here's some information on it, though like I said I'm not sure it applies to Oracle as I've never tried it: http://technet.microsoft.com/en-us/library/72612d01-622c-46b7-ab4a-69955d0687c8
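The delegation settings the answer refers to can be inspected read-only from PowerShell before asking for any change. This is an added example, not part of the original posts; it assumes the RSAT ActiveDirectory module, and the account names and the Oracle SPN at the bottom are hypothetical placeholders.

```powershell
# Added example: read-only audit of the delegation settings behind the IIS -> Oracle hop.
# Requires the RSAT ActiveDirectory module. All names at the bottom are placeholders.
Import-Module ActiveDirectory

function Get-DelegationReport {
    param(
        [Parameter(Mandatory)][string]$Identity,    # sAMAccountName of the app pool identity
        [Parameter(Mandatory)][string]$BackendSpn,  # SPN the Oracle service is registered under
        [string]$EndUser                            # optional: a user who browses the site
    )
    # userAccountControl bits that govern delegation
    $TrustedForDelegation  = 0x80000     # unconstrained delegation
    $TrustedToAuthForDeleg = 0x1000000   # constrained delegation with protocol transition

    $props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'userAccountControl'
    $acct  = Get-ADObject -LDAPFilter "(sAMAccountName=$Identity)" -Properties $props
    if (-not $acct) { throw "Account '$Identity' not found in the directory." }

    $uac     = [int]$acct.userAccountControl
    $spns    = @($acct.servicePrincipalName       | Where-Object { $_ })
    $allowed = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

    $mode = if (($uac -band $TrustedForDelegation) -ne 0) { 'Unconstrained' }
            elseif ($allowed.Count -gt 0 -and ($uac -band $TrustedToAuthForDeleg) -ne 0) { 'Constrained (any protocol)' }
            elseif ($allowed.Count -gt 0) { 'Constrained (Kerberos only)' }
            else { 'None' }

    # A user flagged "sensitive and cannot be delegated" never gets a forwardable ticket.
    $userBlocked = $null
    if ($EndUser) {
        $userBlocked = (Get-ADUser -Identity $EndUser -Properties AccountNotDelegated).AccountNotDelegated
    }

    [pscustomobject]@{
        Identity            = $Identity
        # A machine account's HOST/ SPN also covers HTTP; a domain service account needs HTTP/ explicitly.
        HasHttpOrHostSpn    = [bool]($spns | Where-Object { $_ -match '^(HTTP|HOST)/' })
        DelegationMode      = $mode
        BackendSpnAllowed   = ($mode -eq 'Unconstrained') -or ($allowed -contains $BackendSpn)
        EndUserNotDelegable = $userBlocked
    }
}

# Placeholder values: machine account WEB01$, a constructed Oracle SPN, test user jdoe.
Get-DelegationReport -Identity 'WEB01$' -BackendSpn 'oracle/db01.example.com' -EndUser 'jdoe'
```

A `DelegationMode` of `None` matches the double-hop failure the answer describes; if delegation is then enabled, constrained delegation limited to the one database SPN exposes far less than unconstrained delegation.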