Edit: updated with new information
I've been trying to configure an ASP.NET site to use Windows authentication impersonation, and use this to call SharePoint 2010 web services.
I've enabled impersonation and Windows authentication on the site, and given it a "classic" .NET 4.0 app pool identity. I display the user that is logged in. When the site is run from the server, everything works fine - the user is impersonated correctly. Tried with several user accounts (but all local admins...). This can upload a file to SharePoint which records the "Created by" / "Modified by" as the site user (and not the app pool identity). This is the situation I want.
When run from a client machine, it fails. The page is loaded, but it seems to fail when it tries to access the SharePoint Lists service with a 401 Unauthorized. Further inquiries have shown me the following info in the SharePoint web logs when calling the Lists.asmx service:
2012-01-12 22:42:52 10.197.104.208 POST /iain/Cesa/_vti_bin/Lists.asmx - 80 - 10.143.16.141 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.239) 401 0 0 13
2012-01-12 22:42:52 10.197.104.208 POST /iain/Cesa/_vti_bin/Lists.asmx - 80 - 10.143.16.141 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.239) 401 1 2148074254 3
2012-01-12 22:42:52 10.197.104.208 POST /iain/Cesa/_vti_bin/Lists.asmx - 80 - 10.143.16.141 Mozilla/4.0+(compatible;+MSIE+6.0;+MS+Web+Services+Client+Protocol+4.0.30319.239) 401 1 5 1
From http://support.microsoft.com/kb/969060 I know that: "The win32 status of "2148074254" (also defined as -2146893042 / 0x8009030E / SEC_E_NO_CREDENTIALS) means "No credentials are available in the security package." In other words, the client has not sent any credentials."
This looks like my web site is not passing the impersonated credentials to the SharePoint site. Is there any way of solving this? Because it works from the server I'm sure it can work, but I'm at my wit's end trying to find a solution.
This is caused by Windows authentication using NTLM rather than Kerberos (I thought it was using Kerberos...).
I'm looking into getting Kerberos properly configured, but this is a big task. In the meantime I have simply moved the site and it is now hosted on the same SharePoint web front end as the web services it is contacting. Now there is no double hop, no need for delegated credentials, and so it works :)
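The failure described in the post is the classic double hop: an NTLM network logon gives the ASP.NET worker an impersonation-level token that carries no credentials, so when the site tries to forward that identity to a second server (SharePoint) the outbound call has nothing to authenticate with and SharePoint logs 401 / SEC_E_NO_CREDENTIALS. The helper below is an added example, not code from the question, that a defender can drop into the impersonating page to see which case the request is in before making the SOAP call: it reads the authentication type and impersonation level of the current token and reports whether that token can be forwarded at all. The class and method names are assumptions, and `proxy` stands for any generated `SoapHttpClientProtocol` such as the proxy for `_vti_bin/Lists.asmx`.

```csharp
using System;
using System.Net;
using System.Security.Principal;
using System.Web.Services.Protocols;

// Added diagnostic helper (not the asker's code). Call Describe() from inside
// an ASP.NET request running with <identity impersonate="true"/> and Windows
// authentication; the names here are assumptions, not a framework API.
public static class DoubleHopCheck
{
    // Summarises the token the request runs under and whether it can be
    // forwarded to a second server. Returns a single line suitable for a
    // diagnostic page or log entry.
    public static string Describe()
    {
        WindowsIdentity id = WindowsIdentity.GetCurrent();

        // "NTLM", "Kerberos" or "Negotiate", depending on how IIS authenticated the caller.
        string auth = id.AuthenticationType;

        // An NTLM network logon produces an Impersonation-level token with no
        // credentials inside it; forwarding it to SharePoint yields
        // 401 / SEC_E_NO_CREDENTIALS (0x8009030E). Only a Delegation-level token
        // (Kerberos, with the service account trusted for delegation) can be forwarded.
        TokenImpersonationLevel level = id.ImpersonationLevel;
        bool canForward = level == TokenImpersonationLevel.Delegation;

        return string.Format("user={0} auth={1} level={2} canForward={3}",
                             id.Name, auth, level, canForward);
    }

    // Attaches the current (impersonated) identity to a SOAP proxy such as the
    // generated Lists class. DefaultCredentials resolves to the impersonated
    // user while impersonation is active; whether the remote end receives
    // anything usable is decided by the delegation check above, not here.
    public static void UseCallerCredentials(SoapHttpClientProtocol proxy)
    {
        if (proxy == null)
            throw new ArgumentNullException("proxy");

        proxy.Credentials = CredentialCache.DefaultCredentials;
        proxy.PreAuthenticate = true;
    }
}
```

Run from a client browser against an NTLM-authenticated site, `Describe()` reports `auth=NTLM level=Impersonation canForward=False`, which is exactly the condition behind the 401 in the SharePoint log; the same page opened on the server itself, or after Kerberos delegation is configured, reports `level=Delegation canForward=True`. Hosting the site on the same web front end as Lists.asmx, as the post's workaround does, removes the second hop so the forwardability of the token no longer matters.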