I have a web app running on Server A that calls a WCF service (K2 WCF Service) on Server B that requires impersonation/delegation to run as the calling user. If I run the web app from Server A, the app works great. If I run the app from my local PC in debug, it also works great. If I hit the app from a browser on my PC to Server A, I get the following error:

The HTTP request is unauthorized with client authentication scheme 'Ntlm'. The authentication header received from the server was 'Ntlm,Negotiate'. System.Net.WebException: The remote server returned an error: (401) Unauthorized. at System.Net.HttpWebRequest.GetResponse() at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout).

I use the following code to run the service: SvcWorklist.ClientCredentials.Windows.AllowedImpersonationLevel = System.Security.Principal.TokenImpersonationLevel.Delegation; SvcWorklist.ClientCredentials.Windows.ClientCredential = System.Net.CredentialCache.DefaultNetworkCredentials;

I feel like I've done everything, here is a list of what I've tried:

1. 
   
2. Setup a SPN (including port) with by Server A App pool domain user to Server B (NETBIOS and FQDN)
   1. 
      
   2. Set the same domain user as the app pool user on Server A and B
      
   3. Ensure the app pool user is allowed to delegate in Active directory
      
   4. Ensure both servers are allowed to delegate in AD
      
   5. Set authentication to windows and impersonate=true in web.config on Server A
      
   6. Ensured Thread.CurrentPrincipal.Identity.Name has my user ID
      
   7. Ensured IIS is set for windows and impersonation
      
   8. Tried restricting the IIS configuration on server A and B to only Ntlm and/or Negotiate
      
   
   

Any help or ideas are truly appreciated.