In a K2 environment using Kerberos, a SQL Service instance is configured to use Impersonation, and SmartObjects have been created from the service objects in this service instance.
When these SmartObjects are used in a K2 SmartForms form or view, an error appears at runtime stating that NT AUTHORITY\ANONYMOUS does not have rights to perform an action. However, the SmartObject executes successfully via the SmartObject Tester Tool located on the K2 server or a client machine. The SETSPN commands for the K2 service account and the K2 server completed successfully.
The error that appears in the SmartForms runtime is a Kerberos error relating to which credentials are passed back to SQL for impersonation in order to perform the action.
The issue turns out to be related to Kerberos configuration for the K2 Claims to Windows Token Service. The steps in the following KB can be used to resolve the issue:
In order for the user credentials to be delegated from IIS through the K2 Claims to Windows Token Service to the Smart Object service and then to the database server, the K2 server's computer object in Active Directory must be allowed to delegate credentials to the http service on itself as well.
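
One way to check this setting from PowerShell is sketched below. This is an added example, not part of the original KB or K2's own tooling. It assumes the ActiveDirectory module (RSAT) is installed, that constrained delegation is recorded in the computer object's `msDS-AllowedToDelegateTo` attribute, and that the relevant entries take the form `HTTP/<short name>` and `HTTP/<FQDN>`; `K2SERVER01` is a placeholder.

```powershell
# Added example: verify that the K2 server's computer object is allowed to
# delegate to the HTTP service on itself. 'K2SERVER01' is a placeholder.
Import-Module ActiveDirectory

function Test-K2SelfHttpDelegation {
    param([Parameter(Mandatory)][string]$ComputerName)

    $props = 'msDS-AllowedToDelegateTo', 'DNSHostName',
             'TrustedForDelegation', 'TrustedToAuthForDelegation'
    $c = Get-ADComputer -Identity $ComputerName -Properties $props

    # Assumption: the delegation list should name HTTP on both host name forms.
    $expected = @("HTTP/$($c.Name)", "HTTP/$($c.DNSHostName)")
    $allowed  = @($c.'msDS-AllowedToDelegateTo')

    # -notcontains compares case-insensitively, which matches SPN semantics.
    $missing = @($expected | Where-Object { $allowed -notcontains $_ })

    [pscustomobject]@{
        Computer             = $c.Name
        # Unconstrained delegation: works, but far broader than needed.
        Unconstrained        = [bool]$c.TrustedForDelegation
        # "Use any authentication protocol" (protocol transition) flag.
        ProtocolTransition   = [bool]$c.TrustedToAuthForDelegation
        AllowedToDelegateTo  = $allowed
        MissingSelfHttp      = $missing
        SelfHttpDelegationOk = ($missing.Count -eq 0)
    }
}

$result = Test-K2SelfHttpDelegation -ComputerName 'K2SERVER01'
$result | Format-List

if (-not $result.SelfHttpDelegationOk) {
    # Preview the change first; remove -WhatIf to apply it.
    # Requires rights to modify delegation settings on the computer object.
    Set-ADComputer -Identity 'K2SERVER01' `
        -Add @{ 'msDS-AllowedToDelegateTo' = $result.MissingSelfHttp } -WhatIf
}
```

If `Unconstrained` is reported as true, the server can already delegate to any service, so a missing HTTP entry is not the cause; in that case consider replacing unconstrained delegation with the explicit list.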