We have an instance of SQL Server Reporting Services (SSRS) that uses Kerberos constrained delegation to retrieve data from its reports from SQL Server on behalf of its users.
To this end, SSRS has been configured to use
Unfortunately, this option also allows the NTLM connection. Users successfully log on to NTLM, and then an error occurs when trying to launch a report (because the delegation obviously fails).
There is also
option, but unfortunately it is not supported by browsers.
Even worth it, after this NTLM connection, SSRS will not try for a while to obtain a Kerberos ticket on behalf of a user, even if it is now connecting to using Kerberos even from another browser or from another station. I guess this is because SSRS launches a session object for the user after a successful login and associates new connections to that session. Thus, until the expiry of the deadline (in about 10 minutes), no delegation would be attempted.
Is there a way to make NTLM connections fail or at least warn the user that he has to close his browser, wait a while, and log back in via Kerberos?