WCF Windows Authentication / Delegation
I'm having trouble getting the user credentials to be delegated over to our Sql Server DB. I'm pretty sure I have my configuration for the WCF set up correctly because everything works on my local IIS, where there is only one hop; the problem is getting the double hop to work in a real environment.
The first error I was getting was a SqlException when trying to log in with the Network Service/anonymous login. From reading blogs I think the service was falling back to NTLM, which cannot perform the double hop.
First question, am I correct in thinking the only way to perform a double hop is with Kerberos?
I switched the config to not allow NTLM and got a 'The requirement for mutual authentication was not met by the remote server' error.
I read that I needed to set up a user for delegation. This is where I get lost. The user of the AppPool is NetworkService; what do I need to do to get delegation to work for this? Do I go into the Domain Controller and enable Delegation somehow? What do I need to add to the client config to tell the service about delegation?
I did try adding a new domain user to Active Directory, enabling delegation for the user, making it the user for my app pool, and adding an identity section in the config to specify this user, but got this error: 'The target principal name is incorrect'.
If possible I would like to keep Network Service as my app pool identity. Does anyone know what steps I need to take to get this to work?
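A diagnostic for the symptoms described in the question, added here as an example and not part of the original post. It shows three checks a practitioner would run before touching WCF settings: which authentication scheme SQL Server actually negotiated for the caller (Kerberos versus the NTLM fallback the question suspects), which SPNs are registered for the identity the service runs as (for Network Service that is the computer account, so the SPNs live on the machine object) and for the SQL Server host, and whether the Active Directory object is trusted for delegation. Host names and the database name are placeholders; the `Test-DelegationFlag` function assumes the RSAT ActiveDirectory module is installed and degrades gracefully if it is not.

```powershell
# Added diagnostic script (not from the original question). Placeholder values:
$SqlServerHost = 'sqlhost.example.local'   # placeholder: FQDN of the SQL Server box
$Database      = 'master'                  # any database the caller may connect to

# Network Service authenticates on the network as the computer account (NAME$),
# so that is the account whose SPNs and delegation setting matter in this case.
$ServiceAccount = $env:COMPUTERNAME + '$'

function Get-SqlAuthScheme {
    # Opens an integrated-security connection and asks SQL Server which
    # scheme it negotiated for *this* session. A session may always inspect
    # its own row in sys.dm_exec_connections, so no extra permission is needed.
    # Run this in the app pool's context (e.g. from inside the service) to see
    # what the service gets; run interactively it reports the logged-on user.
    param([string]$Server, [string]$Database = 'master')
    $cs   = "Server=$Server;Database=$Database;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = @'
SELECT c.auth_scheme, s.login_name, s.host_name
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions    AS s ON s.session_id = c.session_id
WHERE c.session_id = @@SPID
'@
        $r = $cmd.ExecuteReader()
        if ($r.Read()) {
            [pscustomobject]@{
                AuthScheme = $r['auth_scheme']   # 'KERBEROS', 'NTLM' or 'SQL'
                Login      = $r['login_name']
                ClientHost = $r['host_name']
            }
        }
    } finally {
        $conn.Dispose()
    }
}

function Show-Spns {
    # Lists the SPNs on the service-side identity and looks up who owns the
    # MSSQLSvc SPN the client will request; a missing or duplicate SPN is the
    # usual reason Kerberos is skipped and NTLM is used instead.
    param([string]$Account, [string]$SqlHost)
    Write-Host "SPNs registered on $Account :"
    setspn -L $Account
    Write-Host "Owner(s) of the SQL Server SPN for $SqlHost :"
    setspn -Q "MSSQLSvc/$SqlHost*"
    Write-Host "Kerberos tickets currently cached for this logon:"
    klist
}

function Test-DelegationFlag {
    # Reads the delegation settings on the AD object. Requires the RSAT
    # ActiveDirectory module (assumption); returns a note if it is absent.
    param([string]$ComputerName)
    if (-not (Get-Command Get-ADComputer -ErrorAction SilentlyContinue)) {
        return 'ActiveDirectory module not available; check the Delegation tab in AD Users and Computers instead.'
    }
    $obj = Get-ADComputer -Identity $ComputerName -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
    [pscustomobject]@{
        Object                 = $obj.DistinguishedName
        TrustedForDelegation   = $obj.TrustedForDelegation        # unconstrained delegation flag
        ConstrainedTargets     = $obj.'msDS-AllowedToDelegateTo'  # constrained delegation list, if any
    }
}

# Usage
$auth = Get-SqlAuthScheme -Server $SqlServerHost -Database $Database
$auth | Format-List
if ($auth.AuthScheme -ne 'KERBEROS') {
    Write-Warning 'Connection is not using Kerberos; a second hop with these credentials will fail.'
}
Show-Spns -Account $ServiceAccount -SqlHost $SqlServerHost
Test-DelegationFlag -ComputerName $env:COMPUTERNAME | Format-List
```

Read the output together: an `auth_scheme` of `NTLM` confirms the fallback the question suspects, an SPN query that returns nothing (or the same SPN on two accounts) explains why Kerberos was not negotiated, and a `TrustedForDelegation` of `False` with no constrained targets means the directory side of the double hop has not been enabled for that identity yet.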