SAP, IIS and SSO - Kerberos SSPI not usable with t

Published 2019-08-05 19:35

Question:

My goal is to let intranet users' credentials pass through an ASP.NET webpage to an SAP RFC.

Background
We have SAP SSO set up with our AD system. Users can open the SAP GUI and log in without entering a username/password.

We are using ERPConnect to call RFCs in SAP. If we supply credentials to the connection string it works great. We can also use the following code below to use SSO if the webpage is running on our local machine.

Dim db As New SAPContext("ashost=sapsandbox.xxxsap.ad.xxx.com snc_mode=1 sysnr=00 SNC_QOP=9 snc_partnername=p:SAPUserAccount@xxxSAP.AD.XXX.COM SNC_LIB=C:\windows\system32\gsskrb5.dll")

When we move to a Windows Server 2003 machine running IIS6 we get the following error.

SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed
Connect_PM  GWHOST=sapsandbox.xxxsap.ad.xxx.com, GWSERV=sapgw00, SYSNR=00

LOCATION    CPIC (TCP/IP) on local host
ERROR       GSS-API(maj): Miscellaneous Failure
           GSS-API(min): Kerberos SSPI not usable with this User account
           STOP! -- initial call to gss_indicate_mechs() failed
TIME        Fri Sep 02 14:13:47 201
RELEASE     710
COMPONENT   SNC (Secure Network Communication)
VERSION     5
RC          -1
MODULE      sncxxdl.c
LINE

I have disabled anonymous access on my IIS6 site. I have also followed this article on how to enable kerberos authentication on IIS6.

Does anyone know how to get this working? We could move to IIS7 if there is an easier way to get it to work with that.

EDIT
I set <identity impersonate="true" /> and I get a new error now.

SAP_CMINIT3 : rc=20 > Connect to SAP gateway failed
Connect_PM  GWHOST=sapsandbox.xxxsap.ad.xxx.com, GWSERV=sapgw00, SYSNR=00

LOCATION    CPIC (TCP/IP) on local host
ERROR       GSS-API(maj): Miscellaneous Failure
           GSS-API(min): SSPI::AcqCredHdl(INI)==No credentials available
           in secur
           Could't acquire DEFAULT INITIATING credentials
TIME        Tue Sep 06 11:45:11 201
RELEASE     710
COMPONENT   SNC (Secure Network Communication)
VERSION     5
RC          -4
MODULE      snc

EDIT
I think I have to have AD setup to use SPN. Here's what I saw on this question.
Set up a SPN on your application pool account for your front end application

Answer 1:

Not familiar with SAP, but delegation is key here in addition to the SPN: AD has to trust the machine sending the Kerberos ticket. I'd highly recommend reading this article:

Understanding Kerberos Double Hop
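The question's last edit (register an SPN on the application pool account) and the answer (AD must also trust the web server to delegate) together describe the Kerberos double-hop setup. The following PowerShell is an added example, not code from the question, the answer, or SAP/ERPConnect; it is run from a domain-joined admin machine with the ActiveDirectory RSAT module. The account names, the web host name, the SAP service SPN (`SAP/SAPUserAccount`) and the sample user `jdoe` are assumptions chosen to match the names in the question; only `SAPUserAccount` comes from the page.

```powershell
# Added example (assumptions labelled inline): configure and verify the pieces that the
# two SNC errors in the question point at. "Kerberos SSPI not usable with this User account"
# appears when the worker process runs without a usable Kerberos identity; "No credentials
# available" after identity impersonate="true" appears when the impersonated token carries no
# forwardable ticket, i.e. the browser fell back to NTLM or delegation is not allowed.
Import-Module ActiveDirectory

$AppPoolAccount = 'XXXSAP\svc-iis-sap'             # assumed: domain account running the IIS app pool
$WebHost        = 'intranetweb.xxxsap.ad.xxx.com'  # assumed: host name users type into the browser
$SapSncAccount  = 'SAPUserAccount'                 # from snc_partnername in the question
$SapSncSpn      = "SAP/$SapSncAccount"             # assumed: SPN registered on the SAP SNC service account
$sam            = $AppPoolAccount.Split('\')[1]

# 1. The app pool must run as a domain account, and that account needs an HTTP SPN for every
#    name the browser uses (FQDN and short name). Without it the client has no service ticket
#    to request, IIS negotiates down to NTLM, and the token cannot be delegated to SAP.
setspn -S "HTTP/$WebHost" $AppPoolAccount
setspn -S "HTTP/$($WebHost.Split('.')[0])" $AppPoolAccount
setspn -L $AppPoolAccount

# 2. Trust the web server's identity to delegate, but only to the SAP SNC service
#    (constrained delegation). Avoid TrustedForDelegation = $true (unconstrained), which would
#    let a compromised web server reuse every visiting user's credentials against any service.
Set-ADUser -Identity $sam -Add @{ 'msDS-AllowedToDelegateTo' = $SapSncSpn }

# 3. Verify what AD now holds for the app pool account.
Get-ADUser -Identity $sam -Properties ServicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedForDelegation |
    Select-Object SamAccountName, TrustedForDelegation, ServicePrincipalName, 'msDS-AllowedToDelegateTo'

# 4. Users flagged "Account is sensitive and cannot be delegated" (or in Protected Users)
#    will still fail the second hop no matter how the server is configured.
Get-ADUser -Identity 'jdoe' -Properties AccountNotDelegated |
    Select-Object SamAccountName, AccountNotDelegated

# 5. From a user workstation: request the web site's ticket and confirm the
#    "forwardable" flag is present in the output; if it is missing, the first hop is the problem.
klist get "HTTP/$WebHost"
```

On the IIS6 side the site still has to offer Kerberos at all: with anonymous access off, set the provider order with `cscript adsutil.vbs set w3svc/<siteid>/root/NTAuthenticationProviders "Negotiate,NTLM"`, and keep `<authentication mode="Windows" />` together with the `<identity impersonate="true" />` from the question in web.config. Step 5 is the quickest way to tell the two failure classes apart: a non-forwardable or NTLM-only first hop produces exactly the "No credentials available" message, whereas an SPN or delegation problem on the second hop shows up only after the ticket to the web site is already forwardable.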