Update: Read the Kerberos-page linked to on the right side as it is more updated.
Firstly – I assume you already know what Kerberos is and which problems it is intending to solve. This posting will not teach you this – but this might…
Even though I have tried to follow much of the available information out there, I was stuck on an issue involving an ASP.net frontend, WCF webservice and CRM backend. The reason was off course just ignorance and lack of better knowledge — as often is the case when dealing with something you don’t need to use often.
This is just a summary of my experience that might act as an checklist for others:
- Use separate domain accounts for each individual service / IIS application pool. This makes registering SPN’s cleaner.
- Use hostname’s (intranet.company.com, crm.company.com etc) for all IIS web applications and never refer to servername in calling applications.
- Register all hostname’s with A-records in DNS. Don’t use CNAME! And off course make sure the server is set up with static IP or DHCP record.
- Set up Kerberos Service Principle Names (SPN) correctly:
- Register SPN for hostname’s only (HTTP/intranet.company.com) as SPN for web applications.
- Don’t register HTTP/NETBIOS-name and HTTP/Fully-qualified-domain-name as many suggests.
- Don’t delete HOST/SERVERNAME SPN’s registered on the computer account (domain\SERVERNAME$) or else you will get into trouble. I discovered it the hard way trying to clean up my SPN’s after doing a lot of testing. They can easily be re-created.
- Enable Kerberos logging: HKLM\Software\CurrentControlSet\System\Lsa\Kerberos\Paremeters\LogLevel = 1 (DWORD
- Enforce Kerberos to use TCP instead of UDP: HKLM\System\CurrentControlSet\Lsa\Kerberos\Parameters\MaxPacketSize = 1 (DWORD) to get rid of some Kerberos error messages
- Use DelegConfig to test Kerberos:
- Make test-user member of Local Admin group of server
- Extract files to C:\Kerberos
- Add virtual directory in IIS web application you need to test with Kerberos as Alias, C:\Kerberos as Path and and Read and Execute permission
- On server in question, log in as test-user and go to HTTP://intranet.company.com/Kerberos) – pray to God for all green checkboxes
- When nothing of this helped – you’re on your own…
