Kerberos 101 – Love, Hate, Love

Update: Read the Kerberos page linked on the right side, as it is more up to date.

Firstly, I assume you already know what Kerberos is and which problems it is intended to solve. This posting will not teach you this, but this might…

Even though I have tried to follow much of the available information out there, I was stuck on an issue involving a frontend, a WCF web service and a CRM backend. The reason was of course just ignorance and lack of better knowledge, as is often the case when dealing with something you don’t need to use often.

This is just a summary of my experience that might act as a checklist for others:

  • Use separate domain accounts for each individual service / IIS application pool. This makes registering SPNs cleaner.
  • Use hostnames (, etc.) for all IIS web applications and never refer to the server name in calling applications.
  • Register all hostnames as A records in DNS. Don’t use CNAMEs! And of course make sure the server is set up with a static IP or a DHCP record.
  • Set up Kerberos Service Principal Names (SPNs) correctly:
    • Register SPNs for hostnames only (HTTP/ as the SPN for web applications).
    • Don’t register both HTTP/NETBIOS-name and HTTP/Fully-qualified-domain-name as many suggest.
    • Don’t delete the HOST/SERVERNAME SPNs registered on the computer account (domain\SERVERNAME$) or else you will get into trouble. I discovered it the hard way trying to clean up my SPNs after doing a lot of testing. They can easily be re-created.
  • Enable Kerberos logging: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\LogLevel = 1 (DWORD)
  • Force Kerberos to use TCP instead of UDP: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters\MaxPacketSize = 1 (DWORD) to get rid of some Kerberos error messages
  • Use DelegConfig to test Kerberos:
    • Make the test user a member of the server’s local Administrators group
    • Extract the files to C:\Kerberos
    • Add a virtual directory in the IIS web application you need to test, with Kerberos as Alias, C:\Kerberos as Path, and Read and Execute permissions
    • On the server in question, log in as the test user and go to HTTP:// and pray to God for all green checkboxes
  • When none of this helped, you’re on your own
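The checklist above can be turned into an automated audit. The PowerShell script below is an added example, not code from the original post; it assumes the RSAT ActiveDirectory and DnsClient modules are available, and the service account, hostnames and server name are placeholders you replace with your own.

```powershell
# Added example, not from the original post. Placeholder names throughout.
Import-Module ActiveDirectory
$ServiceAccount = 'svc-crmweb'                                  # placeholder app-pool account
$HostNames      = 'crmweb.corp.example', 'crmapi.corp.example'  # placeholder IIS hostnames
$ServerName     = 'WEB01'                                       # placeholder computer account

function Test-KerberosSetup {
    param([string]$Account, [string[]]$Hosts, [string]$Server)
    $findings = @()
    $svcSpns = (Get-ADUser -Identity $Account -Properties servicePrincipalName).servicePrincipalName

    foreach ($h in $Hosts) {
        # Each hostname must be an A record; a CNAME makes the client build the SPN from the target
        $dns = Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue
        if (-not $dns) { $findings += "DNS: $h does not resolve" }
        elseif ($dns | Where-Object Type -eq 'CNAME') { $findings += "DNS: $h is a CNAME, use an A record" }

        # HTTP/<hostname> must be registered on the account running the application pool
        $spn = "HTTP/$h"
        if ($svcSpns -notcontains $spn) { $findings += "SPN: $spn is missing on $Account" }

        # The same SPN on more than one account breaks Kerberos authentication
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)")
        if ($owners.Count -gt 1) { $findings += "SPN: $spn is registered on $($owners.Count) accounts" }
    }

    # HOST/ SPNs on the computer account must stay in place
    $hostSpns = (Get-ADComputer -Identity $Server -Properties servicePrincipalName).servicePrincipalName
    if (-not ($hostSpns | Where-Object { $_ -like 'HOST/*' })) {
        $findings += "SPN: HOST/ SPNs are missing on $Server`$"
    }

    # Registry settings from the checklist; run this part on the server itself
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p.LogLevel -ne 1)      { $findings += 'Registry: LogLevel is not 1, Kerberos event logging is off' }
    if ($p.MaxPacketSize -ne 1) { $findings += 'Registry: MaxPacketSize is not 1, Kerberos may still use UDP' }
    return $findings
}

$result = Test-KerberosSetup -Account $ServiceAccount -Hosts $HostNames -Server $ServerName
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'All checks passed' }
```

Run it as a domain user with read access to AD; the registry checks only report correctly when the script runs on the web server itself.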

Get information on wireless LANs

Pre-Vista I used the excellent Netstumbler to discover wireless LANs around me and to make sure my router wasn’t set up on the same channel as my neighbors’. Unfortunately Netstumbler doesn’t work in Vista. Luckily this is default functionality through the netsh command:

netsh wlan show networks mode=bssid

Not as beautiful as Netstumbler, but it does the job!