Kerberos 101 – Love, Hate, Love

Update: Read the Kerberos-page linked to on the right side as it is more updated.

Firstly – I assume you already know what Kerberos is and which problems it is intending to solve. This posting will not teach you this – but this might…

Even though I have tried to follow much of the available information out there, I was stuck on an issue involving an frontend, WCF webservice and CRM backend. The reason was off course just ignorance and lack of better knowledge — as often is the case when dealing with something you don’t need to use often.

This is just a summary of my experience that might act as an checklist for others:

  • Use separate domain accounts for each individual service / IIS application pool. This makes registering SPN’s cleaner.
  • Use hostname’s (, etc) for all IIS web applications and never refer to servername in calling applications.
  • Register all hostname’s with A-records in DNS. Don’t use CNAME! And off course make sure the server is set up with static IP or DHCP record.
  • Set up Kerberos Service Principle Names (SPN) correctly:
    • Register SPN for hostname’s only (HTTP/ as SPN for web applications.
    • Don’t register HTTP/NETBIOS-name and HTTP/Fully-qualified-domain-name as many suggests.
    • Don’t delete HOST/SERVERNAME SPN’s registered on the computer account (domain\SERVERNAME$) or else you will get into trouble. I discovered it the hard way trying to clean up my SPN’s after doing a lot of testing. They can easily be re-created.
  • Enable Kerberos logging: HKLM\Software\CurrentControlSet\System\Lsa\Kerberos\Paremeters\LogLevel = 1 (DWORD
  • Enforce Kerberos to use TCP instead of UDP: HKLM\System\CurrentControlSet\Lsa\Kerberos\Parameters\MaxPacketSize = 1 (DWORD) to get rid of some Kerberos error messages
  • Use DelegConfig to test Kerberos:
    • Make test-user member of  Local Admin group of server
    • Extract files to C:\Kerberos
    • Add virtual directory in IIS web application you need to test with Kerberos as Alias, C:\Kerberos as Path and and Read and Execute permission
    • On server in question, log in as test-user and go to HTTP:// – pray to God for all green checkboxes
  • When nothing of this helped – you’re on your own