Using Fiddler To Check For Kerberos Auth

Frequently I see customers trying to verify if their Kerberos settings ( are truly working or not.  In the past we’ve used tools such as NetMon, Kerbtray, Klist, and others to verify this however, recently I found a very simple way to test if Kerberos auth is working or not using Fiddler – a very common utility that many admins already have loaded on their client machines. Here are the steps:

  1. Download and install fiddler on the client machine:
    • This test process only applies to machines external to the servers hosting the services.  In the case of CRM, you would run fiddler from a client machine and not from a CRM or SQL Server.
  2. Open Fiddler on the client and start collecting data (Fiddler starts collecting by default)
    • If you have SSL enabled (HTTPS) on the website your testing make sure to enable Fiddler to Decrypt SSL, this can be done by clicking the Tools Menu, then Fiddler Options, then click the HTTPS tab, then select the “Decrypt HTTPS Traffic” checkbox.
  3. Access the site you wish to test (your CRM site), make sure you’re using the website alias or the way users will access your site. 
  4. In the left hand pane of Fiddler, which show’s all the requests, find one of the first successful (200) requests to the server in question and click on that request.
  5. In the upper right hand pane of Fiddler click on the Inspectors tab, then in the “Request Headers” area click on the “Headers” option as show below.
    • image_thumb2
  6. Within the “Request Headers” box look specifically for the “Cookies / Login” section of the headers, it is in this area you’ll see the Authorization. You should see one of two patterns that will tell you if you’re communicating with Kerberos authorization or not. If you see the Authorization token begin with “YII” Kerberos is functioning, if you see “TlR” then Kerberos did not function – here are images of each scenario:
    • Kerberos working: image_thumb5
    • Kerberos not working: image_thumb16

If you were expecting to see YII and see TlR instead, please take a look at my other blog posting ( covering the setup and configuration of SPN’s and Active Directory properties to allow for proper Kerberos authentication. Also, once Kerberos is functioning I recommend taking advantage of IIS’s AuthPersistNonNTLM setting to reduce the number of 401 challenges – this is also covered in the Kerberos blog posting under section 3.1.

If you want to keep in touch with our team you can follow us here ( as well as on Twitter, if you have a Microsoft Premier support contract and wish to work with a member of our team ask your TAM about the PFE offerings we have for Dynamics CRM, and if you want to connect with us at conferences we can be found speaking and attending Dynamics Convergence. We’ll keep any other events or opportunities to connect up to date here and on Twitter.


Sean McNellis

Comments (8)

  1. Gavin Higgins says:

    You can also look under inspectors again and then select 'Auth' and this will show you either Kerberos or NTLM authentication very clearly.

  2. Great tip @Gavin – thanks!

  3. Travis says:

    I have had various occasions when having Fiddler on changes the way Kerberos is functioning …

    For instance, with Fiddler open it looks like Internet Explorer is sending a Kerberos ticket with every request, even after AuthPersistNonNTLM is set … in fact with Fiddler open it does do that.  But with Fiddler closed, it does not.  

    I was able to verify this with a "netsh trace" both with Fiddler open and again with it closed.

    Also in some scenarios Kerberos outright fails when Fiddler is running, but works otherwise.  Again verified with a "netsh trace"

    All of these problems were with IE… chrome didn't seem to care if Fiddler was running or not.

    I guess it has something to do with how Fiddler inserts itself as a proxy.  Not sure why IE is the only one that cares.  Anyway your users might want to double check "kerberos failures" using a less intrusive system.  Just thought I'd mention it …

  4. Homer says:


    Try enabling Rules -> Automatically Authenticate.

    It worked in my case.



  5. Fergus W Allan says:

    Hi Travis,

    As far as I know, IE is the only browser that supports Kerberos.  Other browsers support NTLM or basic.

    At the time or writing (Jan 2015) Chrome would use NTLM as it does not support Kerberos


  6. Trix says:

    Fergus, I'm afraid you're incorrect. Firefox and Chrome(ium) support Kerberos via SPNEGO.

    Not by default, but the configuration for both browsers is pretty straightforward – you simply need to define the sites trusted for auth.

  7. Susan says:

    Hi Sean, I’m having an odd situation where I cannot capture CRM traffic with Fiddler when I am decrypting SSL. Any hints? Pretty sure it’s some sort of certificate or kerberos quirk that I need to configure… Susan

  8. Robin says:

    I have tested and maybe it’s not always work.

    In my fiddler,
    Kerberos working normally:
    Authorization: Negotiate YIIGvQYGKwYBBQUCoIIGsTCCBq
    Kerberos without correct SPN:
    Authorization: Negotiate YIIMvAYGKwYBBQ
    Authorization: Negotiate oYIMgzCCDH+g

Skip to main content