I ran into this Kerberos issue a few times and it prompted me to write this blog post.
You would run into one of the following errors
"The request failed with HTTP status 401: Unauthorized” Or 401.2
You’ve already verified the following
1) Web site is configured for Integrated Authentication
2) Website is configured to use Negotiate by configuring NTAuthenticationProviders
3) Configured IE to use Integrated Authentication
4) DelegConfig tool detects that SPN configuration is valid
5) Valid SPN’s are set as per URL
Most common reasons for the Kerberos issues are resulted due to invalid SPN setup / Duplicate SPN setup, this case is no different.
The URL (hostheader) for browsing the website is test-web01.mycompany.net and you’ve configured SPN’s for website is test-web01.mycompany.net , however when we try to resolve this FQDN it is resolving to “test - web01.something.test.mycompany.net”, in this case we needed to set SPN for “test-web01.something.test.mycompany.net”
It is important that we configure SPN for the name it is resolving to, not the name we are using to browse the website. Following is the example
Website URL: www.abc.com
HostHeader : www.abc.com
Ping www.abc.com and note down the name it is resolving it to, in some NLB scenarios due to the some custom requirements, customers would have a alias configured for www.abc.com, so in reality if we ping www.abc.com is resolving it to www.xyz.com due to DNS configuration, in this case we need to set SPN's for www.xyz.com , not for www.abc.com
For this specific case, we removed the existing SPN’s and added the SPN for “test-web01.something.test.mycompany.net” by following the below command
Setspn – a HTTP/test-web01.something.test.mycompany.net Testdomain/ServiceUser
Note: The HTTP service class differs from the HTTP protocol. Both the HTTP protocol and the HTTPS protocol use the HTTP service class. The service class is the string that identifies the general class of service. Well-known service class names include "www" for a Web service and "ldap" for a directory service.
How to use SPNs when you configure Web applications that are hosted on IIS 6.0
Kerberos SPN Viewer and Helper Tool Sample