I just love the main screen of this tool! Kerberos can be scary and misunderstood (kinda like referees!)
DON’T RUSH!!! You are not so smart that you should skip over reading the following. I like to skip over documentation just as much as the next person, but for your own benefit please read this information (usage tips and features). If you are not aware of everything this tool can do, you will add unnecessary confusion and work to the already frustrating experience of getting Kerberos and delegation to function properly.
READ what the report tells you – If I had a penny for every time somebody asked me what the report ALREADY SAYS I would be rich. Okay, maybe not rich, but I’d have a lot of pennies.
Start by using the report locally from the web server – Use the same URL that you plan on using remotely. Certain authentication problems occur only when the connection is actually using Kerberos and something is misconfigured; running the tool from a browser on the server itself avoids those, because in most cases local requests use NTLM. That gets you a report you can read before Kerberos itself gets in the way.
Next, use the report from a remote client – One important check the report performs is whether your browser actually connected to the web service using Kerberos. If you always make your requests from the web server itself, you will almost always see a "Negotiate with NTLM" connection with a red "x" next to it (and red icons usually bother people). The second important piece of information is name resolution from the client's point of view: if your requests always come from the server, the report can never show what the client thinks the name resolves to.
Lastly, click any "Fix This" buttons locally from the server – "Fix This" buttons appear that make the exact changes you need to get things working. But like any other web application, this one is at the mercy of the double hop. The most relevant changes it makes are Trust for Delegation settings and ServicePrincipalName settings, both of which are stored in Active Directory. If you click "Fix This" from a remote browser the change will likely fail: the first hop from browser to web server works, but the second hop from web server to Active Directory does not, and that second hop is the very thing you are trying to fix.
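The remote-client step above asks two questions the report can only answer from the client side: did the browser really get a Kerberos ticket, and how does the client resolve the host name? The following PowerShell is an added example, not part of DelegConfig, that answers both from the client's own ticket cache and DNS. It assumes a placeholder report URL (replace it with yours) and a client running Windows 7 / Server 2008 R2 or later, where klist supports the "get" verb.

```powershell
# Added example, not part of DelegConfig. Run on the REMOTE client right after
# browsing to the report. The URL below is an assumed placeholder.
function Test-ClientKerberos {
    param([string]$ReportUrl = 'http://webapp.corp.example.com/DelegConfig/Report.aspx')

    $targetHost = ([System.Uri]$ReportUrl).Host
    $spn        = "HTTP/$targetHost"   # the SPN the browser asks the KDC for

    # 1. Name resolution as seen from THIS client. If the host is a CNAME, note the
    #    canonical A-record name: the browser may build the SPN from that name instead.
    "--- DNS as seen by $env:COMPUTERNAME ---"
    Resolve-DnsName -Name $targetHost -Type A -ErrorAction Stop |
        Select-Object Name, Type, IPAddress, NameHost | Format-Table -AutoSize | Out-String

    # 2. Is there a Kerberos service ticket for that SPN in the current logon session?
    #    klist lists the cache; the web server appears as "Server: HTTP/<host> @ REALM".
    $cache = (klist 2>&1 | Out-String)
    if ($cache -match "(?im)^\s*Server:\s*$([regex]::Escape($spn))\b") {
        "OK: service ticket for $spn present - the browser negotiated Kerberos."
    } else {
        "NO ticket for $spn. Either the site fell back to NTLM (the report will show"
        "'Negotiate with NTLM'), or you are browsing on the server itself, where local"
        "requests use NTLM. Run 'klist purge', reload the page, then run this again."
    }

    # 3. Ask the KDC directly. 'klist get' requests a ticket for the SPN; if the KDC
    #    does not know the SPN (not registered, or on the wrong account) it errors out,
    #    which is the root cause behind most NTLM fallbacks.
    "--- klist get $spn ---"
    klist get $spn 2>&1 | Out-String
}

Test-ClientKerberos
```

Step 3 is the decisive one: the browser can only fall back to NTLM silently, but klist get shows you the KDC's actual answer for the SPN, so a failure here means the SPN side needs fixing before anything in the browser will change.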
/Set/SPNs.aspx – Adds and removes ServicePrincipalNames.
/Set/Delegation.aspx – Changes the Trust for Delegation settings.
/Set/Providers.aspx – Corrects an inadequate NTAuthenticationProviders setting (for example one that offers only NTLM, so Kerberos is never attempted).
/Report.aspx – Gives a picture of what is right and what is wrong.
/Wizard.aspx – Wizard steps for adding more tiers (back-end hops) to /Report.aspx.
/Test.aspx – Runs double-hop tests from the web server to a SQL server, a file server, or another web server.
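The three /Set pages change settings that live in Active Directory and in the IIS configuration. Because those changes have to be made from the web server itself (the double-hop problem above), it helps to be able to inspect the same three settings from an elevated PowerShell on that server before and after clicking "Fix This". The script below is an added example, not DelegConfig's own code. Its placeholders are assumptions: the application pool account 'svc-webapp', the site host name 'webapp.corp.example.com', one back-end SQL SPN, and the IIS site 'Default Web Site'. It needs the RSAT ActiveDirectory module, setspn.exe, and (for IIS 7 and later) the WebAdministration module.

```powershell
# Added example, not part of DelegConfig. Run in an elevated PowerShell ON the web server.
# All names below are assumed placeholders; replace them with your own.
Import-Module ActiveDirectory
Import-Module WebAdministration

$AppPoolAccount = 'svc-webapp'                                 # sAMAccountName of the app pool identity
$SiteHost       = 'webapp.corp.example.com'                    # host name users type in the URL
$BackendSpns    = @('MSSQLSvc/sql01.corp.example.com:1433')    # second-hop targets the web app needs
$IisSite        = 'Default Web Site'

$acct = Get-ADUser -Identity $AppPoolAccount -Properties servicePrincipalName, TrustedForDelegation, 'msDS-AllowedToDelegateTo'

# --- 1. SPNs (/Set/SPNs.aspx). Register both the FQDN and the short name, since users type
#        either. An SPN that is missing, or sits on the wrong account, makes the client fall
#        back to NTLM, which is exactly the red "Negotiate with NTLM" line in the report.
$needed = "HTTP/$SiteHost", "HTTP/$($SiteHost.Split('.')[0])"
foreach ($spn in $needed) {
    if ($acct.servicePrincipalName -contains $spn) { "OK       $spn registered on $AppPoolAccount" }
    else { "MISSING  $spn   fix: setspn -S $spn $AppPoolAccount   (-S refuses to create a duplicate)" }
}
# A duplicate SPN anywhere in the forest also breaks Kerberos; setspn -X lists the groups.
"--- setspn -X (duplicate scan, HTTP entries only) ---"
setspn -X -F | Select-String -Pattern '^HTTP/' -Context 0,3

# --- 2. Delegation (/Set/Delegation.aspx). Without it the second hop arrives at the back end
#        as NT AUTHORITY\ANONYMOUS LOGON. Prefer constrained delegation to specific SPNs.
if ($acct.TrustedForDelegation) {
    "WARN     unconstrained delegation enabled on $AppPoolAccount (works, but lets the web server impersonate users to ANY service)"
} elseif ($acct.'msDS-AllowedToDelegateTo'.Count -gt 0) {
    "OK       constrained delegation to: $($acct.'msDS-AllowedToDelegateTo' -join ', ')"
    $missing = $BackendSpns | Where-Object { $acct.'msDS-AllowedToDelegateTo' -notcontains $_ }
    if ($missing) { "MISSING  back-end SPN(s) $($missing -join ', ') not in msDS-AllowedToDelegateTo" }
} else {
    "MISSING  no delegation at all   fix: Set-ADUser $AppPoolAccount -Add @{'msDS-AllowedToDelegateTo'=@('$($BackendSpns -join "','")')}"
}

# --- 3. Authentication providers (/Set/Providers.aspx). If Negotiate is not offered, the
#        browser can only ever do NTLM, no matter how correct the SPNs are.
"--- Windows authentication providers on '$IisSite' ---"
(Get-WebConfiguration -PSPath "IIS:\Sites\$IisSite" `
    -Filter 'system.webServer/security/authentication/windowsAuthentication/providers').Collection |
    Select-Object -ExpandProperty value
# IIS 6 metabase equivalent (the setting DelegConfig's page name refers to):
#   cscript %SystemDrive%\Inetpub\AdminScripts\adsutil.vbs get w3svc/1/NTAuthenticationProviders
#   should print "Negotiate,NTLM"; "NTLM" alone is the inadequate setting.
```

The script only reports and prints the fixing commands; it does not write to Active Directory, so you can run it first, click "Fix This" locally (or run the printed setspn / Set-ADUser line yourself), and run it again to confirm the change landed. The unconstrained-delegation warning is the security point worth keeping in mind: /Set/Delegation.aspx can get you working with either mode, but constrained delegation limits what a compromised web server can do with your users' identities.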