Rather than documenting a complex flowchart that covers every possible scenario, I am going to draft up a fairly common environment and document the various steps required to make sure Kerberos is working for that environment. Kerberos only works properly when everything is setup correctly, and troubleshooting issues can be very frustrating and time consuming.
Later sections deal with SPN registration (Sean wins a little piece of my heart for recommending SetSPN -S instead of -A), troubleshooting with traces, kernel-mode authentication, delegation settings, and more!
It’s a big post, but well worth a read if you have to set one up. Most concepts will apply to n-tier apps other than CRM, as well.
Posted by Tristan Kington, MSPFE Editor and Kerberos kennel operator