Underground Coding

K2.net and beyond....

DelegConfig (Delegation / Kerberos Configuration Tool) from iis.net

A co-worker of mine (thanks Kevin) sent me information this morning on a tool for troubleshooting Kerberos settings in IIS called DelegConfig.  This is a 'must-have' tool for setting up Kerberos for your K2.net Web Server.

This utility is a little ASP.NET v1.1 app that you drop in a folder on your site to reveal the current Kerberos configuration settings for the web server. It will additionally troubleshoot Kerberos settings on the back-end servers/services that the web server connects to with the Kerberos protocol (e.g. Active Directory, SQL Server).

This tool checks the following:

Service Account
1. Checks if the service account is a domain account.
2. Checks if the service account has a valid Service Principal Name (SPN).
3. Checks for duplicate SPNs.
4. Checks to see if the account is trusted for delegation (full or constrained).

Authenticated User
1. Checks to see if the account you are using to connect to the web site is a domain account.
2. Checks the authentication method (NTLM, Kerberos, Basic, etc.).

Backend Servers
1. Allows you to add backend servers (the other hops) to test, to make sure those service accounts are set up properly.
    a. Sadly, K2.net isn't an option for the backend server; I'm going to look into getting this added.

Based on all of the tests above, this utility gives a final pass/fail. For each test you gain a lot of insight into which settings are being checked and how to fix them if they are broken.
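
The service account checks listed above can also be reproduced by hand against a directory export. The sketch below is an added example, not DelegConfig's code: the account records, SPNs and the pass rule are constructed assumptions, while the userAccountControl bit values are the documented Active Directory ones.

```python
from collections import defaultdict

# userAccountControl bits (documented Active Directory flag values)
TRUSTED_FOR_DELEGATION = 0x80000            # full (unconstrained) delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, any auth protocol

# Constructed sample directory export; names and SPNs are made up.
ACCOUNTS = [
    {"sam": "svc-k2web", "uac": 0x200,
     "spns": ["HTTP/k2web.example.local", "HTTP/k2web"],
     "allowed_to_delegate_to": ["MSSQLSvc/sql01.example.local:1433"]},
    {"sam": "svc-old", "uac": 0x200 | TRUSTED_FOR_DELEGATION,
     "spns": ["http/K2WEB.example.local"], "allowed_to_delegate_to": []},
    {"sam": "svc-sql", "uac": 0x200,
     "spns": ["MSSQLSvc/sql01.example.local:1433"], "allowed_to_delegate_to": []},
]

def duplicate_spns(accounts):
    """Map each SPN held by more than one account to its owners.
    SPNs are compared case-insensitively."""
    owners = defaultdict(set)
    for acct in accounts:
        for spn in acct["spns"]:
            owners[spn.lower()].add(acct["sam"])
    return {spn: sorted(o) for spn, o in owners.items() if len(o) > 1}

def delegation_type(acct):
    """Classify the delegation setting: full, constrained or none."""
    if acct["uac"] & TRUSTED_FOR_DELEGATION:
        return "full"
    if acct["allowed_to_delegate_to"]:  # msDS-AllowedToDelegateTo is populated
        if acct["uac"] & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained (any protocol)"
        return "constrained (Kerberos only)"
    return "none"

def check_service_account(sam, accounts):
    """Run the four service account checks for one identity."""
    acct = next((a for a in accounts if a["sam"].lower() == sam.lower()), None)
    if acct is None:  # not in the directory, so not a domain account
        return {"domain_account": False, "pass": False}
    dupes = {s: o for s, o in duplicate_spns(accounts).items() if acct["sam"] in o}
    deleg = delegation_type(acct)
    # Assumed pass rule: SPN present (not validated), no duplicates, delegation set.
    return {"domain_account": True, "has_spn": bool(acct["spns"]),
            "duplicate_spns": dupes, "delegation": deleg,
            "pass": bool(acct["spns"]) and not dupes and deleg != "none"}

if __name__ == "__main__":
    for name in ("svc-k2web", "svc-sql", "NetworkService"):
        print(name, check_service_account(name, ACCOUNTS))
```

In the sample data the HTTP SPN for the web server is registered on two accounts with different casing, so svc-k2web fails until the stale registration on svc-old is removed.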

Even if you aren't having problems and want to educate yourself on how Kerberos works, this tool is an excellent resource.

You can download DelegConfig here.

Published Wednesday, June 06, 2007 4:28 PM by j.monty

About j.monty

I have had the privilege of working for an excellent Microsoft Partner and SourceCode Partner, ATGi, for the past 13+ years. I have a real passion for software, computer security, and most things technical. For the past couple of years I've been working with the DoD architecting K2 solutions. My interests are Computer and Internet/Computer Security, Workflow, and all that is .NET.