
Troubleshooting Kerberos

So you have configured Kerberos authentication but it doesn't seem to be working as it should. Here are a few quick troubleshooting steps you can take.

In the Windows Event Log, check the Security section on each server for 540 logon events to see which authentication protocol is actually being used.
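As an added example (not code from the original post), the following PowerShell reads the Security log and tallies successful logons by the "Authentication Package" field of each event, so a Kerberos-versus-NTLM split is visible at a glance. It assumes the classic Security log described in the post, where the successful logon event is 540; on Windows Vista / Server 2008 and later the equivalent event is 4624, which can be passed via `-EventId`. The function and parameter names are my own.

```powershell
# Added example: summarise successful logon events by authentication package.
# Assumes the classic Security log (event 540 on Windows Server 2003); on
# Vista / Server 2008 and later use -EventId 4624.
function Get-LogonAuthPackageSummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$EventId = 540,
        [int]$Newest = 2000
    )

    $events = Get-EventLog -LogName Security -ComputerName $ComputerName -Newest $Newest |
        Where-Object { $_.EventID -eq $EventId }

    foreach ($e in $events) {
        # The event text carries lines such as "Authentication Package: Kerberos",
        # "Logon Type: 3" and "User Name: <account>"; pull them out with regexes.
        $pkg  = if ($e.Message -match 'Authentication Package:\s*(\S+)') { $Matches[1] } else { 'unknown' }
        $type = if ($e.Message -match 'Logon Type:\s*(\d+)') { $Matches[1] } else { '?' }
        $user = if ($e.Message -match '(?:User Name|Account Name):\s*(\S+)') { $Matches[1] } else { '?' }

        New-Object PSObject -Property @{
            Time        = $e.TimeGenerated
            User        = $user
            LogonType   = $type
            AuthPackage = $pkg
        }
    }
}

# Count logons per authentication package. A large NTLM share on a server that
# is supposed to be using Kerberos points at an SPN or DNS problem.
Get-LogonAuthPackageSummary | Group-Object AuthPackage | Select-Object Name, Count

# List the individual NTLM logons so the clients that fell back can be identified.
Get-LogonAuthPackageSummary |
    Where-Object { $_.AuthPackage -eq 'NTLM' } |
    Format-Table Time, User, LogonType -AutoSize
```

Network logons (Logon Type 3) are the ones that matter for a web or application server; interactive logons on the box itself will always show NTLM or Negotiate locally and are not evidence of a Kerberos failure.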

Enable Kerberos logging on the servers concerned. This logs Kerberos errors to the System section of the Windows Event Log (be aware that a large number of errors will appear, so only enable logging while troubleshooting). Create a DWORD called "LogLevel" and set its value to 1 in the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters".

Check your SPNs for typos.

In the case of IIS, check what your authentication provider is set to in the metabase, and if you are using host headers make sure that your SPNs are registered for the host header name.

Check that the DNS records you are setting your SPNs for are HOST (A) records. CNAMEs are aliases, and during authentication the client will look for an SPN matching the record the CNAME points to, not the alias itself.
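The SPN and DNS checks above can be scripted. The PowerShell below is an added example, not part of the original post: for each name you intend to use in an SPN it asks DNS whether the answer is an A record or a CNAME (flagging the canonical name the SPN would actually need to match), and then uses `setspn.exe` to confirm the SPN exists exactly once. It assumes `Resolve-DnsName` (Windows 8 / Server 2012 or later) and `setspn.exe` are available; the host and account names are constructed placeholders.

```powershell
# Added example: classify the DNS record behind a prospective SPN host name.
# Assumes Resolve-DnsName (Windows 8 / Server 2012+). Host names are constructed.
function Test-SpnDnsRecord {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [string]$ServiceClass = 'HTTP'
    )

    $answers = Resolve-DnsName -Name $HostName -ErrorAction SilentlyContinue
    if (-not $answers) {
        return New-Object PSObject -Property @{
            HostName = $HostName; RecordType = 'NONE'; Target = $null
            Verdict  = 'name does not resolve'
        }
    }

    $cname = $answers | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if ($cname) {
        # Kerberos canonicalises the alias, so the ticket request names the
        # CNAME target; an SPN registered only for the alias will never match.
        return New-Object PSObject -Property @{
            HostName   = $HostName
            RecordType = 'CNAME'
            Target     = $cname.NameHost
            Verdict    = "alias; SPN must be $ServiceClass/$($cname.NameHost), or change the record to an A record"
        }
    }

    $a = $answers | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
    New-Object PSObject -Property @{
        HostName   = $HostName
        RecordType = 'A'
        Target     = $a.IPAddress
        Verdict    = "ok; $ServiceClass/$HostName is looked up directly"
    }
}

# Constructed host names for illustration.
'intranet.example.local', 'k2portal.example.local' |
    ForEach-Object { Test-SpnDnsRecord -HostName $_ } |
    Format-Table HostName, RecordType, Target, Verdict -AutoSize

# setspn -Q searches the forest for an exact SPN string, which catches both
# typos (no match) and duplicates (more than one account returned); setspn -L
# lists every SPN on one account so the spelling can be eyeballed.
setspn -Q HTTP/intranet.example.local
setspn -L SVC_K2WEB    # constructed service account name
```

A duplicate SPN is as fatal as a misspelt one: the KDC cannot decide which account's key to encrypt the service ticket with and the client silently falls back to NTLM, which is exactly the pattern the 540 event check earlier in the post will surface.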

Force Kerberos to use TCP instead of UDP: create a DWORD called "MaxPacketSize" and set its value to 1 in the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters".
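Both registry tweaks (the LogLevel setting above and MaxPacketSize) live under the same key, so it is convenient to switch them on and off together. The following PowerShell is an added example rather than the author's own script; it assumes an elevated local session, and the value names, data and key path are exactly those given in the post. A restart is generally required for MaxPacketSize to take effect.

```powershell
# Added example: toggle the Kerberos diagnostic registry values from the post
# and read back the errors they produce. Assumes an elevated PowerShell session.
$kerbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Enable-KerberosDiagnostics {
    # LogLevel=1 writes Kerberos errors to the System log; MaxPacketSize=1
    # forces Kerberos over TCP so UDP fragmentation can be ruled out.
    if (-not (Test-Path $kerbKey)) { New-Item -Path $kerbKey -Force | Out-Null }
    Set-ItemProperty -Path $kerbKey -Name 'LogLevel'      -Value 1 -Type DWord
    Set-ItemProperty -Path $kerbKey -Name 'MaxPacketSize' -Value 1 -Type DWord
    Get-ItemProperty -Path $kerbKey | Select-Object LogLevel, MaxPacketSize
}

function Disable-KerberosDiagnostics {
    # Remove the values again when finished: LogLevel=1 floods the System log
    # and is not something to leave enabled on a production server.
    foreach ($name in 'LogLevel', 'MaxPacketSize') {
        Remove-ItemProperty -Path $kerbKey -Name $name -ErrorAction SilentlyContinue
    }
    Get-ItemProperty -Path $kerbKey
}

function Get-KerberosSystemErrors {
    # With logging enabled, Kerberos client errors appear in the System log
    # under the source "Kerberos"; the message names the failing SPN and the
    # KRB error code, which is usually enough to spot a typo or a wrong host.
    param([int]$Newest = 50)
    Get-EventLog -LogName System -Source Kerberos -Newest $Newest |
        Select-Object TimeGenerated, EventID, Message |
        Format-List
}

Enable-KerberosDiagnostics
# ... reproduce the failing logon from a client, then:
Get-KerberosSystemErrors
Disable-KerberosDiagnostics
```

Keep the enable/disable pair together in the same session so the noisy logging does not outlive the troubleshooting exercise.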

The following Microsoft TechNet article covers Kerberos troubleshooting and also lists further Kerberos parameters you can tweak: http://technet2.microsoft.com/windowsserver/en/library/b36b8071-3cc5-46fa-be13-280aa43f2fd21033.mspx?mfr=true

Mark Green

Published Saturday, April 19, 2008 6:45 PM by Mark_SCUK

Comments

# re: Troubleshooting Kerberos

Monday, May 19, 2008 7:35 AM by Mark_SCUK

test
