I have troubleshot many Kerberos cases over the years, and here are the best techniques and tools I have used.
1. Kerberos Event Logging (KB here):
Add the following registry value to each machine in the farm that receives Kerberos Traffic:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Registry Value: LogLevel
Value Type: REG_DWORD
Value Data: 1
To see the results, open Event Viewer > Windows Logs > System
You will now see Kerberos errors in Event Viewer, such as:
KDC_ERR_S_PRINCIPAL_UNKNOWN: This means one of two things:
1. You are missing the listed SPN and need to add it to the correct account.
2. There is a duplicate SPN affecting Kerberos delegation; to analyze the delegation, use the tool listed below (DHCheck).
KDC_ERR_ETYPE_NOTSUPP: This too means one of two things:
1. Delegation in SharePoint 2010 only supports constrained delegation. I have seen cases where one account is constrained and another is not; this causes delegation to fail and this error is thrown.
2. This is a bug with the Kerberos.dll (see my other blog).
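As an added example (not from the original post), the following PowerShell turns the LogLevel value on and off and then pulls the resulting KDC_ERR_* events out of the System log, tagging each one with the causes discussed above. It assumes the error name appears in the event message text, as it does in the events described here, and that the session is elevated.

```powershell
# Added example (not from the original post): enable Kerberos event logging,
# collect the KDC_ERR_* events from the System log, and summarise them with
# the causes listed above. Run in an elevated PowerShell session.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Enable-KerberosEventLogging {
    # LogLevel = 1 turns on Kerberos error logging (same value as the KB step above).
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    Set-ItemProperty -Path $regPath -Name 'LogLevel' -Value 1 -Type DWord
}

function Disable-KerberosEventLogging {
    # Turn logging back off once troubleshooting is finished; it is verbose.
    Set-ItemProperty -Path $regPath -Name 'LogLevel' -Value 0 -Type DWord
}

# Hints keyed by error name, taken from the causes listed in this post.
$hints = @{
    'KDC_ERR_S_PRINCIPAL_UNKNOWN' = 'SPN missing from the correct account, or a duplicate SPN (check with DHCheck).'
    'KDC_ERR_ETYPE_NOTSUPP'       = 'Mixed constrained/unconstrained delegation between accounts, or the Kerberos.dll bug.'
}

function Get-KerberosErrorSummary {
    param([int]$Hours = 24)
    # Assumption: the Kerberos errors land in the System log with the error
    # name (KDC_ERR_...) in the message text, as described in the post.
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = $since } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'KDC_ERR_[A-Z_]+' }

    $events | ForEach-Object {
        $code = [regex]::Match($_.Message, 'KDC_ERR_[A-Z_]+').Value
        # Pull the SPN out of the message when one is present (the wording varies by OS build).
        $spn  = [regex]::Match($_.Message, '(?i)\b(HTTP|MSSQLSvc|MSOLAPSvc\.3|host)/[^\s,]+').Value
        [pscustomobject]@{
            Time  = $_.TimeCreated
            Error = $code
            SPN   = $spn
            Hint  = $hints[$code]
        }
    } | Sort-Object Time -Descending
}

# Usage:
# Enable-KerberosEventLogging
# ... reproduce the failing request, then ...
# Get-KerberosErrorSummary -Hours 2 | Format-Table -AutoSize
# Disable-KerberosEventLogging
```

Run Enable-KerberosEventLogging on every server in the farm that receives Kerberos traffic, reproduce the failure, and then read the summary from each box; the SPN column tells you which account to look at with DHCheck.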
2. DHCheck (DoubleHopCheck):
This tool is great: it will tell you whether the account is trusted for delegation, the SPNs registered to the account, and the SPNs the account is constrained to. Oh, and most importantly, duplicate SPNs.
A file named "results.txt" will be placed in the C:\temp\ folder; when you open it, it will look like the below:
Distinguished name..............: CN=Account01,OU=SharePoint_Servers,OU=SharePoint_Enterprise,OU=Domain Servers,DC=AD,DC=Microsoft,DC=com
Account type....................: Computer
User Account control............: 16781344(DEC) 1001020(HEX)
Account Trusted for delegation..: False
Account sensitive for delegation: False
Constrained delegation is enabled for:
MSOLAPSvc.3/Server01:Insance
MSOLAPSvc.3/Server01.FQDN:Insance
Registered Service Principal Names:
HTTP/Server01
HTTP/Server01.FQDN
Duplicate SPN found: HTTP/Server01
Account01,CN=Account01,OU=Users01,OU=IT,OU=ABC,OU=AdminUnits,DC=,DC=Microsoft,DC=com
Account02,CN=Account02,OU=Users02,OU=IT,OU=123,OU=AdminUnits,DC=MSFT,DC=Microsoft,DC=com
To use this tool:
1. Rename the attachment from dhcheck.txt to dhcheck.vbs and save it on the Application Server (root of C:).
2. Open a command line window, browse to the same directory as dhcheck.vbs (root of C:), enter the command below, and press Enter.
cscript dhcheck.vbs Account1 Account2 Account3 > c:\temp\results.txt
*The account names (Account1, Account2, Account3) are placeholders for the accounts running Excel Services, Claims to Windows Token Service, SSAS and/or SQL (any accounts you want to collect delegation information on).
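As an added example (not the DHCheck script itself), the following PowerShell produces the same delegation facts the results.txt above shows, for one or more accounts, using the ActiveDirectory module: account type, the userAccountControl delegation bits, the constrained-delegation targets, the registered SPNs, and any other object in the domain that holds the same SPN. It assumes RSAT (the ActiveDirectory module) is installed and the caller can read the directory; the account names are placeholders.

```powershell
# Added example (not the DHCheck tool): report delegation settings and
# duplicate SPNs for the given accounts with the ActiveDirectory module.
# Assumes RSAT / the ActiveDirectory module is installed and AD is readable.
Import-Module ActiveDirectory

# userAccountControl bits relevant to delegation (documented ADS_UF_* values).
$UF_TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained delegation
$UF_NOT_DELEGATED                  = 0x100000    # "account is sensitive and cannot be delegated"
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained delegation with protocol transition

function Get-DelegationReport {
    param([Parameter(Mandatory)][string[]]$AccountName)

    foreach ($name in $AccountName) {
        # Works for user and computer accounts; computers are stored as NAME$.
        $obj = Get-ADObject -LDAPFilter "(|(sAMAccountName=$name)(sAMAccountName=$name`$))" `
                 -Properties sAMAccountName, objectClass, userAccountControl,
                             servicePrincipalName, 'msDS-AllowedToDelegateTo'
        if (-not $obj) { Write-Warning "Account '$name' not found"; continue }

        $uac  = [int]$obj.userAccountControl
        $spns = @($obj.servicePrincipalName)

        # Duplicate check: any *other* object holding one of this account's SPNs.
        # Searches the current domain; add -Server 'gc.example.com:3268' to both
        # Get-ADObject calls to search the whole forest through a global catalog.
        $duplicates = foreach ($spn in $spns) {
            Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties distinguishedName |
                Where-Object { $_.DistinguishedName -ne $obj.DistinguishedName } |
                ForEach-Object { "$spn -> $($_.DistinguishedName)" }
        }

        [pscustomobject]@{
            DistinguishedName       = $obj.DistinguishedName
            AccountType             = $obj.ObjectClass
            UserAccountControl      = ('{0}(DEC) {1:X}(HEX)' -f $uac, $uac)
            TrustedForDelegation    = [bool]($uac -band $UF_TRUSTED_FOR_DELEGATION)
            SensitiveCannotDelegate = [bool]($uac -band $UF_NOT_DELEGATED)
            ProtocolTransition      = [bool]($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION)
            ConstrainedTo           = @($obj.'msDS-AllowedToDelegateTo')
            RegisteredSPNs          = $spns
            DuplicateSPNs           = @($duplicates)
        }
    }
}

# Usage, mirroring the DHCheck command line above (placeholder account names):
# Get-DelegationReport -AccountName Account1, Account2, Account3 |
#     Format-List | Out-File C:\temp\results.txt
```

A non-empty DuplicateSPNs list is the condition that produces KDC_ERR_S_PRINCIPAL_UNKNOWN in the event log above; the KDC cannot pick one account for the SPN, so the ticket request fails until the SPN is removed from the wrong account.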