There are many reasons why Kerberos delegation may appear not to be working, but I am only going to cover one here, and it has to do with DNS names. I hit this issue today and it took me a while to drag it out of my memory, but I got there eventually.
If your website uses a single-part (single-label) host header such as http://myintranet, then you MUST register two SPNs for the site if you want it to run under Kerberos. So if your domain's DNS name (the root fully qualified domain name, FQDN) is mydomain.local and the Application Pool identity for the web application you want to run under Kerberos is mydomain\myapppoolaccount, then you must register the following two SPNs:
setspn -S HTTP/myintranet mydomain\myapppoolaccount
setspn -S HTTP/myintranet.mydomain.local mydomain\myapppoolaccount
The reason is that there is no 'dot' in the host name. The client treats myintranet as a short machine name rather than a fully qualified one, resolves it through DNS (which appends the domain's DNS suffix), and then asks the KDC for a ticket for HTTP/myintranet.mydomain.local rather than HTTP/myintranet. If only the short SPN is registered, the KDC has no account to issue that ticket for and Kerberos fails. Worse, the failure is usually silent: Negotiate falls back to NTLM, the user still gets into the site, and only the delegation hop breaks, because NTLM credentials cannot be delegated.
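The following PowerShell script is an added example and is not code from the original post. It walks the procedure above: it builds both SPN forms from the host header and DNS suffix, queries the forest for an existing owner of each SPN before registering it (a duplicate SPN breaks Kerberos just as surely as a missing one), then checks on a client that a Kerberos service ticket for the FQDN form was actually issued. The names myintranet, mydomain.local and mydomain\myapppoolaccount are the post's placeholders; substitute your own. It assumes a domain-joined machine with setspn.exe available and an account permitted to write servicePrincipalName on the app pool account.

```powershell
# Added example, not part of the original post. Registers the two SPNs a
# single-label host header needs, refuses to create duplicates, and verifies
# that a client ends up with a Kerberos ticket rather than an NTLM fallback.
# Placeholder names are the post's; setspn.exe ships with AD DS / RSAT.

$HostHeader  = 'myintranet'                 # single-label host header from the site binding
$DnsSuffix   = 'mydomain.local'             # the domain's DNS name
$AppPoolAcct = 'mydomain\myapppoolaccount'  # app pool identity (a domain user account)

# Both SPNs a client may ask the KDC for: the short name taken from the host
# header, and the FQDN the client builds once DNS resolution appends the suffix.
$Spns = @("HTTP/$HostHeader", "HTTP/$HostHeader.$DnsSuffix")

foreach ($spn in $Spns) {
    # setspn -Q searches the forest for any account already holding this SPN.
    $existing = & setspn.exe -Q $spn 2>&1
    if ($existing -match 'No such SPN found') {
        Write-Host "Registering $spn on $AppPoolAcct"
        # -S adds the SPN only after confirming no duplicate exists in the forest.
        & setspn.exe -S $spn $AppPoolAcct
    }
    else {
        # Another account owns it: do not add a second copy, work out which is correct.
        Write-Host "$spn is already registered:`n$($existing -join "`n")"
    }
}

# Show what the account now holds, then run the forest-wide duplicate scan.
& setspn.exe -L $AppPoolAcct
& setspn.exe -X

# Client-side check, run after browsing to http://$HostHeader in a browser that
# is allowed to use integrated authentication for that site. A service ticket
# for the FQDN form should be in the cache; if authentication "worked" but the
# ticket is absent, the browser most likely fell back to NTLM.
$tickets = & klist.exe 2>&1
if ($tickets -match "HTTP/$HostHeader\.$DnsSuffix") {
    Write-Host "Kerberos service ticket for HTTP/$HostHeader.$DnsSuffix is present"
}
else {
    Write-Warning "No Kerberos ticket for HTTP/$HostHeader.$DnsSuffix in the cache; check for NTLM fallback"
}
```

Run the registration part once on any domain-joined machine as an account that can write to the app pool account, and the klist part on a workstation after visiting the site. One caveat for newer IIS versions: with kernel-mode authentication enabled (the default on IIS 7 and later) the ticket is decrypted with the machine account's key, so SPNs registered on the app pool account only take effect if useAppPoolCredentials is set to true for the site, or kernel-mode authentication is turned off.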
I fell for this one today and it cost me some time. Once I registered the second, FQDN SPN everything clicked into place.
Cheers
Dave Mc