I have troubleshot many Kerberos cases over the years, and here are the best techniques and tools that I have used.
1. Kerberos Event Logging (KB here):
Add the following registry value to each machine in the farm that receives Kerberos traffic:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Registry Value: LogLevel
Value Type: REG_DWORD
Value Data: 1
To see the results, open Event Viewer > Windows Logs > System
Kerberos errors will now appear in Event Viewer. You will see a variety of errors, such as:
KDC_ERR_S_PRINCIPAL_UNKNOWN: This means one of two things:
1. You are missing the listed SPN and need to add it to the correct account.
2. There is a duplicate SPN affecting Kerberos delegation. To analyze the delegation, use the DHCheck tool listed below.
KDC_ERR_ETYPE_NOTSUPP: This too means one of two things:
1. Delegation in SharePoint 2010 only supports Constrained Delegation. I have seen cases where one account is constrained and another is not; this causes delegation to fail and this error is thrown.
2. This is a bug with the Kerberos.dll (see my other blog).
2. DHCheck (DoubleHopCheck):
6366.DHCheck.zip
This tool is great: it will tell you whether the account is Trusted for Delegation, the SPNs registered to the account, and the SPNs the account is constrained to. Oh, and most importantly, duplicate SPNs.
A file named "results.txt" will be placed in the C:\temp\ folder. When you open it, it will look like the below:
Distinguished name..............: CN=Account01,OU=SharePoint_Servers,OU=SharePoint_Enterprise,OU=Domain Servers,DC=AD,DC=Microsoft,DC=com
Account type....................: Computer
User Account control............: 16781344(DEC) 1001020(HEX)
Account Trusted for delegation..: False
Account sensitive for delegation: False
Constrained delegation is enabled for:
MSOLAPSvc.3/Server01:Insance
MSOLAPSvc.3/Server01.FQDN:Insance
Registered Service Principal Names:
HTTP/Server01
HTTP/Server01.FQDN
Duplicate SPN found: HTTP/Server01
Account01,CN=Account01,OU=Users01,OU=IT,OU=ABC,OU=AdminUnits,DC=,DC=Microsoft,DC=com
Account02,CN=Account02,OU=Users02,OU=IT,OU=123,OU=AdminUnits,DC=MSFT,DC=Microsoft,DC=com
To use this tool:
1. Rename the attachment from dhcheck.txt to dhcheck.vbs and save it on the Application Server (root of C:).
2. Open a command line window, browse to the same directory as dhcheck.vbs (root of C:), enter the command below, and press Enter.
cscript dhcheck.vbs Account1 Account2 Account3 > c:\temp\results.txt
*Account1, Account2 and Account3 stand for the accounts running Excel Services, Claims to Windows Token Services, SSAS and/or SQL (any accounts you want to collect delegation information on).
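As an added example (not part of DHCheck or the original post), this Python script reads output in the style of the results.txt excerpt above, decodes the delegation-related bits of the User Account control value, and lists the owners of each duplicate SPN. The one-field-per-line layout and the function name summarize are assumptions, and the sample input is constructed.

```python
import re

# userAccountControl bits relevant to delegation (Active Directory flag values).
UAC_FLAGS = {
    0x00080000: "TRUSTED_FOR_DELEGATION",          # unconstrained delegation
    0x00100000: "NOT_DELEGATED",                   # account is sensitive
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # protocol transition
}

# Constructed sample in the style of the results.txt excerpt (assumed layout).
SAMPLE = """\
Distinguished name..............: CN=Account01,OU=SharePoint_Servers,DC=AD,DC=Microsoft,DC=com
Account type....................: Computer
User Account control............: 16781344(DEC) 1001020(HEX)
Account Trusted for delegation..: False
Account sensitive for delegation: False
Constrained delegation is enabled for:
MSOLAPSvc.3/Server01:Instance
Registered Service Principal Names:
HTTP/Server01
Duplicate SPN found: HTTP/Server01
Account01,CN=Account01,OU=Users01,DC=Microsoft,DC=com
Account02,CN=Account02,OU=Users02,DC=Microsoft,DC=com
"""

def summarize(text):
    """Return per-account findings parsed from DHCheck-style output."""
    accounts, cur, dup = [], None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("Distinguished name"):
            cur = {"dn": line.split(":", 1)[1].strip(), "uac_flags": [], "duplicates": {}}
            accounts.append(cur)
            dup = None
        elif cur is None:
            continue  # ignore anything before the first account block
        elif line.startswith("User Account control"):
            uac = int(re.search(r"(\d+)\(DEC\)", line).group(1))
            cur["uac_flags"] = [n for bit, n in UAC_FLAGS.items() if uac & bit]
        elif line.startswith("Duplicate SPN found:"):
            dup = line.split(":", 1)[1].strip()
            cur["duplicates"][dup] = []
        elif dup and "," in line and "CN=" in line:
            cur["duplicates"][dup].append(line.split(",", 1)[0])  # owner name before its DN
        else:
            dup = None  # any other line ends the duplicate-owner list
    return accounts

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

For the sample value 16781344, only the protocol-transition bit is set among the three delegation flags, which matches the two "False" lines in the report.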