How to debug SharePoint and KCD/Kerberos tickets.
This article outlines some additional configurations that may be required when load balancing a SharePoint site with Edge Security Pack (ESP), and Server Side Authentication set to Kerberos Constrained Delegation (KCD).
This article does not cover the initial ESP Client Side Configuration or the KCD Server Side Configuration. See the following links for information regarding the implementation of this part of the configuration.
1. Enable Kerberos on SharePoint
a. Log into your SharePoint Admin Portal. Go to Manage Web Applications > SharePoint Site > Authentication Providers.
b. Under Edit Authentication, set Integrated Windows authentication to Negotiate (Kerberos).
2. Enable Kernel Mode Authentication
When the LoadMaster requests a Kerberos ticket, it uses the Fully Qualified Domain Name (FQDN) of the Real Server.
The Kerberos server or Domain Controller therefore encrypts the ticket with the key of the Real Server's machine account. If the SharePoint application pool runs under a different account, it cannot decrypt that ticket, so connections to the SharePoint Site fail with a 401 authentication popup.
A simple solution to this behavior is to enable Kernel Mode Authentication on the IIS Server.
IIS Manager > SharePoint > Authentication > Windows Integrated Authentication > Advanced Settings > Enable Kernel Mode Authentication.
3. SPN Service Account
In some scenarios, it is not possible to enable Kernel Mode Authentication, for example when back-end servers or internal clients must connect directly to SharePoint rather than through the LoadMaster. In these cases, Kernel Mode Authentication must be disabled.
If this is the case, the Kerberos server must encrypt the KCD ticket using the SharePoint Service Account.
The SharePoint Service Account is found under IIS Manager > Application Pools > SharePoint Site or in the SharePoint Admin Portal under Security > Configure Service Accounts.
Note: All SharePoint Sites must be using the same Service Account.
After the SharePoint Service Account is retrieved, open the command line on your Domain Controller and run the following command (replace IIS_SERVER_FQDN with the Real Server FQDN used by the LoadMaster, and domain\SharePointServiceAccount with the account identified above):
SetSPN -S HTTP/IIS_SERVER_FQDN domain\SharePointServiceAccount
The -S switch registers the SPN only if no other account already holds it; a duplicate SPN is a common cause of the 401 popup described above.
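The following PowerShell script is an added example, not part of the original article, for verifying steps 1 to 3 on the IIS/SharePoint server: it reads the authentication providers and Kernel Mode setting for the site, finds the application pool identity, and checks which account holds the HTTP SPN. It assumes the WebAdministration module and setspn.exe are available, that it runs elevated on the IIS server, and that the site name and FQDN are placeholders you replace.

```powershell
# Added example (not from the original article or the LoadMaster vendor).
# Assumes: WebAdministration module, elevated session on the IIS server,
# setspn.exe reachable. $SiteName and $Fqdn are placeholders.
Import-Module WebAdministration

$SiteName = 'SharePoint - 80'     # placeholder: IIS site name
$Fqdn     = 'sp.corp.example'     # placeholder: Real Server FQDN used by the LoadMaster

$appHost = 'MACHINE/WEBROOT/APPHOST'
$filter  = 'system.webServer/security/authentication/windowsAuthentication'

# Step 1: Negotiate must come before NTLM, otherwise Kerberos is never offered.
$providers = (Get-WebConfigurationProperty -PSPath $appHost -Location $SiteName `
              -Filter "$filter/providers" -Name Collection).value
Write-Host "Providers (first wins): $($providers -join ', ')"
if ($providers[0] -ne 'Negotiate') { Write-Warning 'Negotiate is not the first provider.' }

# Step 2: with kernel mode on, the ticket is decrypted with the machine account key.
$kernelMode = [bool](Get-WebConfigurationProperty -PSPath $appHost -Location $SiteName `
               -Filter $filter -Name useKernelMode).Value
Write-Host "useKernelMode: $kernelMode"

# Step 3: with kernel mode off, the app pool identity must own HTTP/<fqdn>.
$pool     = (Get-Website -Name $SiteName).applicationPool
$identity = (Get-ItemProperty "IIS:\AppPools\$pool" -Name processModel).userName
Write-Host "App pool '$pool' runs as: $identity"

# setspn -Q lists the distinguished name(s) of every account holding the SPN.
$spnOutput = & setspn.exe -Q "HTTP/$Fqdn"
$owners    = @($spnOutput | Where-Object { $_ -match '^CN=' })

if ($owners.Count -eq 0) {
    Write-Warning "No account holds HTTP/$Fqdn; the DC cannot issue a ticket for it."
} elseif ($owners.Count -gt 1) {
    Write-Warning "Duplicate SPN (Kerberos will fail): $($owners -join '; ')"
} elseif (-not $kernelMode) {
    # Approximation: compares the account's CN with the sAMAccountName of the pool identity.
    $sam = ($identity -split '\\')[-1]
    if ($owners[0] -notmatch "^CN=$([regex]::Escape($sam))(,|$)") {
        Write-Warning "SPN owned by '$($owners[0])' but the pool runs as '$identity'; " +
                      'the ticket is encrypted with the wrong key, expect a 401 popup.'
    } else {
        Write-Host "SPN owner matches the application pool identity."
    }
} else {
    Write-Host "Kernel mode is on; SPN owner: $($owners[0])"
}
```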