Kerberos Survival Guide

Add resources you find useful, and/or rearrange the ones that are here, for example, by adding new sections

Introductory Information

• Kerberos Explained
• Exploring Kerberos, the Protocol for Distributed Security
• Kerberos for the Busy Admin
• What's in a Token
• Frequently Asked Questions about Kerberos
• Sharing a Secret: How Kerberos Works
• Explained: Windows Authentication in ASP.NET 2.0 - an old article that explains Kerberos and NTLM and the differences between them.
• Kerberos: An Authentication Service for Open Network Systems
• Kerberos Portal (more Wiki Articles)

Technical Articles

• Kerberos [MSDN]
• Understanding Kerberos Double Hop
• Security Developer Resources
• Service Principal Names (SPNs)
• Windows Ports, Protocols, and System Services
• How the Kerberos Version 5 Authentication Protocol Works
• Kerberos: The Network Authentication Protocol [MIT]
• What Is in a Ticket?
• Kerberos documentation for Windows 7, Windows Vista and Windows Server 2008 R2
• Kerberos and Load Balancing
• Active Directory Replication Over Firewalls 
• Kerberos Authentication for Load Balanced Web Sites
• SCVMM Administrator Console Authentication
• Updated requirements for a Windows Server 2008 R2 domain controller certificate from a 3rd party CA 
• Kerberos Authentication for IIS 7
• Kerberos in Multi-Tier Applications - Part 1 - Properly Configuring SPNs 
• Kerberos errors in network captures
• Kerberos Keytabs - Explained
• Configure Kerberos Forest Search Order (KFSO) topic on TechNet

Transition Technologies

Configuration / Troubleshooting

• Authentication requests between nodes in the same failover cluster may be unable to use the Kerberos protocol if the Negotiate SSP is specified in Windows Server 2008 R2
• Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1
• Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2
• Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 3
• Dynamics CRM 4.0 Kerberos Configuration
• Dynamics CRM Troubleshooting Kerberos (This is Part 2 of above) Good article showing how to use WireShark, Fiddler, ADSI Edit and Klist.
• Error: Code: 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN
• Error: "Not enough storage is available to complete this operation" message when you use a Windows Server 2003-based domain controller to join a Windows XP-based client computer to a domain
• Event ID 4 Kerberos Client Configuration
• Event ID 11 Kerberos could not authenticate a principal name because the name was not configured correctly
• Event ID 26 (on KDC)
• FIM Identity Management Portal Accessing using a Sensitive Account (cannot be delegated) 
• Logging, How to enable Kerberos event logging
• Passwords: "No computer account for trust" error when you change domain account password in Windows after installing MS16-014 (Feb 2016)
• Passwords: Troubleshooting failed password changes after installing MS16-101 (Oct 2016)
• Troubleshooting AD Replication error 1908: Could not find the domain controller for this domain
• Troubleshooting Kerberos Authentication problems – Name resolution issues
• Troubleshooting HTTP 401 errors in IIS

Windows Support for Kerberos

• Kerberos for Microsoft BI
• FIM 2010: Kerberos Authentication Setup
• FIM 2010 R2: Kerberos Authentication Setup
• Kerberos Interoperability Step-by-Step Guide for Windows Server 2003
• How to Configure the Exchange 2010 RPS URI
• How It Works: Automatic Client Approval in Configuration Manager 2007
• Enabling Kerberos Authentication for MAPI Clients Connecting to Exchange 2010 SP1
• Configure Kerberos Authentication for SharePoint 2010 Products
• SharePoint 2010: Configuring Kerberos Authentication Plan for Kerberos authentication (SharePoint Server 2010)
• Updated requirements for a Windows Server 2008 R2 domain controller certificate from a 3rd party CA
• Understanding By-Design Behavior of ISA Server 2006: Using Kerberos Authentication for Web Proxy Requests on ISA Server 2006 with NLB
• Understanding Kerberos Credential Delegation in Windows 2000 Using the TktView Utility Configuring Kerberos (SharePoint 2010)
• New in SP2: Kerberos Authentication in Load Balanced Scenarios (Forefront TMG)
• Kerberos Security Support Provider (Windows Embedded Compact 7)
• What's new in Kerberos Authentication (Windows Server 8)
• Forefront UAG Troubleshooting: The Application Uses KCD for SSO, but No Claim Type Is Provided
• Windows Server 2008 and Windows Server 2008 R2 Support Tools 
• Configuring Kerberos Authentication for Microsoft SharePoint 2010 Products

Hands On

Deployment Resources

Case Studies

Developer Resources

• Registering Kerberos Service Principal Names by Using Http.sys
• Service Principal Name (SPN) checklist for Kerberos authentication with IIS 7.0/7.5

Tools

• Kerbtray - This tool is used to display ticket information for a given computer running the Kerberos protocol.
• KList - View and delete the Kerberos tickets granted to the current logon session.
• Kerberos PowerShell Module - This module gives access to the Kerberos Ticket cache like klist.exe. 
• Kerberos Authentication Tester - Great diagnostic tool - runs as an executable - no installation required.

• • It shows what authentication method is used in a web request: None, Basic, NTLM or Kerberos
  • It shows the SPN used in case of Kerberos
  • It shows the HTTP status
  • It shows the HTTP Headers of the request.
  • It shows the version of NTLM used (v1 or v2)
  • It has a detailed view with a complete breakdown of the Authorization header. (Yep, went through all the RFCs to dissect the Kerberos and NTLM packages)
  • It shows your current Kerberos tickets and allows you to remove them (like klist.exe)

Videos

• Kerberos Authentication Demo   Windows Authentication Deep Dive What Every Administrator Should Know - Tech·Ed North America 2011
• Cracking Open Kerberos: Understanding How Active Directory Knows Who You Are - Mark Minasi
• Implementing Kerberos with PerformancePoint Services and Excel Services
• Kerberos Authentication -- how it works

Books

• E-Book Gallery for Microsoft Technologies
  • (Includes "Configure Kerberos Authentication for SharePoint 2010 Products". This document covers the concepts of identity in SharePoint 2010 products, how Kerberos authentication plays a critical role in authentication and delegation in business intelligence scenarios, and the situations where Kerberos authentication should be leveraged or may be required in solution designs).

Blogs

• http://blog.kerberos.org/
• Ask the Directory Services Team - Kerberos

Forums

• Kerberos on stackoverflow
• Security for Applications in Microsoft Windows [MSDN]
• IIS 5.x & 6.0 - Security [MSDN]
• IIS7 - Security [MSDN]

Twitter

Industry and Other Resources

• Kerberos on Wikipedia
• Kerberos Network Authentication Service

See Also

• Wiki: List of Technologies and Related Topics
• Wiki: Survival Guides Portal