Kerberos Constrained Delegation – Troubleshooting Tools (Part 5 of 6)

In Part 4 of this series (Kerberos Constrained Delegation – Troubleshooting Tools), I discussed Internet Explorer setup.  To date, the series has been about steps needed to set up Kerberos Constrained Delegation with Windows Integrated Authentication.  While the first parts of the series were not a step-by-step guide in how to set up Kerberos, it was meant to provide an overall checklist of things to make sure were properly set up.  What happens if you have an issue with Kerberos after it is set up?  That’s what this part of the series is about.

Unfortunately, many Kerberos setups have problems because:

  1. Not well documented, by Microsoft, which SPNs need to be created for each application
  2. Setting up SPNs can sometimes be problematic (you can find a lot of information about duplicate SPNs on the web)
  3. Configuration occurs on various servers that usually cross department boundaries or at least different people (Active Directory, IIS, Windows Clients, …)
  4. Administrators are generally unfamiliarity with the subject matter
  5. There is a lack of tools to help automate this process
  6. It’s not something that you do everyday (infrequent need for security setup)

Let’s look at some troubleshooting tools that can help point out issues with Kerberos setup.  I would typically use these tools in this order (similar to the setup steps we have taken in the earlier parts of this series).


Dhcheck.vbs – Checks your Active Directory work (including Duplicate SPNs).  Provides documentation for SPNs.

This is a great command line tool to check your SPNs and see if your Active Directory work was done correctly.  This tool documents your SPNs for your future needs as well.  If you test your SPNs in a development environment prior to going into production, you will have a nice roadmap of what you need to do to complete your production implementation correctly.  See Part 2 (Kerberos Constrained Delegation – Active Directory) for details on SPN setup.

Input Example

cscript dhcheck.vbs account1 [account2 [account […]]]
cscript dhcheck.vbs ServerMOSS$ ServerSSRS$ ServerSQL$ MOSS2007webapp SSRSwebapp SQLService > SPNoutputfile.txtNote:  The $ after the machine name (machinename$) indicates a machine (not a user account).


Output Example (for 2 accounts – 1 computer, 1 user)


Distinguished name…………..: CN=ServerMOSS,OU=MOSS07,OU=Prod,OU=Servers,DC=domain,DC=com
Account type………………..: Computer
User Account control…………: 528888(DEC) 80000(HEX)
Account Trusted for delegation..: True
Account sensitive for delegation: False
Registered Service Principal Names:
Checking for Duplicate SPNs…
No Duplicate SPNs found.


Distinguished name…………..: CN=MOSS2007webapp,OU=SSRS,OU=Prod Accounts,DC=domain,DC=com
Account type………………..: User
User Account control…………: 66888(DEC) 10000(HEX)
Account Trusted for delegation..: False
Account sensitive for delegation: False
Constrained delegation is enabled for:
Registered Service Principal Names:
Checking for Duplicate SPNs…
No Duplicate SPNs found.


DelegConfig – Tool that allows you to walk through your IIS configuration and check for issues.

It points out specific IIS and SPN issues and helps you resolve them.  This is the best in class tool for troubleshooting Kerberos issues.  I’ve used DelegConfig V1 but noticed there is a new Beta (DelegConfig V2 (Beta)).  It looks like it now supports IIS 7 and helps you correct some of the issues such as adding and removing SPNs!  DelegConfig walks you through a process to help you determine what is wrong and gives you some explanation as to how to correct the issues.


While not mentioned as a specific tool here, you can use the command line to check and set your Metabase settings.  I’ve given the commands for this in Part 3 (Kerberos Constrained Delegation – IIS Setup).  You can also review IIS setup in this section.

Kerbtray.exe – GUI tool that allows you to examine the Kerberos ticket information

You can use Kerbtray to look at the details of the Kerberos ticket that is being returned to your PC client.  It runs in the status area of your desktop.  You can “purge tickets” and then run your IE process (call your web site for the various product such as SharePoint).  You can then “List Tickets” to see the information that is being returned.  When a ticket is correctly returned, it has information similar to that listed below.  Similarly, there is information in the other tabs (like Times, Flags, Encryption types).  When a ticket is not returned correctly, some of this information will be missing and often times the krbtgt is not being returned from the domain controller as expected.  This typically leads you to an incorrect SPN or IE setup.  If you have already checked your SPNs with the tools mentioned above, it is probably and IE setup error.  See Part 4 (Kerberos Constrained Delegation – Internet Explorer Setup) of this series for setup instructions.


Microsoft Network Monitor 3.3 – Tool that allows you to capture and analyze network traffic.

This tool provides very detailed network packet information (not for the average administrator).  You may want to install this on the server and client when troubleshooting.  It allows you to capture network data in real time and then examine the data to ensure protocols are correctly parsed, etc.

Additional Troubleshooting Guides

You can spend a lot of time troubleshooting security issues.  Security issues are particularly difficult to troubleshoot because normally they do not provide you with a lot of feedback on exactly what is wrong.  This in general is the nature of security issues.  If you are setting up products and trying to use Kerberos Constrained Delegation, then I suggest you try the above tools.  The best overall tool for troubleshooting issues is DelegConfig.  The newer version offers even more help.

Troubleshooting Kerberos Additional References

Do you have any other tool suggestions?  Leave a comment and let others know about other troubleshooting tools and how you use them.

This section of the series describes Kerberos troubleshooting tools and the areas of Kerberos setup that they address.  The final installment on this topic will be a wrap up of the series.

FUTURESULTS, LLC Blog and FUTURESULTS, LLC Web Site are both created by Robert Lambrecht. Tags: , , , , , , , , , , , , , , , , , , , , ,
This entry was posted in Security and tagged , , , , , , , , , , , , , , , , , , , , , , . Bookmark the permalink.

One Response to Kerberos Constrained Delegation – Troubleshooting Tools (Part 5 of 6)

  1. Pingback: Kerberos Constrained Delegation – Wrap-up (Part 6 of 6) | FUTURESULTS, LLC Blog

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s