Saturday, May 21, 2011

Using Kernel-Mode with SharePoint 2010 Farm

I will start with this quote from Microsoft: "Kernel Mode Authentication is not supported in SharePoint 2010 Products. This information is provided for informational purposes only."
But Microsoft gave us a workaround for this issue. As you probably know, Kernel-Mode means the Kerberos tickets are decrypted using the SPNs that exist on the machine account instead of the custom application pool identity.
What we are going to do is tell IIS to use the application pool identity instead of the machine account when Kernel-Mode is enabled.


What we need to do is very simple: just read this article from Microsoft about adding the attribute useAppPoolCredentials to the ApplicationHost.config file (located at: %windir%\system32\inetsrv\config\), for example:

<system.webServer>
   <security>
      <authentication>
         <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />
      </authentication>
   </security>
</system.webServer>
I tested this workaround in a testing environment (Tier 1 - 2 WFE servers with NLB, 2nd tier - Application Server, 3rd tier - SQL server) and it works perfectly. If you have more information about issues with this workaround, please share it with us, thanks.
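To check a farm for this setting without opening each config by hand, here is an added PowerShell audit script (my own example, not from Microsoft's article). It parses ApplicationHost.config (the default IIS 7 path, or a copy passed in -ConfigPath, which is an assumed parameter name) and flags every scope where Windows authentication runs in kernel mode without useAppPoolCredentials, which is exactly the combination that breaks Kerberos when the application pool runs as a domain account:

```powershell
# Added example: audit ApplicationHost.config for the kernel-mode / app-pool-credentials mismatch.
# -ConfigPath is an assumed parameter; default is the standard IIS 7 location.
param(
    [string]$ConfigPath = "$env:windir\system32\inetsrv\config\applicationHost.config"
)

function Get-WindowsAuthSettings {
    param([System.Xml.XmlElement]$Scope, [string]$Name)
    # The element may be absent at this scope; $null means "inherits from the parent scope"
    $node = $Scope.SelectSingleNode("system.webServer/security/authentication/windowsAuthentication")
    if ($null -eq $node) { return $null }
    # A missing attribute means the IIS 7 default: enabled=false, useKernelMode=true, useAppPoolCredentials=false
    $enabled  = $false; if ($node.HasAttribute('enabled'))               { $enabled  = [bool]::Parse($node.enabled) }
    $kernel   = $true;  if ($node.HasAttribute('useKernelMode'))         { $kernel   = [bool]::Parse($node.useKernelMode) }
    $poolCred = $false; if ($node.HasAttribute('useAppPoolCredentials')) { $poolCred = [bool]::Parse($node.useAppPoolCredentials) }
    New-Object PSObject -Property @{
        Scope                 = $Name
        Enabled               = $enabled
        UseKernelMode         = $kernel
        UseAppPoolCredentials = $poolCred
    }
}

[xml]$config = Get-Content -Path $ConfigPath
$results = @()

# Server-wide defaults sit directly under <configuration>
$serverDefaults = Get-WindowsAuthSettings -Scope $config.configuration -Name '(server defaults)'
if ($serverDefaults) { $results += $serverDefaults }

# Per-site and per-application overrides live in <location path="..."> elements
foreach ($loc in $config.configuration.SelectNodes('location')) {
    $s = Get-WindowsAuthSettings -Scope $loc -Name $loc.path
    if ($s) { $results += $s }
}

foreach ($r in $results) {
    $verdict = 'ok'
    if ($r.Enabled -and $r.UseKernelMode -and -not $r.UseAppPoolCredentials) {
        # Kernel mode will decrypt tickets with the machine account SPNs; a custom app pool account needs useAppPoolCredentials="true"
        $verdict = 'CHECK: set useAppPoolCredentials="true" if this app pool runs as a domain account'
    }
    "{0,-30} enabled={1} useKernelMode={2} useAppPoolCredentials={3} -> {4}" -f `
        $r.Scope, $r.Enabled, $r.UseKernelMode, $r.UseAppPoolCredentials, $verdict
}
```

Run it on each WFE; a scope reported as CHECK whose application pool runs under a domain account is the case this post's workaround fixes, while the same line for a pool running as Network Service is the normal default.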

Friday, May 20, 2011

DelegConfig (Delegation / Kerberos Configuration Tool)

We all know how frustrating it is to configure Kerberos in some situations. I want to show you now a really nice tool by Brian Murphy-Booth that can help you pass smoothly through that part of building a new secure environment using Kerberos \ Constrained Delegation, and for SharePoint, yes, this tool supports SharePoint as a service type as well as other back-end service types for checking double hopping; you can see it in the picture below.

I recommend that you read the Welcome page when you open the tool for the first time.

The DelegConfig overview below is taken from here.
Overview
This is an ASP.NET application used to help troubleshoot and configure IIS and Active Directory to allow Kerberos and delegating Kerberos credentials.

Features
- Supports IIS 6.0 as well as IIS 7.0 (useKernelMode / useAppPoolCredentials)
- Allows adding backend servers of type UNC, HTTP, LDAP, OLAP, SQL, SSAS, and RDP
- Allows chaining of multiple hops (versus only a single backend)
- Performs duplicate SPN check against all trusted domains.


/Set/SPNs.aspx - Allows adding and removing of ServicePrincipalNames.

/Set/Delegation.aspx - Allows changing Trust for Delegation settings.

/Set/Providers.aspx - Allows correcting of inadequate NTAuthenticationProviders settings.

/Report.aspx - Gives a picture of what is right and what is wrong.

/Wizard.aspx - A set of wizard steps that supports adding more tiers to /Report.aspx.

/Test.aspx - Allows double-hop tests for webServer-to-Sql or webServer-to-fileServer or webServer-to-webServer.

Requirements
IIS 6.0 or IIS 7.0
ASP.NET 2.0 or higher
I started using it on every IIS\SharePoint server: just create a new site pointing to the DelegConfig folder and keep the site stopped, then start it when you want to check a Kerberos problem. My friend (Assaf Lev from Matrix Company) gave this tool the nickname "Kerbi" :-)



As well, don't forget that you can use "setspn.exe -x" to see duplicate SPNs in your domain (only in the new setspn version in Win2K8). Refer to this link (read it!) for more new features.

If you have new info to share with me and other viewers, just leave a comment. Thanks and good luck, my friends.