https:\/\/thycotic.force.com\/support\/s\/article\/Configuring-Firefox-for-Integrated-Windows-Authentication<\/a><\/p>\n\n\n\n …and the IIS webserver<\/strong> needed configuring:<\/p>\n\n\n\n http:\/\/woshub.com\/configuring-kerberos-authentication-on-iis-website\/<\/a><\/p>\n\n\n\n A couple of things needed to happen on the KDC but they’re covered in the link above as I recall.<\/p>\n\n\n\n I have grandly titled these five scenarios as the The Five Trials of Kerberos just because we\u2019ve got a bit of a mythological thing going on and it’s got a ring to it.<\/p>\n\n\n\n The First Trial<\/strong><\/p>\n\n\n\n You browse to the website and you see…<\/p>\n\n\n\n You break out Wireshark to see what’s going on and you see…<\/p>\n\n\n\n This one’s an easy one; all answers at the bottom of the post<\/p>\n\n\n\n The Second Trial<\/strong><\/p>\n\n\n\n You browse to the website and see\u2026<\/p>\n\n\n\n There are no Kerberos packets in the trace this time.<\/p>\n\n\n\n The Third Trial<\/strong><\/p>\n\n\n\n Now this trial is a little unusual in that I did something that broke Kerberos but the website continued working and authentication was happening. I was a little surprised by this myself though it made sense when I worked out what was going on. Anyway, the Kerberos error was this:<\/p>\n\n\n\n If I showed much more of the trace then you\u2019d probably work out what was going on and it is supposed to be a trial\u2026. so instead I\u2019ll tell you that if the webserver was busy you would notice the authentication server’s CPU usage has gone up compared to its usual baseline.<\/p>\n\n\n\n The Fourth Trial<\/strong><\/p>\n\n\n\n This follows the pattern of the previous trial in that Kerberos stops working but access to the website continued for the same reasons as above. However, this time there was more in the Kerberos trace:<\/p>\n\n\n\n Of the Kerberos errors supplied thus far these are probably the least helpful.<\/p>\n\n\n\n The Fifth Trial<\/p>\n\n\n\n The fifth and final trial is the trickiest as you might expect. You\u2019d probably need to be fairly unlucky to see this one in the wild\u2026<\/p>\n\n\n\n This time it\u2019s properly broken\u2026<\/p>\n\n\n\n There\u2019s no Kerberos at all in the Wireshark trace. There is an attempt at NTLM but obviously that\u2019s not good enough.<\/p>\n\n\n\n I won’t dwell on this one and so to the answers…<\/p>\n\n\n\n Answer One<\/strong><\/p>\n\n\n\n The ticket is not yet valid. This is because I moved the time ahead on the KDC server. Kerberos will give you 5 minutes leeway but I moved it ahead an hour. If the client time is behind you will see the error.. I tried this the other way around\u2026 so the client was at 9:35 am and the KDC at 7:34 am and the authentication still worked!!<\/p>\n\n\n\n I put this down to the token being within the valid time range. There are probably ways to stop this happening but we’ll move on..<\/p>\n\n\n\n Answer Two<\/strong><\/p>\n\n\n\n The eagle-eyed amongst you would have noticed the website was not being accessed by the URL 'web.labtinker.net' but instead '18.135.13.153\/' for which a CNAME entry had been created. It is possible to get to the website by a different URL but more work needs to be done. More on this later.<\/p>\n\n\n\n Answer Three<\/strong><\/p>\n\n\n\n On this occasion I had deleted the SPN on the KDC by using the command:<\/p>\n\n\n\n Setspn -d HTTP\/web.labtinker.net iis_kerb<\/p>\n\n\n\n This meant there was no mapping between a service principal and a user. The authentication carried on working because NTLM took over when Kerberos failed.<\/p>\n\n\n\n When you specify negotiation schemes you can\u2019t explicitly specify \u2018Kerberos\u2019 but instead specify \u2018negotiate\u2019 and this will try Kerberos then try NTLM. In Trials 1 and 2 there was no failback to NTLM, in this trial there was\u2026 not altogether sure why the difference in behaviour.<\/p>\n\n\n\n This does lead us on to spn\u2019s. To make the negotiation work for 18.135.13.153\/<\/a> we have to do the three following things:<\/p>\n\n\n\n![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/10\/image-12.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/10\/image-14.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/10\/image-15.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/10\/image-16.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/10\/image-17.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/10\/image-18.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/10\/image-19.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/10\/image-20.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/10\/image-21.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/10\/image-22.png\")
<\/figure>\n\n\n\n![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/10\/image-23.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/10\/image-24.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/10\/image-25.png\")
![\"\"](\"http:\/\/18.135.13.153\/wp-content\/uploads\/2020\/10\/image-26.png\")