I am doing some testing with the CRM List Web Part and as part of that am running into the world famous double hop issue with NTLM. As a result I switched authentication over to Kerberos authentication. Little background info - this is a test environment and is a single server farm. All clients on single domain. SP Build # 14.0.6106.5002
If I connect through a client machine it authenticates via NTLM. I have verified this via the Security event log. I did a packet capture and noticed that the SP server doesn't offer Kerberos authentication as an authentication method. The web part also does not work (which I expect at that point). I had purged the Kerberos tickets on the server before requesting the web page and none show up afterwards.
When I access the same URL on the SP server it authenticates via Kerberos. Verified by the Event Log and the packet capture. I also notice that there is a KRBTGT ticket when I run klist after requesting the web page (again, purging before requesting the web page). The web part also works but should even with NTLM since it is a single hop authentication at that point.
I have set up IIS Authentication Settings in the Default Authentication Provider to use Kerberos authentication. Verified in IIS for that website that only Windows and ASP.NET Impersonation authentication methods are enabled. Under Windows Authentication the providers are listed for NTLM and Negotiate and Negotiate is listed first.
I am not sure what I need to do in order to get Kerberos to work with the clients. I have set up some basic SPNs but I don't think that is related to this since that would cause the authentication to fail but would still attempt to use it before using NTLM.
If there is anything else you need me to provide please let me know.
Thank you for taking the time to look at it.
Thanks,
Joe
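
For anyone comparing captures like the two described in this post: on the wire the HTTP headers only name the schemes `Negotiate` and `NTLM`, and whether a given `Negotiate` exchange carried Kerberos or NTLM is visible only in the base64 token. The Python sketch below is an added example, not part of the original post; the function names are hypothetical and the sample header lines are constructed with truncated tokens.

```python
import base64
import binascii

NTLMSSP = b"NTLMSSP\x00"
KRB5_OIDS = (
    bytes.fromhex("06092a864886f712010202"),  # 1.2.840.113554.1.2.2, Kerberos V5
    bytes.fromhex("06092a864882f712010202"),  # 1.2.840.48018.1.2.2, MS Kerberos
)


def classify_token(token: bytes) -> str:
    """Name the mechanism carried by a raw or SPNEGO-wrapped token."""
    pos = token.find(NTLMSSP)
    if pos != -1:
        # NTLM message type is a little-endian uint32 right after the signature.
        return "ntlm-type%d" % int.from_bytes(token[pos + 8:pos + 12], "little")
    if any(oid in token for oid in KRB5_OIDS):
        return "kerberos"
    return "unknown"


def classify_header(line: str):
    """Return (header, scheme, verdict) for an HTTP auth header line, else None."""
    name, _, value = line.partition(":")
    name, parts = name.strip(), value.split()
    if name.lower() not in ("authorization", "www-authenticate") or not parts:
        return None
    if len(parts) < 2:
        return (name, parts[0], "offer-only")  # scheme advertised, no token yet
    try:
        token = base64.b64decode(parts[1], validate=True)
    except (binascii.Error, ValueError):
        return (name, parts[0], "bad-base64")
    return (name, parts[0], classify_token(token))


def summarize(lines):
    return [r for r in map(classify_header, lines) if r is not None]


# Constructed sample lines (truncated tokens, not taken from the poster's capture).
_NTLM1 = NTLMSSP + (1).to_bytes(4, "little") + bytes(4)
_KRB = b"\x60\x0f" + KRB5_OIDS[0] + b"\x01\x00\x6e\x00"
SAMPLE = [
    "WWW-Authenticate: Negotiate",
    "WWW-Authenticate: NTLM",
    "Authorization: Negotiate " + base64.b64encode(_NTLM1).decode(),
    "Authorization: Negotiate " + base64.b64encode(_KRB).decode(),
]
```

Feed it the `WWW-Authenticate` and `Authorization` lines exported from each capture; a client request classified as `ntlm-type1` under `Negotiate` means the client fell back to NTLM inside the negotiation.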