Channel: SharePoint 2010 - Setup, Upgrade, Administration and Operations forum

Kerberos Authentication in SharePoint 2010 Question


Dear All,

I have set up Kerberos authentication on a small SharePoint farm (1 APP, 1 Web Server, 1 SQL Server).

I have a query to understand delegation for computer accounts (APP and Web Server name account).

************

Steps which I used to do: 

Topology:

1 Web Server (Web1.domain.com)

1 App Server (App1.domain.com)

1 SQL Server (SQL1.domain.com)

1 Web Application (http://webapp1.domain.com)

Web App Pool account (domain\apppool1)

SQL Service is running with domain\sqlsvc account

1 CentralAdmin (http://app1.domain.com:8000)

End result which I wanted to achieve: I want to set up Kerberos authentication only on the web application (http://webapp1.domain.com), not on Central Admin.

Steps which I performed:

1. Created SPN for App Pool Account (domain\apppool1)

setspn -s HTTP/app1.domain.com domain\apppool1

setspn -s HTTP/app1 domain\apppool1

2. Set Delegation property for app pool account domain\apppool1

Select Trust this user for delegation to any service (Kerberos only)

3. Create SPNs for MSSQL service account

setspn.exe -s MSSQLSvc/SQL1:1433 domain\sqlsvc

setspn.exe -s MSSQLSvc/SQL1.domain.com:1433 domain\sqlsvc

4. Set Delegation property for SQL service account

Select Trust this user for delegation to any service (Kerberos only)

5. From Central Admin I set Kerberos authentication in the Default Zone web application property (we have only one zone, which is the default)

*We are not using any other services like SSRS, Excel, PerformancePoint. It's just a simple default SharePoint web application.

******************

Kerberos works for me, but I still have a lot of questions in my mind.

My Questions:

1. I read a lot of articles where they mention that we are required to set the WEB server, APP server and SQL servers as trusted for delegation. I really don't understand this: why are we required to set this if my app application pool, SQL service account, everything is running with domain accounts? Do we need to set this?

2. Do we also require Central Admin on Kerberos authentication if we want to set it for only the web application?

3. In what case do we have to use constrained delegation?

Please help me on this. Really appreciate.

Regards

Gyan Shukla
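
An added example, not part of the original post: a PowerShell check that reports which delegation mode each account from the steps above carries, based on the `userAccountControl` flags and the `msDS-AllowedToDelegateTo` attribute that the Delegation tab writes. The account names come from the post; the attribute values, the computer account `WEB1$` and the `apppool1-constrained` record are constructed assumptions standing in for live directory data.

```powershell
# Added example. Constructed records standing in for live data such as:
#   Get-ADUser apppool1 -Properties userAccountControl,'msDS-AllowedToDelegateTo'
#   Get-ADComputer WEB1 -Properties userAccountControl,'msDS-AllowedToDelegateTo'
# Account names come from the post; all attribute values are constructed.
$accounts = @(
    [pscustomobject]@{ Name = 'apppool1'; Uac = 0x80200; AllowedTo = @() }
    [pscustomobject]@{ Name = 'sqlsvc';   Uac = 0x80200; AllowedTo = @() }
    [pscustomobject]@{ Name = 'WEB1$';    Uac = 0x1000;  AllowedTo = @() }
    # Hypothetical variant: app pool account limited to the SQL service only
    [pscustomobject]@{ Name = 'apppool1-constrained'; Uac = 0x200
                       AllowedTo = @('MSSQLSvc/SQL1.domain.com:1433') }
)

# userAccountControl bits behind the options on the Delegation tab
$TRUSTED_FOR_DELEGATION         = 0x80000    # "any service (Kerberos only)"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol"

function Get-DelegationMode {
    param([int]$Uac, [string[]]$AllowedTo)
    # Unconstrained: the account may delegate to any service in the domain
    if ($Uac -band $TRUSTED_FOR_DELEGATION) { return 'Unconstrained' }
    # Constrained: delegation is limited to the SPNs listed on the account
    if ($AllowedTo.Count -gt 0) {
        if ($Uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
            return 'Constrained (any protocol)'
        }
        return 'Constrained (Kerberos only)'
    }
    return 'None'
}

# One row per account: delegation mode and, if constrained, the target SPNs
$report = foreach ($a in $accounts) {
    [pscustomobject]@{
        Account  = $a.Name
        Mode     = Get-DelegationMode -Uac $a.Uac -AllowedTo $a.AllowedTo
        Services = $a.AllowedTo -join ', '
    }
}
$report | Format-Table -AutoSize
```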

