Frequently I see customers trying to verify whether their Kerberos settings (http://bit.ly/QOEvLF) are truly working. In the past we’ve used tools such as NetMon, Kerbtray, Klist, and others to verify this; however, I recently found a very simple way to test whether Kerberos auth is working using Fiddler, a very common utility that many admins already have loaded on their client machines. Here are the steps:
If you were expecting to see YII and see TlR instead, please take a look at my other blog posting (http://bit.ly/QOEvLF) covering the setup and configuration of SPNs and Active Directory properties to allow for proper Kerberos authentication. Also, once Kerberos is functioning, I recommend taking advantage of IIS’s AuthPersistNonNTLM setting to reduce the number of 401 challenges – this is also covered in the Kerberos blog posting under section 3.1.
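The YII and TlR prefixes are the first base64 characters of the token in the `Authorization` header. As an added example (not part of the original post), the Python sketch below goes one step further than the prefix check: it decodes the token and reads the mechanism identifier inside it. The function names and the sample tokens are constructed for illustration.

```python
import base64
import struct

# DER-encoded mechanism OIDs (tag 0x06, length, value).
OIDS = {
    bytes.fromhex("06062b0601050502"): "SPNEGO",
    bytes.fromhex("06092a864886f712010202"): "Kerberos",
    bytes.fromhex("06092a864882f712010202"): "Kerberos",  # legacy Microsoft OID
    bytes.fromhex("060a2b06010401823702020a"): "NTLM",
}
def _skip_header(buf, pos):
    """Skip the DER tag and length at pos; return the offset of the value."""
    first = buf[pos + 1]
    return pos + 2 + (first & 0x7F if first & 0x80 else 0)
def _oid_at(buf, pos):
    for der, name in OIDS.items():
        if buf.startswith(der, pos):
            return name, pos + len(der)
    return None, pos

def classify(header_value):
    """Name the mechanism carried in an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "not Negotiate/NTLM"
    try:
        tok = base64.b64decode(b64, validate=True)
    except ValueError:
        return "invalid base64"
    if tok.startswith(b"NTLMSSP\x00") and len(tok) >= 12:
        return "NTLM type %d" % struct.unpack_from("<I", tok, 8)[0]
    if not tok or tok[0] != 0x60:  # not a GSS-API initial context token
        return "unknown"
    try:
        mech, pos = _oid_at(tok, _skip_header(tok, 0))
        if mech == "SPNEGO":
            for _ in range(4):  # skip [0], SEQUENCE, [0] mechTypes, SEQUENCE OF
                pos = _skip_header(tok, pos)
            mech = _oid_at(tok, pos)[0]  # first mechType is the preferred one
            return "SPNEGO/" + (mech or "unknown")
        return mech or "unknown"
    except IndexError:
        return "truncated token"

# Constructed samples: leading bytes only, ticket and NTLM fields omitted.
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(bytes.fromhex(
    "60820510" "06062b0601050502" "a0820504" "30820500" "a018" "3016"
    "06092a864882f712010202" "06092a864886f712010202")).decode()
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    b"NTLMSSP\x00" + struct.pack("<I", 1) + bytes(20)).decode()
```

`classify(SAMPLE_KERBEROS)` returns `SPNEGO/Kerberos` and `classify(SAMPLE_NTLM)` returns `NTLM type 1`; paste the header value copied from Fiddler's Headers inspector in place of the samples.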
If you want to keep in touch with our team, you can follow us here (http://blogs.msdn.com/CRMInTheField) as well as on Twitter. If you have a Microsoft Premier support contract and wish to work with a member of our team, ask your TAM about the PFE offerings we have for Dynamics CRM. If you want to connect with us at conferences, we can be found speaking and attending Dynamics Convergence. We’ll keep any other events or opportunities to connect up to date here and on Twitter.
You can also look under inspectors again and then select 'Auth' and this will show you either Kerberos or NTLM authentication very clearly.
Great tip @Gavin - thanks!
I have had various occasions when having Fiddler on changes the way Kerberos is functioning ...
For instance, with Fiddler open it looks like Internet Explorer is sending a Kerberos ticket with every request, even after AuthPersistNonNTLM is set ... in fact with Fiddler open it does do that. But with Fiddler closed, it does not.
I was able to verify this with a "netsh trace" both with Fiddler open and again with it closed.
Also in some scenarios Kerberos outright fails when Fiddler is running, but works otherwise. Again verified with a "netsh trace".
All of these problems were with IE... Chrome didn't seem to care if Fiddler was running or not.
I guess it has something to do with how Fiddler inserts itself as a proxy. Not sure why IE is the only one that cares. Anyway your users might want to double check "Kerberos failures" using a less intrusive system. Just thought I'd mention it ...
Try enabling Rules -> Automatically Authenticate.
It worked in my case.
As far as I know, IE is the only browser that supports Kerberos. Other browsers support NTLM or basic.
At the time of writing (Jan 2015) Chrome would use NTLM as it does not support Kerberos.
Fergus, I'm afraid you're incorrect. Firefox and Chrome(ium) support Kerberos via SPNEGO.
Not by default, but the configuration for both browsers is pretty straightforward - you simply need to define the sites trusted for auth.