Kerberos, CNAME and SPN
In this post I want to shine some light on Kerberos authentication in combination with DNS CNAME records and on which service principal names (SPNs) actually have to be set for it to work correctly. In a Windows environment a Kerberos misconfiguration is easily overlooked by an admin, because Windows integrated authentication (WIA) simply switches to the NTLM (NT LAN Manager) protocol if Kerberos was not successful, and the single sign-on stays transparent to the user. Only a network trace reveals what happened behind the scenes. ...
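To check a trace for the silent fallback described above, the following added example (not code from the original post) classifies the token in an HTTP `Authorization` header as Kerberos or NTLM. It assumes the WIA traffic is HTTP using the `Negotiate` or `NTLM` scheme; the function names and both sample tokens are constructed for illustration.

```python
import base64
from collections import Counter

NTLM_SIG = b"NTLMSSP\x00"                               # start of every NTLM message
OID_SPNEGO = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")      # 1.2.840.113554.1.2.2
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")   # 1.2.840.48018.1.2.2

def classify_authorization(header_value):
    """Return 'kerberos', 'ntlm' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm"):
        return "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "unknown"
    # An NTLM message, raw or carried as the SPNEGO mechToken, means the
    # client did not present a Kerberos ticket for this request.
    if NTLM_SIG in token:
        return "ntlm"
    # A GSS-API initial token (tag 0x60) naming a Kerberos mechanism OID.
    if token[:1] == b"\x60" and (OID_KRB5 in token or OID_MS_KRB5 in token):
        return "kerberos"
    return "unknown"

def summarize(header_values):
    """Count the mechanisms seen across header values taken from a trace."""
    return Counter(classify_authorization(h) for h in header_values)

def _tlv(tag, body):
    # DER tag-length-value, short-form length only (enough for the samples).
    return bytes([tag, len(body)]) + body

# Constructed samples: shaped like real tokens, but carrying no ticket or hash.
_mechs = _tlv(0xA0, _tlv(0x30, OID_MS_KRB5 + OID_KRB5))
_krb = _tlv(0xA2, _tlv(0x04, _tlv(0x60, OID_KRB5 + b"\x01\x00\x6e\x00")))
_spnego = _tlv(0x60, OID_SPNEGO + _tlv(0xA0, _tlv(0x30, _mechs + _krb)))
SAMPLE_KERBEROS = "Negotiate " + base64.b64encode(_spnego).decode()
_ntlm_type1 = NTLM_SIG + (1).to_bytes(4, "little") + bytes(4)
SAMPLE_NTLM = "Negotiate " + base64.b64encode(_ntlm_type1).decode()

if __name__ == "__main__":
    print(summarize([SAMPLE_KERBEROS, SAMPLE_NTLM, SAMPLE_NTLM]))
```

A quick visual check gives the same answer: a base64 token beginning with `TlRMTVNT` is the `NTLMSSP` signature, so that request fell back to NTLM.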