Oracle® Fusion Middleware Troubleshooting Guide for Oracle Mobile Security Suite
Release 3.0.1

Part Number E51929-03

6 Tips for Troubleshooting Kerberos-Enabled Applications

This chapter lists tips for troubleshooting Kerberos-enabled applications.

The tips are as follows:

  1. Web applications that are accessed through the Mobile Security Access Server must be configured for Kerberos with a Service Principal Name (SPN) for each application server that is accessed by an alias instead of its host name.

    For example, if the host name is bmax1.oracle.internal but the server is accessed as http://sharepoint.oracle.internal, the SPN must be http://sharepoint. Additional certificate requirements apply for the Mobile Security Access Server certificate.

    From a machine within the domain of the application server (Mobile Security Access Server can be used if it is joined to the same domain):

    1. Open a command window.

    2. At the command-line prompt, type:

      setspn -l customer_application_hostname
      
    3. Verify that there is an SPN for the URL that the device is trying to access.

    4. If the SPN is missing, then type:

      setspn -a customer_application_hostname
      
    5. Verify the SPN by typing:

      setspn -l customer_application_hostname
      
  2. IIS applications such as SharePoint must be configured for Negotiate authentication, which can be followed by NTLM authentication if desired.

  3. IIS applications use an application pool with an application-pool identity. This identity cannot be a local account on the web server. Typically, it can be set to a built-in account of NETWORK that has permission to access Active Directory for authentication. When a service account is used for the pool identity, ensure that the account has permission to access and authenticate to Active Directory.

    1. Ensure that the authentication provider is set to Negotiate.

    2. Ensure that Windows authentication is set.

    3. Ensure that Anonymous User is NOT set.

      Note:

      The following Wireshark display filters are useful for debugging network issues:

      1. In display filter, type:

        kerberos
        
      2. In display filter, type:

        ntlmssp
        
      3. In display filter, type:

        http
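
For tip 1, the check in steps 2 and 3 (list the registered SPNs, then confirm one exists for the URL the device uses) can be scripted. The following is an added example, not Oracle's code; it assumes `setspn -l` prints one indented `class/host` entry per line, and the sample output and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of `setspn -l bmax1` output, not captured from a real domain.
SAMPLE_OUTPUT = (
    "Registered ServicePrincipalNames for "
    "CN=BMAX1,CN=Computers,DC=oracle,DC=internal:\n"
    "\tHOST/BMAX1\n"
    "\tHOST/bmax1.oracle.internal\n"
    "\tHTTP/bmax1.oracle.internal\n"
)


def parse_spns(setspn_output):
    """Return (service_class, host) pairs listed in `setspn -l` output."""
    spns = []
    for line in setspn_output.splitlines():
        entry = line.strip()
        # SPN entries are indented and shaped class/host[:port][/name];
        # the unindented "Registered ServicePrincipalNames ..." header is skipped.
        if not line[:1].isspace() or "/" not in entry:
            continue
        service_class, rest = entry.split("/", 1)
        host = rest.split("/", 1)[0].partition(":")[0]
        spns.append((service_class.upper(), host.lower()))
    return spns


def spn_status(url, setspn_output):
    """Map each name a client could request (FQDN and short name) to True/False."""
    fqdn = (urlsplit(url).hostname or "").lower()
    if not fqdn:
        raise ValueError(f"no host name in URL: {url!r}")
    registered = {h for cls, h in parse_spns(setspn_output) if cls == "HTTP"}
    # Assumption: both forms are reported, because the page names the short
    # alias while the URL carries the fully qualified name.
    return {name: name in registered for name in {fqdn, fqdn.split(".", 1)[0]}}


if __name__ == "__main__":
    for name, ok in sorted(spn_status("http://sharepoint.oracle.internal",
                                      SAMPLE_OUTPUT).items()):
        print(f"HTTP/{name}: {'registered' if ok else 'MISSING'}")
```

With the sample above, both alias forms are reported as missing, because only the server's own host name carries an HTTP entry; that is the condition step 4 corrects.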