I'm looking for some help with setting up Kerberos authentication for my IIS website. Here's the situation: I'm running a website hosted on Windows, and it connects to an Oracle database. The users connecting to my site come from domain X, and they go through a load balancer to reach my website in domain Z. The tricky part is that domain Z trusts domain X, but not vice versa. I need to implement Kerberos instead of NTLM. I've been following a guide on how to set this up, but I'm unclear about whether I should create the service account in domain Z or domain X. Also, what are some good tips for troubleshooting Kerberos access?
2 Answers
For troubleshooting, check the Kerberos tickets using 'klist' on your client machine after trying to authenticate. Look at the event logs for any failures (Event ID 4771) on your Domain Controllers. Also, make sure the Service Principal Name (SPN) for your service account is correctly configured. The load balancer can complicate things since the SPN must align with what users are entering in the browser. Remember that with a one-way trust, users from domain X need to get a service ticket for the service in domain Z, which only works if the SPN is registered right.
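The checks in this answer (SPN registration, `klist` on the client, Event ID 4771 on the domain controllers) can be scripted so they are repeatable. The following PowerShell is an added example and not code from the answer's author; the host name `app.example.com` (the name users type into the browser, i.e. the load balancer name), the domain controller `dc1.z.example.com` and the one-hour lookback window are placeholders you would replace with your own values.

```powershell
# Added example: scripted version of the three Kerberos checks from the answer above.
# Placeholders: $SiteFqdn is the URL host users enter (the load balancer name),
# $DomainController is a DC in domain Z. Run from an elevated prompt with setspn/klist in PATH.
param(
    [string]$SiteFqdn          = 'app.example.com',    # placeholder
    [string]$DomainController  = 'dc1.z.example.com',  # placeholder
    [int]   $LookbackHours     = 1
)

# Check 1: the SPN for the name in the browser must be registered on exactly one account.
# Zero holders -> browser falls back to NTLM; two or more -> duplicate SPN, Kerberos fails.
function Test-SpnRegistration {
    param([string]$Spn)
    # setspn -Q lists each holding account as a distinguished name starting with "CN=".
    $holders = @(setspn -Q $Spn 2>&1 | Where-Object { $_ -match '^CN=' })
    [pscustomobject]@{
        Spn     = $Spn
        Holders = $holders
        Status  = switch ($holders.Count) {
                      0       { 'NOT REGISTERED (clients will fall back to NTLM)' }
                      1       { 'OK' }
                      default { 'DUPLICATE (registered on more than one account)' }
                  }
    }
}

# Check 2: on the client, ask for a service ticket for the SPN and confirm it is cached.
# "klist get" forces the TGS request; "klist" then shows the cached ticket if it was issued.
function Test-ClientTicket {
    param([string]$Spn)
    $null   = klist get $Spn 2>&1
    $cached = klist 2>&1 | Select-String -SimpleMatch $Spn
    [pscustomobject]@{
        Spn          = $Spn
        TicketCached = [bool]$cached
        Detail       = if ($cached) { $cached.Line.Trim() } else { 'no service ticket for this SPN in cache' }
    }
}

# Check 3: pull recent Kerberos failures from the DC's Security log.
# 4771 = pre-authentication failed (from the answer); 4769 = service ticket request, which
# carries a non-zero Failure Code when the TGS request for the SPN is refused.
function Get-KerberosFailures {
    param([string]$Dc, [int]$Hours)
    $filter = @{ LogName = 'Security'; Id = 4771, 4769; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $Dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Failure Code / Account Name / Client Address are parsed from the message text,
            # which is the same layout for both event IDs.
            $code = if ($_.Message -match 'Failure Code:\s+(0x[0-9A-Fa-f]+)') { $Matches[1] } else { '' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                EventId     = $_.Id
                Account     = if ($_.Message -match 'Account Name:\s+(\S+)')   { $Matches[1] } else { '' }
                ClientAddr  = if ($_.Message -match 'Client Address:\s+(\S+)') { $Matches[1] } else { '' }
                FailureCode = $code
            }
        } |
        # 4769 is logged for every successful ticket too; keep only real failures (code != 0x0).
        Where-Object { $_.EventId -eq 4771 -or ($_.FailureCode -and $_.FailureCode -ne '0x0') }
}

$spn = "HTTP/$SiteFqdn"
Test-SpnRegistration -Spn $spn | Format-List
Test-ClientTicket    -Spn $spn | Format-List
Get-KerberosFailures -Dc $DomainController -Hours $LookbackHours | Format-Table -AutoSize
```

Run the script on a client in domain X while logged on as an affected user. A `NOT REGISTERED` result from the first check explains an NTLM fallback on its own; a cached ticket from the second check together with a 4769 failure on the DC points at the SPN or the trust path rather than the browser configuration. The failure code values (for example `0x7` for an unknown server principal) come straight from the Kerberos error table, so they can be looked up without guessing.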
I suggest you consider setting up a two-way trust between the domains. In my experience, it's usually better to have the IIS service account in the same domain as the server itself. This is one of the key differences between NTLM and Kerberos. With NTLM, a one-way trust is sufficient, but for Kerberos, that might not work as seamlessly. Just a thought!

Absolutely, and don’t forget to check how IAKerb and LocalKDC come into play—it might make things easier.