Configuring Kerberos can be easy. Indeed, with favourable conditions and some preparation, the whole thing can be over in minutes. However, if hours later it still does not work, troubleshooting can take many days even with the help of experts.
As you all know, real-world implementations can deviate dramatically from the lab scenarios considered in common whitepapers. What most resources usually cover is, at best, step-by-step configuration instructions for a particular architecture. Such instructions often lack an explanation of why it has to be done that way in terms of the role of every step in the authentication process, i.e. they do not explain principles, only give certain examples.
I would like to present easy-to-follow principles of Kerberos constrained delegation and protocol transition, with handy tips and templates to get this right the first time for your particular environment. The goal is to explain the meaning of the settings in terms of their role in Kerberos constrained delegation authentication rather than simply presenting another example of a particular scenario. I will also include a jargon-busting glossary of terms to help you get started.
This presentation covers some very useful resources to help you tame your three-headed monster and make it behave in case it decides to go on a strop. I will also mention some useful tips and resources on dealing with the Claims to Windows Token Service, an important part of Kerberos configuration. It plays a very important part in delegating authentication for services requiring protocol transition (Claims -> Windows), such as Excel Services, Performance Point and Power View.