I ran across a useful utility that helps both in explaining and diagnosing Kerberos delegation setup.

The utility is really nicely done. You just put it on your web server, and then browse to the page. The good stuff is green and the errors are in red. The great thing is that it has in-line explanations of everything and additional steps to help fix the problem!

The utility is specifically targeted at showing whether delegation will work and explaining in detail why it might not. It also allows you to “add a backend” server to the test so that you can check whether the downstream system can be accessed via delegation.



There is also a really nice, in depth explanation of Service Principal Names (SPNs) here: