I found someone who understands Kerberos!
Over the years I've read dozens if not hundreds of blog posts about Kerberos and have always been left wondering... what? And none of them have solved the cries of agony from Windows administrators and the "can't we just use NTLM?" crowd.
But today I found someone who actually understands the secret art of Kerberos on Windows! His name is Spencer Harbar and apparently he is a certified SharePoint Master, Microsoft's new certification for those with across-the-board understanding of SharePoint. His site is at http://www.harbar.net/.
In truth, the key task in setting up Kerberos is understanding that your Kerberos settings should derive from your server and network topology design. Which users need access to which services? Which system accounts are communicating with which servers? What authentication mechanisms are supported by the systems under consideration? Once you have established the answers to these kinds of questions, implementing the solution is little more than a few setspn.exe commands away. If these questions haven't been considered in your design, they are what needs addressing before fiddling with setspn.exe.
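To make the design-first point concrete, here is an added example (not from the original post or from Spencer Harbar's material) that derives the service principal names from a topology inventory and flags any SPN claimed by more than one account before a single setspn.exe command is issued. The hosts, accounts and the `TOPOLOGY`, `spns_for` and `plan` names are constructed for illustration; `setspn -S` is the real switch that adds an SPN after checking for duplicates.

```python
from collections import defaultdict

# Constructed topology inventory (hypothetical hosts and accounts):
# (service class, host FQDN, port or None, service account)
TOPOLOGY = [
    ("HTTP", "portal.example.test", None, "EXAMPLE\\svc-portal"),
    ("HTTP", "mysite.example.test", None, "EXAMPLE\\svc-mysite"),
    ("MSSQLSvc", "sql01.example.test", 1433, "EXAMPLE\\svc-sql"),
    # Design mistake: a second account claims the portal host name.
    ("HTTP", "portal.example.test", None, "EXAMPLE\\svc-search"),
]


def spns_for(service, fqdn, port):
    """Return the SPN forms for one endpoint: FQDN and short host name."""
    suffix = f":{port}" if port else ""
    short = fqdn.split(".")[0]
    return [f"{service}/{fqdn}{suffix}", f"{service}/{short}{suffix}"]


def plan(topology):
    """Map each SPN to its owning accounts; split clean SPNs from conflicts."""
    owners = defaultdict(set)
    display = {}
    for service, fqdn, port, account in topology:
        for spn in spns_for(service, fqdn, port):
            key = spn.lower()  # SPN matching is case-insensitive
            owners[key].add(account.lower())
            display.setdefault(key, (spn, account))
    commands, conflicts = [], {}
    for key, accounts in owners.items():
        if len(accounts) > 1:
            # One SPN on two accounts breaks Kerberos for that service.
            conflicts[display[key][0]] = sorted(accounts)
        else:
            spn, account = display[key]
            commands.append(f"setspn -S {spn} {account}")
    return commands, conflicts


if __name__ == "__main__":
    commands, conflicts = plan(TOPOLOGY)
    for spn, accounts in conflicts.items():
        print(f"CONFLICT {spn}: {', '.join(accounts)}")
    for command in commands:
        print(command)
```

A conflict means the design question "which account runs this service?" has two answers and must be settled before any SPN for that host is registered.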
Anyway, if you'd like to read more I recommend reading his posts about Kerberos, Understanding and Configuring Kerberos for your SharePoint environment, and checking out some PowerPoint decks, in particular Kerberos Part 1 - Best Practices Slide Deck and Kerberos Part 2: The “Advanced” Scenarios.

