DelegConfig v2 beta (Delegation / Kerberos Configuration Tool) : Download : The Official Microsoft IIS Site
I just love the main screen of this tool! Kerberos can be scary and misunderstood (kinda like referees!)
“
Introduction
DON'T RUSH!!! You are not so smart that you should skip over reading the following. I like to skip over documentation just as much as the next person. But for your own benefit please read this information (usage tips and features). If you are not aware of everything this tool can do, you will add unnecessary confusion and work to your already frustrating experience of getting Kerberos and Delegation to function properly.
Usage Tips
READ what the report tells you - If I had a penny for every time somebody asked me what the report ALREADY SAYS I would be rich. Okay, maybe not rich, but I'd have a lot of pennies.
Start by using the report locally from the web server - You should still use the same URL that you plan on using remotely. However, certain types of authentication problems will occur only if your connection is using Kerberos and there is something misconfigured. Using this tool from a browser instance local to the server will avoid those types of problems since in most cases local requests use NTLM.
Next, use the report from a remote client - One important check that is performed is whether or not your browser has actually connected to the web service using Kerberos. If you always make your requests from the web server itself, you will likely always see a "Negotiate with NTLM" connection with a red "x" next to it (and red icons usually bother people). A second important piece of information revolves around name resolution of the client. If your requests are always from the server, how can we see what the client thinks?
Lastly, click any "Fix This" buttons locally from the server - There will be "Fix This" buttons that appear that will allow you to make the exact changes that you need to get things working. But just like any other web application, this application is at the mercy of the whole double-hop concept. The most relevant types of changes this tool can make are Trust settings and ServicePrincipalName settings which are both stored in Active Directory. If you try to make changes to these settings (i.e. you click the fixThis buttons) from a remote browser instance it will likely fail because of the failed double-hop from browser-to-WebServer then webServer-to-ActiveDirectory.
Pages
/Set/SPNs.aspx - Allows adding and removing of ServicePrincipalNames
/Set/Delegation.aspx - Allows changing Trust for Delegation settings.
/Set/Providers.aspx - Allows correcting of inadequate NTAuthenticationProviders settings.
/Report.aspx - Gives a picture of what is right and what is wrong.
/Wizard.aspx - A set of wizard steps that supports adding more tiers to /Report.aspx.
/Test.aspx - Allows double-hop tests for webServer-to-Sql or webServer-to-File server or webServer-to-webServer
“
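The usage tips quoted above hinge on whether the browser actually connected with Kerberos or fell back to "Negotiate with NTLM". The following is an added example, not DelegConfig's own code: a heuristic check of a captured Authorization header value, where the function names and sample tokens are constructed for illustration.

```python
import base64

NTLMSSP_SIG = b"NTLMSSP\x00"                             # start of every NTLM message
OID_SPNEGO = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
KERBEROS_OIDS = (
    bytes.fromhex("06092a864886f712010202"),             # 1.2.840.113554.1.2.2
    bytes.fromhex("06092a864882f712010202"),             # 1.2.840.48018.1.2.2 (MS variant)
)

def classify_negotiate(header_value):
    """Return 'kerberos', 'ntlm' or 'unknown' for an Authorization header value."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme.lower() == "ntlm":
        return "ntlm"
    if scheme.lower() != "negotiate" or not b64.strip():
        return "unknown"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return "unknown"
    if token.startswith(NTLMSSP_SIG):       # raw NTLM sent under "Negotiate"
        return "ntlm"
    if not token.startswith(b"\x60"):       # not an initial GSS-API token
        return "unknown"
    if NTLMSSP_SIG in token:                # SPNEGO wrapper carrying an NTLM mechToken
        return "ntlm"
    if any(oid in token for oid in KERBEROS_OIDS):
        return "kerberos"
    return "unknown"

def _der(tag, body):
    assert len(body) < 128                  # short-form length is enough for the samples
    return bytes([tag, len(body)]) + body

def sample_headers():
    """Constructed header values (placeholder tickets, not real captures)."""
    krb_tok = _der(0x60, KERBEROS_OIDS[0] + b"\x01\x00" + b"\x00" * 8)
    ntlm_tok = NTLMSSP_SIG + b"\x01\x00\x00\x00" + b"\x00" * 4
    mechs = _der(0xA0, _der(0x30, KERBEROS_OIDS[1] + KERBEROS_OIDS[0] + OID_NTLMSSP))
    def spnego(mech_token):
        init = _der(0x30, mechs + _der(0xA2, _der(0x04, mech_token)))
        blob = _der(0x60, OID_SPNEGO + _der(0xA0, init))
        return "Negotiate " + base64.b64encode(blob).decode()
    return {"kerberos": spnego(krb_tok), "ntlm_in_spnego": spnego(ntlm_tok),
            "raw_ntlm": "Negotiate " + base64.b64encode(ntlm_tok).decode()}

if __name__ == "__main__":
    for name, value in sample_headers().items():
        print(name, "->", classify_negotiate(value))
```

A quick visual check follows from the same logic: a Negotiate token whose base64 begins with TlRMTVNT is the NTLMSSP signature, so that request did not use Kerberos.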
Comments
Anonymous
June 20, 2011
Make sure the client machines have .NET 2.0 SP2 installed; the servers send some javascript that's running on the client, and that's where the error is coming from.
Anonymous
July 14, 2011
My server is running .NET 3.5 (2008 R2) and I'm having the same issue. I've also tried running the appPool in Classic Mode but no joy. Are there any other ideas out there?
Anonymous
March 12, 2014
The error message is related to DispHTMLObjectElement, which doesn’t support the GetResolved method. Is there any possibility to get the source code of DelegConfig v2 beta?
Anonymous
September 04, 2015
Got this resolved by running the Wizard (Wizard.aspx).