IT:AD:Infrastructure:Security:Kerberos:HowTo:Enable Kerberos

#### On the Domain Controller ####

  • Click Start, point to Programs, click Administrative Tools, and then click Active Directory Users and Computers.
  • Under Computers Organizational Unit, click to select the name of the IIS server.
  • Right-click the server name, and then click Properties to open the computer properties for the IIS computer.
  • On the General tab, click to select Trust Computer for Delegation, and then click Apply.
    • NOTE: Enabling your IIS server for delegation does introduce possible security concerns, as noted in the warning on the General tab. This delegation permits services that run in the context of the system account to request information from remote services on behalf of the users who authenticate to them. This is possible because Kerberos is a mutual authentication protocol: it verifies both the client's and the server's credentials.

#### Test FQDN name resolution on IIS ####

For Kerberos to work, all communication must use a fully qualified domain name (FQDN). To make sure that IIS can be reached with an FQDN, follow these steps:

  • On the domain controller, open a command prompt. To do this, click Start, click Run, type CMD, and then click OK.
  • At the command prompt, type ping fqdn, and then press ENTER. For example: ping webserver01.mydomain.ms.local
  • If the operation is successful, the system replies with a readout that states that the system successfully communicated during all 5 attempts.

If these steps do not work (that is, if the ping operation is unsuccessful), use the articles that are listed in the “References” section to troubleshoot network Domain Name System (DNS) issues. For Kerberos to work as designed, DNS resolution must be working correctly on your network.
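The following PowerShell script is an added example, not part of the original page: it verifies both steps above from the domain controller, reporting whether the IIS computer account carries the "Trust Computer for Delegation" setting (which is unconstrained delegation) and whether the FQDN resolves and answers ping. It assumes the RSAT ActiveDirectory module is installed; the host name webserver01 and the FQDN are the page's own example values.

```powershell
# Added example: audit the delegation setting and the FQDN test for an IIS host.
# Assumes the ActiveDirectory module (RSAT) is available on this machine.
Import-Module ActiveDirectory

$IisHost = 'webserver01'                       # computer account name from the page's example
$Fqdn    = 'webserver01.mydomain.ms.local'     # FQDN from the page's ping example

# Step 1: state of "Trust Computer for Delegation" on the IIS computer account.
# The GUI checkbox sets TrustedForDelegation (unconstrained delegation): services
# running as SYSTEM on that host can use the tickets of authenticating users against
# any service in the domain, which is the concern the General tab warns about.
$computer = Get-ADComputer -Identity $IisHost `
    -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'

if ($computer.TrustedForDelegation) {
    Write-Warning "$IisHost is trusted for UNCONSTRAINED delegation (the GUI setting above)."
} elseif ($computer.'msDS-AllowedToDelegateTo') {
    $targets = $computer.'msDS-AllowedToDelegateTo' -join ', '
    Write-Output "$IisHost uses CONSTRAINED delegation, limited to: $targets"
} else {
    Write-Output "$IisHost is not trusted for delegation."
}

# PowerShell equivalent of ticking the checkbox (apply deliberately; constrained
# delegation limits the exposure that the unconstrained setting creates):
#   Set-ADComputer -Identity $IisHost -TrustedForDelegation $true

# Step 2: FQDN resolution and reachability, as in the ping test above.
$dns = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction SilentlyContinue
if (-not $dns) {
    Write-Error "DNS does not resolve $Fqdn; fix DNS before troubleshooting Kerberos."
    return
}
$ips = ($dns | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', '
Write-Output "$Fqdn -> $ips"

if (Test-Connection -ComputerName $Fqdn -Count 4 -Quiet) {
    Write-Output "ping $Fqdn succeeded."
} else {
    Write-Warning "ping $Fqdn failed: check DNS and the firewall before looking at Kerberos."
}
```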

Last modified: 2023/11/04 01:47