Steps To Setup Kerberos For Windows Authentication

• Open Command prompt in Administrator mode.
• Execute the following command on it to add Service Principal Name (SPN) for the account
setspn -a HTTP/## Server FQDN ## ## Domain Service Account ## Example: C:\Users\Administrator> setspn -A HTTP/mini.example.com gpadmin
Note: "mini.exmaple.com" here is FQDN. Make sure it's resolvable on the Windows server running AD service.

• Open Active Directory Users and Computers.
• Search for the service account which was used to create the Service Principal Name (SPN).
• Navigate to the Delegation tab.
• Select Trust this user for delegation to any service (Kerberos only).
• Click Apply.
• Open up IIS Manager.
• Select the site which you want to apply Windows Authentication to.
• Select the Application Pool for that website. Right click on it and select Advanced Settings.
• Use Custom Account and set the account as the service account for which delegation was enabled. You would need to enter the password of the service account as well.
• Navigate to the Authentication section for the website.
• Enable Windows Authentication and disable Anonymous Authentication.(Both cannot work simultaneously)
• Go to the Configuration Editor.
• Search for: system.webServer/security/authentication/windowsAuthentication
• Set useKernelMode as False and useAppPoolCredentials as True in the Configuration editor.
• Click Apply.
• Restart IIS server.