I have troubleshot many Kerberos cases over the years and here are the best techniques and tools that I have used over the years.
1. Kerberos Event Logging:
Add the following registry value to each machine in the farm that receives Kerberos Traffic:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Registry Value: LogLevel
Value Type: REG_DWORD
Value Data: 1
To see the results, open Event Viewer > Windows Logs > System.
Kerberos errors will now appear in Event Viewer.
262177 How to enable Kerberos event logging
http://support.microsoft.com/default.aspx?scid=kb;EN-US;262177
2. DHCheck (DoubleHopCheck):
This tool is great: it reports whether the account is trusted for delegation (constrained), the SPNs registered to the account, and the SPNs the account is constrained to. Most importantly, it also reports duplicate SPNs.
Distinguished name..............: CN=Account01,OU=SharePoint_Servers,OU=SharePoint_Enterprise,OU=Domain Servers,DC=AD,DC=Microsoft,DC=com
Account type....................: Computer
User Account control............: 16781344(DEC) 1001020(HEX)
Account Trusted for delegation..: False
Account sensitive for delegation: False
Constrained delegation is enabled for:
MSOLAPSvc.3/Server01:Insance
MSOLAPSvc.3/Server01.FQDN:Insance
Registered Service Principal Names:
HTTP/Server01
HTTP/Server01.FQDN
Duplicate SPN found: HTTP/Server01
Account01,CN=Account01,OU=Users01,OU=IT,OU=ABC,OU=AdminUnits,DC=,DC=Microsoft,DC=com
Account02,CN=Account02,OU=Users02,OU=IT,OU=123,OU=AdminUnits,DC=MSFT,DC=Microsoft,DC=com
To use this tool:
1. Rename the attachment from dhcheck.txt to dhcheck.vbs and save it on the Application Server (root of C:).
2. Open a command-line window, browse to the directory that contains dhcheck.vbs (root of C:), enter the command below and press Enter.
cscript dhcheck.vbs Account1 Account2 Account3 > c:\temp\results.txt
*Account1, Account2 and Account3 stand for the accounts running Excel Services, Claims to Windows Token Services, SSAS and/or SQL (any accounts you want to collect delegation information on).
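As an added example (not part of the original post and not DHCheck's own code), the Python below parses one account block from results.txt in the layout shown above and decodes the User Account control number into its documented flag names, so the delegation bits can be read directly. The function names and the abridged sample input are constructed for illustration, and the code assumes every block follows the sample layout.

```python
import re
# userAccountControl bits (Microsoft's documented flag values); 0x80000,
# 0x100000 and 0x1000000 are the delegation-related ones.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD", 0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",            # unconstrained delegation
    0x100000: "NOT_DELEGATED",                    # sensitive, cannot be delegated
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",  # protocol transition
}
# Constructed input: the sample report above, abridged, with shortened DNs.
SAMPLE = """\
User Account control............: 16781344(DEC) 1001020(HEX)
Account Trusted for delegation..: False
Constrained delegation is enabled for:
MSOLAPSvc.3/Server01:Insance
MSOLAPSvc.3/Server01.FQDN:Insance
Registered Service Principal Names:
HTTP/Server01
HTTP/Server01.FQDN
Duplicate SPN found: HTTP/Server01
Account01,CN=Account01,OU=Users01,DC=Microsoft,DC=com
Account02,CN=Account02,OU=Users02,DC=Microsoft,DC=com
"""

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_report(text):
    """Parse one account block into UAC flags, SPN lists and duplicate holders."""
    rep = {"delegates_to": [], "spns": [], "duplicates": {}}
    section = None  # list that the following data lines belong to
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"User Account control\.*: (\d+)\(DEC\)", line):
            rep["flags"] = decode_uac(int(m.group(1)))
        elif line.startswith("Constrained delegation is enabled for"):
            section = rep["delegates_to"]
        elif line.startswith("Registered Service Principal Names"):
            section = rep["spns"]
        elif m := re.match(r"Duplicate SPN found: (\S+)", line):
            section = rep["duplicates"].setdefault(m.group(1), [])
        elif section is not None and ",CN=" in line:
            section.append(line.split(",", 1)[0])  # account holding the duplicate
        elif section is not None and "/" in line:
            section.append(line)                   # service/host SPN entry
    return rep

if __name__ == "__main__":
    print(parse_report(SAMPLE))
```

For the sample value 16781344, the decoded flags are PASSWD_NOTREQD, WORKSTATION_TRUST_ACCOUNT and TRUSTED_TO_AUTH_FOR_DELEGATION: the protocol-transition bit is set, while the unconstrained-delegation bit (0x80000) is clear.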