Frequently I see customers trying to verify whether their Kerberos settings are truly working. In the past we’ve used tools such as NetMon, Kerbtray, Klist, and others to verify this. Recently, however, I found a very simple way to test whether Kerberos auth is working using Fiddler – a very common utility that many admins already have loaded on their client machines. Here are the steps:

  1. Download and install Fiddler on the client machine:
    • This test process only applies to machines external to the servers hosting the services. In the case of CRM, you would run Fiddler from a client machine and not from a CRM or SQL Server.
  2. Open Fiddler on the client and start collecting data (Fiddler starts collecting by default)
    • If you have SSL enabled (HTTPS) on the website you’re testing, make sure to enable Fiddler to decrypt SSL. This can be done by clicking the Tools menu, then Fiddler Options, then the HTTPS tab, and then selecting the “Decrypt HTTPS Traffic” checkbox.
  3. Access the site you wish to test (your CRM site). Make sure you’re using the website alias or the way users will access your site.
  4. In the left-hand pane of Fiddler, which shows all the requests, find one of the first successful (200) requests to the server in question and click on that request.
  5. In the upper right-hand pane of Fiddler, click on the Inspectors tab, then in the “Request Headers” area click on the “Headers” option.
  6. Within the “Request Headers” box, look specifically for the “Cookies / Login” section of the headers; this is where you’ll see the Authorization header. You should see one of two patterns that will tell you whether you’re communicating with Kerberos authorization or not. If the Authorization token begins with “YII”, Kerberos is functioning; if you see “TlR”, Kerberos did not function – here are images of each scenario:
    • Kerberos working: [screenshot]
    • Kerberos not working: [screenshot]
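
The same check can be scripted against an Authorization header value copied out of Fiddler. The following is an added example, not part of the original post: `classify_authorization` and `constructed_samples` are hypothetical names, and the sample tokens are constructed with padding bytes rather than taken from a real capture. It goes one step beyond the “YII” / “TlR” prefix by decoding the token and looking for the NTLMSSP signature or a Kerberos AP-REQ, which also catches NTLM wrapped inside SPNEGO.

```python
import base64

NTLMSSP = b"NTLMSSP\x00"                             # signature of every NTLM message
OID_SPNEGO = bytes.fromhex("06062b0601050502")       # DER OID 1.3.6.1.5.5.2
OID_KRB5 = bytes.fromhex("06092a864886f712010202")   # DER OID 1.2.840.113554.1.2.2
AP_REQ = b"\x01\x00"                                 # GSS token id of a Kerberos AP-REQ

def classify_authorization(header_value):
    """Classify an Authorization header value by the mechanism it carries."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not token.strip():
        return "not-integrated-auth"
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except ValueError:                     # binascii.Error is a ValueError
        return "malformed"
    if raw.startswith(NTLMSSP):
        return "ntlm"                      # base64 text begins with "TlR"
    if raw[:1] != b"\x60":                 # 0x60 = GSS-API initial token tag
        return "unknown"                   # e.g. a later leg of the handshake
    if NTLMSSP in raw:
        return "ntlm-in-spnego"            # SPNEGO wrapper, but NTLM inside
    if OID_KRB5 + AP_REQ in raw:
        return "kerberos"                  # large token: base64 begins "YII"
    return "unknown"

def constructed_samples():
    """Constructed header values; padding stands in for real tickets."""
    krb = (b"\x60\x82\x01\x20" + OID_SPNEGO + b"\xa0\x82\x01\x14"
           + b"\x60\x82\x01\x00" + OID_KRB5 + AP_REQ + b"\x6e" + b"\x00" * 32)
    ntlm = NTLMSSP + b"\x01\x00\x00\x00" + b"\x00" * 24
    wrapped = b"\x60\x48" + OID_SPNEGO + b"\xa0\x3e" + ntlm
    enc = lambda b: "Negotiate " + base64.b64encode(b).decode("ascii")
    return {"kerberos": enc(krb), "ntlm": enc(ntlm), "wrapped": enc(wrapped)}

if __name__ == "__main__":
    for name, header in constructed_samples().items():
        print(name, header[:24], "->", classify_authorization(header))
```
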

If you were expecting to see YII and see TlR instead, please take a look at my other blog posting covering the setup and configuration of SPNs and Active Directory properties to allow for proper Kerberos authentication. Also, once Kerberos is functioning I recommend taking advantage of IIS’s AuthPersistNonNTLM setting to reduce the number of 401 challenges – this is also covered in the Kerberos blog posting under section 3.1.

If you want to keep in touch with our team you can follow us here as well as on Twitter. If you have a Microsoft Premier support contract and wish to work with a member of our team, ask your TAM about the PFE offerings we have for Dynamics CRM, and if you want to connect with us at conferences, we can be found speaking and attending Dynamics Convergence. We’ll keep any other events or opportunities to connect up to date here and on Twitter.


Sean McNellis