Kerberos Authentication with Duet

Similar Messages

• Integrating Kerberos authentication with OBIEE

  Hi,
  Is it possible to integrate Kerberos authentication with OBIEE? If yes, how can that be done? Are there any documentation available?
  Thanks

  we can integrate with LDAP with the help of below link
  http://oraclebizint.wordpress.com/2007/10/10/oracle-bi-ee-101332-using-ldapoid-authentication/
  Regards
  Venkata

• Kerberos authentication with Active Directory

  I have tried using JAAS to authenticate to MS Active Directory and keep getting "javax.security.auth.login.LoginException: Pre-Authentication Information was invalid"
  I have tried authenticating with multiple user accounts and on three different realms (Active Directory domains).
  How do I need to format the username? I know that when using JNDI to access Active Directory I have to use the format "[email protected]" or the RDN. I have tried it both ways with JAAS kerberos authentication as well as with just the username by itself. I don't think that the username format is the problem though because if I set the account lockout policy to 5 failed attempts, sure enough my account will be locked out after running my code 5 times. If I give a username that doesn't exist in Active Directory I get the error "javax.security.auth.login.loginexception: Client not found in Kerberos database" Is there something special that I have to do to the password?
  I know that there is just something stupid that I'm missing. Here is the simplest example of code that I'm working with:
  import java.io.*;
  import javax.security.auth.callback.*;
  import javax.security.auth.login.*;
  import javax.security.auth.Subject;
  import com.sun.security.auth.callback.TextCallbackHandler;
  public class krb5ADLogin1 {
  public static void main(String[] args){
  LoginContext lc = null;
  try {
  lc=new LoginContext("krb5ADLogin1", new TextCallbackHandler());
  lc.login();
  catch(Exception e){
  e.printStackTrace();
  Here is my config file:
  krb5ADLogin1 {
  com.sun.security.auth.module.Krb5LoginModule required;
  The command I use to start the program is:
  java -Djava.security.krb5.realm=mydomain.com
  -Djava.security.krb5.kdc=DomainController.mydomain.com
  -Djava.security.auth.login.config=sample.conf krb5ADLogin1

  Hi there ... the Sun web site has the following snippet:
  http://java.sun.com/j2se/1.4/docs/guide/security/jgss/tutorials/Troubleshooting.html
  + javax.security.auth.login.LoginException: KrbException::
  Pre-authentication information was invalid (24) - Preauthentication failed
  Cause 1: The password entered is incorrect.
  Solution 1: Verify the password.
  Cause 2: If you are using the keytab to get the key (e.g., by
  setting the useKeyTab option to true in the Krb5LoginModule entry
  in the JAAS login configuration file), then the key might have
  changed since you updated the keytab.
  Solution 2: Consult your Kerberos documentation to generate a new
  keytab and use that keytab.
  Cause 3: Clock skew - If the time on the KDC and on the client
  differ significanlty (typically 5 minutes), this error can be
  returned.
  Solution 3: Synchronize the clocks (or have a system administrator
  do so).
  Good luck,
  -Derek

• Kerberos authentication with Apache Kerberos Module

  Hi,
  Using the Java GSS tutorials, I have been able to create code to successfully authenticate with our KDC server or from a local ticket cache.
  However, I have been unsuccessful in using the obtained credentials to perform client authentication with a web server running Apache using Kerberos for authentication (mod_kerberos).
  I have tried to use an SSLSocket to connect to the server, which works fine. To request a page that requires client side authentication, I have passed the necessary client headers, over the socket connection e.g.
  GET: http://www.myhost.com/protected_page.html
  HOST: www.myhost.com
  AUTHENTICATE: negotiate XXXXX
  However, I do not know what to put in place of XXXXX. Using some PHP code and Firefox, I have been able to observe what Firefox is passing to the web server to perform client side authentication. It is clearly passing a base64 encoded string, which is related to the cached Kerberos credentials.
  Can anyone tell me, how I can use Java and GSS to perform client side authentication with an Apache web server that is using the Kerberos authentication module? I know it is possible to do so using SPEGNO in a Windows environment, but this is a Linux/Unix environment, so it is not an option.
  Thanks for any help or advice,
  Neil.

  Here are your options:
  1) Configure Krb5LoginModule programmatically.
  If the environment variable KRB5CC_NAME points to the ticket cache location,
  (which is updated each time), you can configure the Krb5LoginModule
  programmatically and set the "ticketCache" option to the value obtained
  from KRB5CC_NAME.
  Refer to following docs for details:
  http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/LoginConfigFile.html
  http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
  http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/AppConfigurationEntry.html
  2) Use native Kerberos from the platform
  Java SE 6 provides support for native GSS/Kerberos on Solaris/Linux platforms.
  NOTE: If native GSS/Kerberos on your platform does not have support for SPNEGO,
  you will not be able to use this option.
  For details refer to following docs:
  http://download.java.net/jdk6/docs/technotes/guides/security/jgss/jgss-features.html
  Seema

• Portal Drive Single Sign On and Kerberos Authentication

  Hi,
  We are using NW2004s SP10 Portal and we have successfully configured Kerberos authentication with Windows Active Directory 2003. To access the KM Content in windows explorer format, we are using Portal Drive but Portal Drive still asks for authentication i.e. SSO is not working for Portal Drive. I have understood from the forums and sap help site that SSO from portal drive will work only for NTLM authentication and client certificates. Can you please help regarding below questions.
  1. Can Kerberos and NTLM authentication be configured together.
  2. If yes, what are the steps to configure NTLM authentication for NW2004s SAP Portal and Active Directory 2003.
  3. Any other approach to make Portal Drive SSO work.
  Helpful answers will be rewarded.
  Regards,
  Chandra

  Hi Gregor,
  I did two things:
  first i made a change in the portalapp.xml in the PAR file "com.sap.km.cm.par". In the section authentication scheme for "docs" I changed the authentication scheme to "default" to make sure that documents are opened using the default authentication scheme (SPNego) instead of basic authentication
  second, I used the SPNego wizard to configure SPNego. So I didn't adjust anything in the Visual Admin or the authentication template apart from adding the Template to the Ticket policy configuration.
  Again, this only worked after installing the latest vesion.
  Hope this helps
  Marcel

• Safari on Windows - Kerberos Authentication

  Am facing issues with Kerberos authentication with Safari on windows. IE, Chrome and FF works. Compared the wireshark traces and found that kerberos request made by IE, chrome etc is for server name : HTTP/myappname, while the same for Safari is krbtgt/diffdomain. Safari request for krbtgt/diffdomain fails with unknown principal name error. Seems to be Safari not reusing the TGT and trying to get a new TGT and that too for a different domain. Any thoughts please?

  Hi.
  Read here  >  Apple apparently kills Windows PC support in Safari 6.0
  Use Chrome, IE or Firefox.

• Windowns dll file for Kerberos Authentication

  Hi,
  I am implementing Kerberos Authentication with Windows x64. The SAP Post installation guide metions that gx64krb5.dll file needs to copied under <Drive>:\%windir%\system32. It also metions that the file need to be downloaded from SAP Note 352295,.But "An SAP note with the number requested could not be found". Any other place from where I can download the file.
  Regards
  Deb

  Okay, I found my PDF copy of [Note 352295|https://websmp230.sap-ag.de/sap(bD1lbiZjPTAwMQ==)/bc/bsp/spn/sapnotes/index2.htm?numm=352295], and it contains the links to download the files from sapnet for both 64 and 32 bit.
  Here is the link for the 64 bit:
  https://service.sap.com/~sapidb/012003146900000310652008E/win64sso.zip
  And just in case anyone reading this thread needs to get to the 32 bit:
  https://service.sap.com/~sapidb/012003146900000310642008E/win32sso.zip

• Kerberos Authentication between Sharepoint 2013 Foundation - SSRS 2012 - Oracle 11g failing with ORA-12638: Credential retrieval failed

  I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
  Given below are the steps of installation and configuration.
  Installation till basic authentication:
  The installation has been done in a
  single server.
  Installed SQL Server 2012 (Developer version).
  Selected only the following features:
  Database Engine Services
  Analysis Services
  Reporting Services – SharePoint
  Reporting Services Add-in for SharePoint Products
  Management Tools – Basic
  - Management Tools - Complete
    2. Installed SQL Server 2012 SP1.
    3. Installed SQL Server 2012 SP2.
    4. Installed SharePoint Foundation 2013.
    5. Created web application (without Kerberos; we did not even create the SPNs).
        The application pool has been configured to use Reporting Services account since it is a single server installation. This account has been registered as a managed
  account.
    6. Created Site Collection.
    7. Verified that Reporting Services is not installed.
    8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
    9. Verified that Reporting Services is installed.
   10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL server Reporting Services Service Application.
    11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
    12. Created a Site.
    13. Created a Data Connection library with “Report Data Source” content type.
    14. Created a Report Model library with “Report Builder Model” content type.
    15. Created a Report library with “Report Builder Report” content type.
    16. Uploaded an SMDL to the Report Model library.
    17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
    18. Able to create and save a report using Report Builder.
  Hence, basic authentication is working and SSRS is able to connect to Oracle database.
  Next we have to configure Kerberos settings between SharePoint and SQL Server.
  Implementation of Kerberos authentication
  In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config  and added the Authentication Types of RSWindowsNegotiate
  and RSWindowsKerberos.
   2.  Set up the following SPNs.
                 a) SQL Server Database Engine service (sqlDbSrv2):
                  setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
                  setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
               In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
  b) Account: SharePoint Setup Admin account (spAdmin2)
       setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
                  setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
                  In the Delegation tab of the account, selected "Trust this user for delegation to any  service
  (Kerberos only)".
  c) Account: SQL Server Reporting Service account (sqlRepSrv2)
                     setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
                     setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
                     In the Delegation tab of the account, selected "Trust this user for delegation to any service
  (Kerberos only)".
    3. Configure the Web Application to use “Negotiate (Kerberos)”.
    4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
       The Event Viewer logged the login process for the SharePoint Administration account as
  Negotiate and not Kerberos.
    5. Implemented Kerberos for Oracle database and client.
       Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
    6. Turn on Windows Firewall.
    7. While testing the site's data connection using Kerberos settings, got the error
  “Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
        Note: The Data Connection for basic authentication still worked.
    8. Created a Claims to Windows Token Service account (spC2WTS2).
    9. Started the Claims to Windows Token Service.
   10. Registered the Claims to Windows Token Service account as a Managed Account.
   11. Changed the Claims To Windows Token Service to use the above managed account.
   12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
        Note: The Reporting Services service account is also a part of the WSS_WPG local group.
   13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
   14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
   15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
        When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically
  added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in c2wtshost.exe.config file.
   16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
   17. Earlier Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
        Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
   18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
        For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use
  any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
        Note: The Reporting Service account already had an HTTP SPN.
   19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
         For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
         The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any
  authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
   20. Restarted the SharePoint server.
   21. Tested the data connection with the Kerberos settings again.
         Got the error
  “ORA-12638: Credential retrieval failed”.
  Can anyone tell me what is wrong with this setup?

  http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
  Problem4: ORA-12638: Credential retrieval failed
  Solution:  Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
  Do check 
  http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
  If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/

• Windows AD with Kerberos authentication not supported for NW AS JAVA 7.1

  The Admin guide for BO 3.1 states that Windows AD with Kerberos authentication is not supported on NetWeaver AS.
  Can anybody suggest & confirm on this???

  I know we haven't been receiving cases for it, but I think in theory it should work fine. BO doesn't really care what web/app kerberos comes from as the manual authentication uses the java SDK (i.e tomcat 5.5 would use Sun JDK 1.5), and SSO kerberos (vintela) uses 3rd party libraries. It's possible our 3rd party libraries may not support netweaver yet. If I hear anything else I'll post.
  Regards,
  Tim

• How to setup Oracle OCI Driver with Kerberos Authentication in Eclipse

  Hello I am trying to setup a connection to Oracle Server with kerberos authentication.
  I am able to connect using SQL Developer but it seems impossible to do the same through the eclipse plugin any pointers?

  Currently there is no support for Kerberos authentication on OEPE DB support. I'll open an enhancement request.

• Remote PowerShell Connection to Lync Server With Kerberos authentication Fails

  Hi everyone ,
  Remote PowerShell to Lync Server With Kerberos authentication Fails .. Is there any reason for not being able to connect when authentication specified as Kerberos . But exactly same code works when Authentication is specified as "Negotiate"
  E.g :
  Error -
  $session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Kerberos
  [serverName.lync.com] Connecting to remote server failed with the following error message : The WinRM client cannot process the request. The authentication mechanism requested by the client is not supported by the server or unencrypted traffic is disabled in
  the service configuration. Verify the unencrypted traffic setting in the service configuration or specify one of the authentication mechanisms supported by the server.  To use Kerberos, specify the computer name as the remote destination. Also verify
  that the client computer and the destination computer are joined to a domain.To use Basic, specify the computer name as the remote destination, specify Basic authentication and provide user name and password. Possible authentication mechanisms reported by
  server:   Digest Negotiate For more information, see the about_Remote_Troubleshooting Help topic.
      + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [], PSRemotingTransportExc
     eption
      + FullyQualifiedErrorId : PSSessionOpenFailed
  Works  -
  $session=New-PSSession -ConfigurationName Microsoft.Powershell -ConnectionUri https://serverName.lync.com/ocspowershell/ -Credential $cred -Authentication Negotiate

  Hi,
  Please double check if Windows Update is the latest version, if not, please update and then test again.
  Please also ensure that the workstation you are using has network access to the Certificate Authority that signed the certificate.
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Kerberos Authentication - more than one user with same sAMAccountName

  I am configuring Kerberos Authentication on SAP AS Java. The single-domain SSO is done and working. Now I need to configure multiple domains in a domain forest. How to resolve issue regarding multiple users with same account ID (same sAMAccountName) under different domains?

  We thought about using the userprincipalname, but decided against it once we had the realization that if SPNego failed for any reason, and the user had to logon manually, they would not know their userprincipalname.  This was a wise decision, as SPNego does fail for a variety of reasons.  The most common is that there appears to be a 1-2 day timeout of the Kerberos ticket, and if a user leaves their computer on for that long, it will challenge them to logon manually.
  Andrew Castillo

• Exchange Management Console couldn't start with Kerberos authentication failed

  When I was making changes to Client Access\owa settings, chaning from Basic authentication to Form authentication (upn name) then changed to Basic again. It was ok after changing to Form authentication but moment after changing back to Basic, I couldn't
  no longer access owa (blank page when one vertical line) and in Exchange Management Console, I got "Initialization failed" - The following error occured while attempting to connect to the specified Exchange server 'sgp-ex1.mydomain.com':
  The attempt to connect to http://sgp-ex1.mydomain.com/powershell using "Kerberos" authentication failed: Connecting to the remote server failed with the following error message: The WinRM client cannto process
  the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic.
  I tried the troubleshooting tool from Exchange team blog:
  http://blogs.technet.com/b/exchange/archive/2010/12/07/3411644.aspx. It give 3 possible causes for this error: 1. WSMan module entry is missing from global module section of c:\Windows\System32\InetSrv\Config\ApplicationHost.config; 2. Kerbauth module shows
  up as Managed module or has been loaded in the Default Web Site Level; 3. The Path of the Powershell virtual directory has been modified.
  I checked carefully, all the 3 causes do not apply to my situation as WSman entry is in order, the Kerbauth is native and local and the path of Powershell virtual directory is correct.
  I find that in Application log, there are Event 2297 and 2307 dumped at the time of failure:
  The worker process for application pool 'MSExchangeSyncAppPool' encountered an error 'Confiugration file in not well-formed XML' trying to read configuration data from file '\\?\C:\inetpubl\temp\apppools\MSExchangeSyncAppPool\MSExchangeSyncAppPool.config',
  line number '2'. The data field contains the error code.
  Help is very much appreciated.
  Valuable skills are not learned, learned skills aren't valuable.

  Unfortunately, all the links you provided didn't help.
  The first link contains 3 methods:1 Removing WinRM feature and reinstalling. 2 Rename the web.config file in location C:\inetpub\wwwroot 3 Have you installed Microsoft Dynamics CRM 4. I?
  As my server is Windows 2008 R2, the first method does not apply. I couldn't find any web.config in c:\Inetpub\wwwroot. The web.config however is found in many times in .netframework and winsxs directories. The 3rd method doesn't apply as I don't have CRM.
  The 2nd link contains 3 possible causes. The first 2 are the same as the ones I mentioned in my initial post. I couldn't verify the last cause because when open Exchange Management Shell, I got this error: [sgp.ex1.mydomain.com] connecting to remote server
  failed with the following server failed with the following error message: The WinRM client cannot process the request, it cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalide. For more
  information, see the about_Remote_Troubleshooting Help topic.
  I do not think the user is not remote powershell enabled because the problem happened suddenly, while I was making changes to Authentication settings of OWA(default) in Client Access in Exchange Management Console. If the user account is not remote powershell
  enabled, then I couldn't event connect to EMC in the first place.
  The last link didn't help because I could open up modules under PowerShell virtual directory in IIS.
  I think since the event log is saying MSExchangeSyncAppPool.config and DefaultAppPool.config not well-formed XML, that might be a clue.
  In the event id 2307 this is the message:
  The worker process for application pool 'DefaultAppPool' encountered an error 'Configuration file is not well-formed XML
  ' trying to read configuration data from file '\\?\C:\inetpub\temp\apppools\DefaultAppPool\DefaultAppPool.config', line number '2'.  The data field contains the error code.
  Valuable skills are not learned, learned skills aren't valuable.

• PS remoting with Kerberos authenticated sites

  Hi everyone,
  I was looking at the fabulous PowerShell Remoting feature and had it functional on a Windows 2003 server. Really cool !
  Then I tried to activated it on a Windows 2008 R2 with Sharepoint 2010 configured with Kerberos authenticated sites. Fail.
  It seems that WinRM needs an SPN HTTP for the machine name itself whereas If I do that, I'll get stuck with duplicate SPNs (Application pool service account already has a HTTP SPN). I tried removing the service account SPN and create the machine SPN and then
  it works.
  So my question is in the title :
  How are you supposed to configure PS Remoting with an already Kerberos-authentication website configured without having SPN duplicate issues ?
  Thanks!
  Wes

  Quick update on this as I have more infos.
  The DNS workaround you mention fsocas is in the case that WinRM (or enable-PSRemote) is actually working and running.
  In my case, it's not the case because WinRM isn't able to "activate" the listener, it will trigger a security error before doing it.
  For your case fsocas, I suppose you could just use this method to make it work :
  On your machine (from which you ps-remote):
  Set-Item WSMAN:\localhost\Client\TrustedHosts -value 'ip address of the server'
  So here's the complete scenario I have.
  SharePoint 2010 server with Central admin running on it using this url :
  http://name-of-the-server:8080
  This url uses an application pool running under a domain account (let's call him domain\mycentraladmin)
  To setup Kerberos, I added the corresponding SPNs to the domain account of the application pool (domain\mycentraladmin) :
   - HTTP\name-of-the-server
   - HTTP\name-of-the-server.domain.org
   - HTTP\name-of-the-server:8080
   - HTTP\name-of-the-server.domain.org:8080
  So the Central admin site uses Kerberos for authentication. Everything works.
  Running "Enable-PSRemoting -force" wll fail with this error :
  Set-WSManQuickConfig : WinRM cannot process the request. The following error occured while using Negotiate authenticati
  on: An unknown security error occurred.
  or more specifically (using winrm command directly)
  Error number: -2144108387 0x8033809D
  An unknown security error occurred.
  So, since WinRM seems to check for a HTTP SPN set on the computer object (HTTP\name-of-the-server), it will always fail because it will find the HTTP SPN but not set on the computer object. Thus, it cannot authenticate using Kerberos and just fails.
  To have a proper configuration, I found out an interesting fact :
  http://blogs.dirteam.com/blogs/tomek/archive/2009/12/20/kerberos-a-sprawa-portu.aspx
  Internet Explorer only checks for a HTTP SPN on the default HTTP port (80). To force him to check the HTTP SPN with the port, you need to add a specific registry key.
  Here's my simple Powershell script for this:
  $Reg_Key = "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_INCLUDE_PORT_IN_SPN_KB908209"
  New-item -type Directory $Reg_Key
  New-ItemProperty -Path $Reg_Key -Name "iexplore.exe" -value "1" -propertytype dword
  Note that this needs to be done on the client side (your machine).
  Now, I modified the SPN configuration. It now looks like :
  - HTTP\name-of-the-server:8080
  - HTTP\name-of-the-server.domain.org:8080
  I remove the default HTTP SPNs (which were necessary before applying the registry key to connect by Kerberos on the Central admin). But with the registry key in place, I'm able to log on to the Central admin with Kerberos.
  With this working, I went on the server and triggered the cmdlet "Enable-PSRemoting -force". Success :)
  Et voilà ! A nice setup without any dirty workaround.

• BO XI Release 2 - NLTM versus Kerberos Authentication

  Hello,
  I have some problem with Authentication. At first time I set up only in CMS Kerberos Authentication, but now I would like to change it to NLTM, but if I clear the Use Kerberos authentication and I mark off Use NTLM authentication and I set up update, it doesn´t work.
  Authentication Options
  Use NTLM authentication 
  Use Kerberos authentication
           Cache security context (required for SSO to database) 
         Service principal name:  
  Thank you very much for your answer,
  unhappy:( Marika

  You can set up kerberos for both, it's required for java. .net will support both kerberos and NTLM although unless you are trying to delegate credentials all the way to your DB, then it usually isn't desired in .net because the configuration is far more complex
  You can simple look at your logon url to figure out if you are hitting IIS (urls end in aspx and no port #) or tomcat(urls end in .do and port 8080).
  Regards,
  Tim