Configuring Your Environment for Kerberos

Continuing on from the last post, Kerberos lets the applications you're working on integrate with your Active Directory. The benefit is that users get single sign-on (i.e. their Active Directory login) to access your system. Furthermore, you can leverage SQL Server security roles and permissions to secure access to your data.


Depending on how your network is set up, it's not always a cakewalk. One of the most important steps, and the one that has tripped me up, has been properly registering the SPNs (Service Principal Names). This can happen automatically if your services (SQL, IIS) run under the Local System account, but if not you're going to have to roll up your sleeves and use setspn.

The setspn utility lets you manage the SPNs on your network. To get the two-hop scenario from the last post working, where the IIS service runs as domain\httpservice and the SQL service as domain\sqlservice, you're going to have to register a couple of SPNs.

Actually you'll have to register two for each service: one for the NetBIOS name, the other for the fully qualified domain name (FQDN). They'll look a bit like this:

REM IIS application pool account: NetBIOS name first, then the FQDN
setspn -a http/webserver domain\httpservice
setspn -a http/webserver.domain.com.au domain\httpservice

REM SQL Server service account: NetBIOS name, then the FQDN, each with the TCP port appended
setspn -a MSSQLSvc/sqlserver:1433 domain\sqlservice
setspn -a MSSQLSvc/sqlserver.domain.com.au:1433 domain\sqlservice
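As an added example (not part of the original post), here is a PowerShell audit of the four SPNs above. It asks Active Directory which account holds each SPN and reports any that are missing, sit on the wrong account, or are held by more than one account; a duplicate SPN is a common reason Kerberos authentication fails. The account and host names are the post's placeholders (domain\httpservice, domain\sqlservice, webserver, sqlserver); adjust them to your own. It uses ADSI, so it runs on any domain-joined machine without extra modules.

```powershell
# Added example, not from the original post. Expected SPN -> account pairs use the
# post's placeholder names; replace them with your real service accounts and hosts.
$ExpectedSpns = @(
    @{ Spn = 'http/webserver';                        Account = 'httpservice' },
    @{ Spn = 'http/webserver.domain.com.au';          Account = 'httpservice' },
    @{ Spn = 'MSSQLSvc/sqlserver:1433';               Account = 'sqlservice'  },
    @{ Spn = 'MSSQLSvc/sqlserver.domain.com.au:1433'; Account = 'sqlservice'  }
)

function Get-SpnOwners {
    # Returns the sAMAccountName of every account (user or computer) holding $Spn.
    param([Parameter(Mandatory)][string]$Spn)

    # Escape the characters that are special in an LDAP filter (RFC 4515),
    # backslash first so the escapes we introduce are not re-escaped.
    $escaped = $Spn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # servicePrincipalName is matched case-insensitively by AD, same as setspn does.
    $searcher = [adsisearcher]"(servicePrincipalName=$escaped)"
    $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) { $r.Properties['samaccountname'][0] }
    } finally {
        $results.Dispose()
    }
}

function Test-SpnRegistration {
    # Compares the expected list against AD and returns one line per problem found.
    param([Parameter(Mandatory)][array]$Expected)

    $problems = @()
    foreach ($e in $Expected) {
        $owners = @(Get-SpnOwners -Spn $e.Spn)
        if ($owners.Count -eq 0) {
            $problems += "MISSING        $($e.Spn)  (expected on $($e.Account))"
        } elseif ($owners.Count -gt 1) {
            # Two accounts claiming the same SPN: the KDC cannot tell which key to
            # encrypt the service ticket with, so authentication to that service fails.
            $problems += "DUPLICATE      $($e.Spn)  held by: $($owners -join ', ')"
        } elseif ($owners[0] -ne $e.Account) {
            $problems += "WRONG ACCOUNT  $($e.Spn)  is on $($owners[0]), expected $($e.Account)"
        }
    }
    return $problems
}

$report = Test-SpnRegistration -Expected $ExpectedSpns
if ($report.Count -eq 0) {
    'All expected SPNs are registered on the right accounts, with no duplicates.'
} else {
    $report
}
```

The built-in equivalents are `setspn -L domain\account` to list what one account holds and `setspn -X` to search the forest for duplicates; the script above is useful when you want the check scripted against a known-good list, for example as part of a deployment or a periodic configuration review.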

You'll note that for the SQL Server SPNs I've had to append :portnumber to the end of the host name. By default SQL Server listens on port 1433, but if you're running a number of named instances or have dynamic ports enabled, you'll have to do a bit of investigation work.

If you're running static ports for your named instances, you can put that port number where I've entered 1433. If you're running dynamic ports, you'll want to consider moving to static ones. In fact, you should probably use static ports on your network anyway, if only for the sake of consistency.

You can do this by opening SQL Server Configuration Manager and navigating to: SQL Server 2005 Network Configuration -> Protocols for <Named Instance> -> TCP/IP (ensure it's enabled) -> IP Addresses tab -> IPAll section. Blank out any entry in "TCP Dynamic Ports" and enter your static port in the "TCP Port" field.
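As an added example (not from the original post), the PowerShell below does the two checks a practitioner wants after the steps above: it reads the instance's IPAll port settings from the registry (the same values the Configuration Manager screen edits) and warns if dynamic ports are still in use, and it then opens a Windows-authenticated connection and asks SQL Server whether that session was actually authenticated with Kerberos or fell back to NTLM. The instance name and server address are assumed placeholders, and the first function is meant to run on the SQL Server host itself.

```powershell
# Added example, not from the original post. Assumes it runs on the SQL Server
# machine (for the registry read) as a domain user allowed to connect to SQL Server.

function Get-SqlTcpPortConfig {
    # Reads the IPAll TCP settings for one instance. 'MSSQLSERVER' is the default
    # instance; pass the named instance's name otherwise.
    param([string]$InstanceName = 'MSSQLSERVER')

    $base = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    # "Instance Names\SQL" maps the instance name to its registry folder (e.g. MSSQL.1 on SQL Server 2005).
    $instanceId = (Get-ItemProperty "$base\Instance Names\SQL").$InstanceName
    if (-not $instanceId) { throw "Instance '$InstanceName' was not found in the registry." }

    $ipAll = Get-ItemProperty "$base\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
    [pscustomobject]@{
        Instance     = $InstanceName
        StaticPort   = $ipAll.TcpPort          # the "TCP Port" field
        DynamicPorts = $ipAll.TcpDynamicPorts  # the "TCP Dynamic Ports" field; should be blank
        IsStatic     = [string]::IsNullOrEmpty($ipAll.TcpDynamicPorts) -and
                       -not [string]::IsNullOrEmpty($ipAll.TcpPort)
    }
}

function Get-SqlAuthScheme {
    # Connects with Windows authentication and returns 'KERBEROS' or 'NTLM' for the
    # session. With Integrated Security, SSPI picks Kerberos only when a matching
    # SPN exists for the server and port; otherwise it quietly falls back to NTLM,
    # which is why the two-hop scenario breaks without an error at this step.
    param([string]$Server = 'sqlserver.domain.com.au,1433')   # assumed placeholder

    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Integrated Security=SSPI;"
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT auth_scheme FROM sys.dm_exec_connections WHERE session_id = @@SPID'
        return [string]$cmd.ExecuteScalar()
    } finally {
        $conn.Close()
    }
}

$cfg = Get-SqlTcpPortConfig -InstanceName 'MSSQLSERVER'
if (-not $cfg.IsStatic) {
    Write-Warning ("Instance {0} uses dynamic ports (TcpDynamicPorts='{1}'); the MSSQLSvc SPN " +
                   "must carry the port SQL Server is listening on, so switch to a static port.") `
                   -f $cfg.Instance, $cfg.DynamicPorts
} else {
    # The SPN you would expect to find on the SQL service account for this host.
    'Expected SPN for this host: MSSQLSvc/{0}.{1}:{2}' -f $env:COMPUTERNAME, $env:USERDNSDOMAIN, $cfg.StaticPort
}

$scheme = Get-SqlAuthScheme
if ($scheme -eq 'KERBEROS') {
    'Connection authenticated with Kerberos.'
} else {
    Write-Warning "Connection authenticated with $scheme, not Kerberos: check the MSSQLSvc SPNs and the port."
}
```

Checking auth_scheme is the quickest way to tell the two cases apart: a single hop will succeed with NTLM and look fine, and only the second hop (IIS to SQL Server on behalf of the user) fails, so confirming KERBEROS from the web server saves chasing the wrong layer.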

When you get Kerberos to work, it works great and pays off in large dividends. Although a lot of this stuff can be seen as a job for the network admin, I feel that as developers we should at least have an understanding of what happens behind the smoke & mirrors of the network. For me it's definitely helped out and taken away a lot of the guesswork & frustrations of "Why the *&!$ isn't it working?"

If you're interested in finding out more about Kerberos, I highly recommend this webcast.
