Service Principal Name Headache
Yet another post to remind myself just in case I forgot... again.
Troubleshooting Kerberos authentication is a pain.
Rules of thumb:
"Thou shalt not have more than one service account registered for the same service on the same server at any one time."
"If thou hast ever found thyself in need of violating rule #1, consider assigning the SPN ONLY to the server's own computer account."
In Kerberos terms: a given SPN (say HTTP/Server1) must be registered on exactly one account in the forest. If the KDC finds the same SPN on two accounts it cannot tell which account's key to encrypt the service ticket with, so the client either gets a ticket the service cannot decrypt (KRB_AP_ERR_MODIFIED on the service side) or no Kerberos ticket at all, and authentication fails or silently falls back to NTLM.
Say you have Server1 and Server2, which belong to domain DOMAIN, and ServiceAccount1 and ServiceAccount2, which need to run an HTTP service on those servers (and be trusted for delegation).
See the following scenarios (left: the SPN, right: the account it is registered on):
Forbidden (the same SPN, HTTP/Server1, is registered on two service accounts, so it is a duplicate):
HTTP/Server1 DOMAIN\ServiceAccount1
HTTP/Server1 DOMAIN\ServiceAccount2
Allowed (one service account holds the HTTP SPN for two different servers; these are two distinct SPNs):
HTTP/Server1 DOMAIN\ServiceAccount1
HTTP/Server2 DOMAIN\ServiceAccount1
Forbidden (a service account and the server's computer account both hold HTTP/Server1; still a duplicate, it does not matter that one of them is the computer account):
HTTP/Server1 DOMAIN\ServiceAccount1
HTTP/Server1 DOMAIN\Server1
Allowed (only the server's computer account holds the HTTP SPN for that particular server):
HTTP/Server1 DOMAIN\Server1
Note that a computer account already carries HOST/Server1 and HOST/Server1.domain.fqdn by default, and HOST is a generic service class that the KDC maps to HTTP (among others) when no explicit HTTP SPN exists. That is why rule #2 works: if the HTTP service runs as the computer account (Local System / Network Service) you usually do not need to add an HTTP SPN at all, and you only need an explicit HTTP/Server1 SPN when the service runs under a dedicated service account.
Tools that you can use to troubleshoot SPN issues are:
CSVDE + Excel: You can use these two to find out if you have duplicate SPNs.
For example, run CSVDE -f results.csv -r "(objectClass=User)" -l "sAMAccountName,servicePrincipalName"
from a Command Prompt and then open results.csv in Excel and filter the data there to find the duplicates. The (objectClass=User) filter also returns computer accounts, because computer is a subclass of user in the AD schema; you want that, since computer accounts hold SPNs too. After you have found the duplicates, remove the offending SPN with SETSPN, e.g. setspn -D HTTP/Server1 ServiceAccount2.
SETSPN -X: On Windows Server 2008 and later, setspn -X searches the domain for duplicate SPNs directly (add -F to search the whole forest), so you can skip the CSV export. Use setspn -S instead of setspn -A when adding SPNs; -S checks for an existing duplicate before it writes and refuses to create one.
KERBTRAY: You can use this tool to purge cached Kerberos tickets on the fly, so the client requests a fresh ticket after you fix the SPN. Waiting for the ticket to expire by itself is a pain in the butt. On Windows Vista / Server 2008 and later, klist purge does the same from the command line (run it in the context of the user or service whose cache you want to clear).
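The CSVDE + Excel step above can be done without Excel. The following PowerShell is an added example and is not code from the original post: it parses a CSVDE export, lists every SPN that is registered on more than one account, and prints the setspn -D commands that would apply rule #2 (keep the SPN on the computer account, remove it from the service accounts). It assumes the CSVDE conventions that the DN column comes first and that multi-valued attributes are joined with ";"; the $sample text is a constructed stand-in for results.csv, and the account and domain names in it are made up.

```powershell
# Added example (not from the original post): find duplicate SPNs in a CSVDE export.
# Assumes the export was produced by
#   csvde -f results.csv -r "(objectClass=user)" -l "sAMAccountName,servicePrincipalName"
# CSVDE emits a DN column first and joins multi-valued attributes with ';'.
# $sample below is a constructed stand-in for results.csv (names are made up).

$sample = @'
DN,sAMAccountName,servicePrincipalName
"CN=Server1,OU=Servers,DC=domain,DC=local",SERVER1$,"HOST/Server1;HOST/Server1.domain.local;HTTP/Server1"
"CN=Server2,OU=Servers,DC=domain,DC=local",SERVER2$,"HOST/Server2;HOST/Server2.domain.local"
"CN=ServiceAccount1,OU=Service,DC=domain,DC=local",ServiceAccount1,"HTTP/Server1;HTTP/Server2;HTTP/Server1.domain.local"
"CN=ServiceAccount2,OU=Service,DC=domain,DC=local",ServiceAccount2,"http/server1"
"CN=jdoe,OU=Users,DC=domain,DC=local",jdoe,
'@

function Get-DuplicateSpn {
    param([Parameter(Mandatory)][string[]]$CsvLines)

    $rows = $CsvLines | ConvertFrom-Csv

    # Flatten to one object per (SPN, account) pair. Accounts with no SPN are skipped.
    $pairs = foreach ($row in $rows) {
        if ([string]::IsNullOrWhiteSpace($row.servicePrincipalName)) { continue }
        foreach ($spn in $row.servicePrincipalName -split ';') {
            [pscustomobject]@{ SPN = $spn.Trim(); Account = $row.sAMAccountName }
        }
    }

    # Group-Object is case-insensitive by default, so HTTP/Server1 and http/server1
    # land in the same group, which is how the KDC and setspn -X treat them too.
    $pairs | Group-Object -Property SPN |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                SPN      = $_.Name
                Accounts = @($_.Group.Account)
            }
        }
}

$dupes = Get-DuplicateSpn -CsvLines ($sample -split "`r?`n")

if (-not $dupes) {
    Write-Host "No duplicate SPNs found."
}
foreach ($d in $dupes) {
    Write-Host "Duplicate SPN $($d.SPN) is registered on: $($d.Accounts -join ', ')"
    # Rule #2: keep the SPN on the computer account (sAMAccountName ends in '$')
    # and show the setspn commands that would strip it from every other account.
    foreach ($acct in ($d.Accounts | Where-Object { $_ -notlike '*$' })) {
        Write-Host "  setspn -D $($d.SPN) $acct"
    }
}
```

With the constructed sample this reports HTTP/Server1 registered on SERVER1$, ServiceAccount1 and ServiceAccount2 (the second "Forbidden" scenario above, plus a case-variant duplicate) and suggests removing it from the two service accounts; HTTP/Server2 on ServiceAccount1 alone is left untouched, as in the "Allowed" scenario. Review the suggested commands before running them: if the HTTP service on Server1 actually runs under ServiceAccount1, the SPN should stay there and be removed from the other account(s) instead. On a live domain, setspn -X gives you the same duplicate list without the export.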