Friday, March 26, 2010

Setting up Kerberos for SharePoint 2007 using Windows Server 2008 R2 and IIS 7.5

You can find a complete guide at http://technet.microsoft.com/en-us/library/cc263449.aspx to set up Kerberos authentication for SharePoint 2007 if you are using Windows Server 2003 and IIS 6.0. If you are using Windows Server 2008/R2 and IIS 7/7.5, you may find that Windows integrated authentication has Kernel-mode authentication enabled by default, which can prevent Kerberos from working as expected if you follow the steps in the TechNet article.

To keep it simple and easy to follow, I've listed the steps taken to make Kerberos work:
  1. Set SPNs for all service accounts.
  2. Delegate trust to the service accounts and machine accounts.
  3. On the WFEs, open Local Security Policy and add the SharePoint site's application pool service account to "Act as part of the operating system" and "Impersonate a client after authentication".
  4. Ensure all servers are able to ping each other and that the IP addresses and hostnames are mapped correctly.
  5. Open the Central Administration site -> Application Management -> Authentication Providers, make sure the correct web application is selected, then change the authentication type to "Negotiate".
  6. On the WFEs, open IIS Manager and navigate to the SharePoint web application -> Authentication -> Windows Authentication, then click Advanced Settings. Uncheck "Enable Kernel-mode authentication".
  7. On the WFEs, run IISRESET /noforce.
Note: If you wish to keep Kernel-mode authentication enabled for Windows integrated authentication, then you will need to follow the instructions at http://harbar.net/archive/2008/05/18/Using-Kerberos-with-SharePoint-on-Windows-Server-2008.aspx .
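As an added example (not part of the original post, and not Microsoft's or SharePoint's own scripts), here are command-line equivalents of steps 1, 2, 3, 6 and 7 above for Windows Server 2008 R2, followed by a check that clients are really getting Kerberos rather than falling back to NTLM. All account names, host names and the IIS site name are placeholders. It assumes the RSAT Active Directory module is installed where the AD commands are run, and that the IIS and event-log commands are run as a local administrator on each WFE.

```powershell
# Added example, not from the original post. Placeholders: CONTOSO, sp-apppool, sp-farm,
# portal.contoso.local, WFE01/WFE02, "SharePoint - 80". Adjust to your own farm.
Import-Module ActiveDirectory              # assumption: RSAT AD module is installed

$domain      = 'CONTOSO'                   # placeholder NetBIOS domain name
$appPoolAcct = 'sp-apppool'                # placeholder: web application's app pool account
$farmAcct    = 'sp-farm'                   # placeholder: farm / Central Administration account
$siteHost    = 'portal.contoso.local'      # placeholder: host header of the web application
$wfes        = 'WFE01', 'WFE02'            # placeholder: web front end computer accounts
$iisSite     = 'SharePoint - 80'           # placeholder: IIS site name of the web application

# --- Step 1: SPNs on the app pool account (FQDN and short name).
# setspn -S refuses to add a duplicate; a duplicate HTTP/ SPN is the most common reason
# Kerberos quietly falls back to NTLM, so prefer -S over -A and run -X afterwards.
setspn -S "HTTP/$siteHost" "$domain\$appPoolAcct"
setspn -S "HTTP/$($siteHost.Split('.')[0])" "$domain\$appPoolAcct"
setspn -L "$domain\$appPoolAcct"           # show what is now registered
setspn -X                                  # report duplicate SPNs across the forest

# --- Step 2: delegation ("Trust this user/computer for delegation to any service").
Set-ADUser -Identity $appPoolAcct -TrustedForDelegation $true
Set-ADUser -Identity $farmAcct    -TrustedForDelegation $true
foreach ($wfe in $wfes) { Set-ADComputer -Identity $wfe -TrustedForDelegation $true }

# --- Step 3 check (run on each WFE): the two rights are SeTcbPrivilege ("Act as part of
# the operating system") and SeImpersonatePrivilege ("Impersonate a client after
# authentication"). Exporting the local policy shows exactly which SIDs hold them.
secedit /export /cfg "$env:TEMP\secpol.inf" | Out-Null
Get-Content "$env:TEMP\secpol.inf" | Select-String '^Se(Tcb|Impersonate)Privilege'

# --- Step 6 (run on each WFE): turn off kernel-mode authentication for the site.
$appcmd = "$env:windir\system32\inetsrv\appcmd.exe"
& $appcmd set config $iisSite -section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:"False" /commit:apphost
& $appcmd list config $iisSite -section:system.webServer/security/authentication/windowsAuthentication

# --- Step 7 (run on each WFE).
iisreset /noforce

# --- Verification, client side: purge tickets, browse to the site, then look for the
# service ticket. klist ships with Windows 7 / Server 2008 R2.
klist purge
# (open http://$siteHost in the browser, then:)
klist | Select-String "HTTP/$siteHost"

# --- Verification, server side (on the WFE): network logons (type 3) whose
# authentication package is Kerberos. If they all say NTLM, revisit steps 1 and 2.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 200 |
    Where-Object { $_.Message -match 'Logon Type:\s+3' -and
                   $_.Message -match 'Authentication Package:\s+Kerberos' } |
    Select-Object -First 5 TimeCreated, Message
```

The secedit export lists rights by SID (for example `*S-1-5-21-...`), so compare them against the app pool account's SID; "Act as part of the operating system" is one of the most powerful local rights on the box, which is why it is worth confirming that only the intended account holds it. The `klist` line is the quickest single test: if no `HTTP/` ticket for the site appears after browsing, the browser never attempted Kerberos, and the SPN or the host-name mapping from step 4 is the place to look.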
