If you’re in the middle of implementing Kerberos for something, remember that Kerberos authentication fails whenever you use CNAME records in DNS instead of A records.
Why is this?
This is because when, for example, IE asks AD “which account has an SPN registration for kerberos.marcvalk.net”, and kerberos.marcvalk.net is a CNAME for IIS_Server.marcvalk.net, the reply will be IIS_Server.marcvalk.net and not the service account.
So you’ll probably see a pop-up authentication box with a title of IIS_Server.marcvalk.net and not the correct host header, kerberos.marcvalk.net.
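The lookup described above can be modelled offline to audit which host names will break. This is an added example, not code from the original post: the account names, the IP address and the `intranet` host are constructed assumptions, and the DNS and SPN tables stand in for real DNS and AD queries.

```python
# Constructed sample data. Only kerberos.marcvalk.net and IIS_Server.marcvalk.net
# come from the post; accounts, IP and the "intranet" host are assumptions.
# DNS names and SPNs compare case-insensitively, so keys are stored lowercase.
SERVICE_ACCOUNT = r"MARCVALK\svc_web"      # identity the web application runs as
DNS_ZONE = {
    "kerberos.marcvalk.net": ("CNAME", "iis_server.marcvalk.net"),
    "iis_server.marcvalk.net": ("A", "192.0.2.10"),
    "intranet.marcvalk.net": ("A", "192.0.2.10"),
}
SPN_DIRECTORY = {                           # SPN -> AD account that owns it
    "http/kerberos.marcvalk.net": SERVICE_ACCOUNT,
    "http/intranet.marcvalk.net": SERVICE_ACCOUNT,
    "host/iis_server.marcvalk.net": r"MARCVALK\IIS_SERVER$",
}

def canonical_name(host, zone, max_hops=8):
    """Follow CNAME records to the name that holds the A record."""
    name = host.lower()
    for _ in range(max_hops):
        rtype, value = zone[name]
        if rtype == "A":
            return name
        name = value.lower()
    raise ValueError("CNAME chain too long or looping: " + host)

def spn_owner(host, spns):
    """Account owning the HTTP SPN; HOST/ covers HTTP by default in AD."""
    for service_class in ("http", "host"):
        owner = spns.get(f"{service_class}/{host}")
        if owner:
            return owner
    return None

def check(host, service_account=SERVICE_ACCOUNT, zone=DNS_ZONE, spns=SPN_DIRECTORY):
    """Report which account a ticket for `host` would be issued for."""
    target = canonical_name(host, zone)     # the SPN is built from this name
    owner = spn_owner(target, spns)
    ok = owner is not None and owner.lower() == service_account.lower()
    return {"requested": host, "spn": "HTTP/" + target,
            "ticket_for": owner, "kerberos_ok": ok}

if __name__ == "__main__":
    for h in ("kerberos.marcvalk.net", "intranet.marcvalk.net"):
        print(check(h))
```

The CNAME name fails even though `HTTP/kerberos.marcvalk.net` is registered to the service account, because that SPN is never the one requested.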