Kerberos is used when you have Windows authentication with impersonation and the impersonated user needs to access resources outside the web server.
For example, you need it when your SharePoint server has to call an Exchange web service to get the user's mail and calendar.
To enable Kerberos authentication, you need to complete the following tasks:
- From Central Administration, change the web application settings to use Kerberos (Negotiate) authentication instead of NTLM authentication.
- To add the SPNs for the web server, from a command prompt, execute:
  - setspn -a HTTP/ServerName Domain\ServerName
  - setspn -a HTTP/ServerName.Domain Domain\ServerName
- To add the SPNs for the application pool user, from a command prompt, execute:
  - setspn -a HTTP/ServerName Domain\User
  - setspn -a HTTP/ServerName.Domain Domain\User
- Finally, from Active Directory Users and Computers, mark the application pool user as trusted for delegation.
More details are in the article "How to configure a Windows SharePoint Services virtual server to use Kerberos authentication and how to switch from Kerberos authentication back to NTLM authentication".
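To verify the result of the steps above, the following PowerShell script (an added example, not part of the original article) reports which account holds each HTTP SPN and what delegation setting the application pool account has. An SPN registered on more than one account prevents the KDC from issuing a ticket for it, so the script flags that case. `ServerName`, `Domain` and `User` are the article's placeholders, and the script assumes it runs on a domain-joined machine and searches only the current domain.

```powershell
# Added example, not from the original article. ServerName, Domain and User are
# the article's placeholders; pass real values. Searches the current domain only.
param(
    [string]$ServerName = 'ServerName',
    [string]$Domain     = 'Domain',
    [string]$User       = 'User'
)

$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl bit: unconstrained delegation

function Get-SpnOwner([string]$Spn) {
    # Return the sAMAccountName of every account whose servicePrincipalName matches $Spn.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($r in $searcher.FindAll()) { [string]$r.Properties['samaccountname'][0] }
}

# 1. Each SPN from the setspn steps must resolve to exactly one account.
foreach ($spn in "HTTP/$ServerName", "HTTP/${ServerName}.${Domain}") {
    $owners = @(Get-SpnOwner $spn)
    switch ($owners.Count) {
        0       { "MISSING    $spn is not registered" }
        1       { "OK         $spn -> $($owners[0])" }
        default { "DUPLICATE  $spn -> $($owners -join ', ')" }
    }
}

# 2. Delegation setting on the application pool account.
$acct = ([adsisearcher]"(&(objectCategory=person)(sAMAccountName=$User))").FindOne()
if (-not $acct) {
    "NOT FOUND  $Domain\$User"
} else {
    $uac = [int]$acct.Properties['useraccountcontrol'][0]
    # msDS-AllowedToDelegateTo is only present when constrained delegation is configured.
    $constrained = $acct.Properties.Contains('msds-allowedtodelegateto')
    if ($uac -band $TRUSTED_FOR_DELEGATION) {
        "DELEGATION $User is trusted for delegation to any service (unconstrained)"
    } elseif ($constrained) {
        "DELEGATION $User is limited to: $($acct.Properties['msds-allowedtodelegateto'] -join ', ')"
    } else {
        "DELEGATION $User is not trusted for delegation"
    }
}
```

An unconstrained result means the account can forward a user's ticket to any service, so it is worth confirming that setting is intended for the application pool account.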