Wednesday, November 01, 2006

Authentication and Access Control Diagnostics

In my previous post, I talked about an IIS issue when using integrated authentication and a custom service account that does not have a service principal name. The problem took some time to diagnose and solve, and it was only later that the Authentication and Access Control Diagnostics tool came to my attention. I replicated the original issue and ran the tool with some very positive results.

Diagnosis with the Check Authentication task clearly indicates that the custom identity of the application pool under which the virtual directory is running does not have a service principal name, and that Kerberos authentication will fail.

Once Kerberos authentication is disabled, only NTLM is available. Rerunning the Check Authentication task results in the warning below -


I think this is a great tool, and one that will save my team a great deal of time in future.
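
The missing service principal name described above can also be checked directly against Active Directory. The PowerShell below is an added example, not part of the original post or of the diagnostics tool; it reports which account, if any, holds each HTTP SPN for a site. The account name `svc-apppool` and the host names are placeholders to replace with your own.

```powershell
# Added example: check that the application pool identity holds the HTTP SPNs
# that clients will request for the site. All names below are placeholders.
param(
    [string]$Account = 'svc-apppool',                              # hypothetical sAMAccountName
    [string[]]$HostNames = @('intranet', 'intranet.example.com')   # hypothetical site names
)

function Find-SpnOwner {
    param([string]$Spn)
    # Search the current domain for every object that registers this SPN.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PropertiesToLoad.Add('sAMAccountName') | Out-Null
    $searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] }
}

foreach ($h in $HostNames) {
    $spn    = "HTTP/$h"
    $owners = @(Find-SpnOwner -Spn $spn)

    # One explicit registration on the pool identity is the only healthy state.
    $status = if ($owners.Count -eq 0) {
        'NOT REGISTERED on any account'
    } elseif ($owners.Count -gt 1) {
        'DUPLICATE: registered on more than one account'
    } elseif ($owners[0] -ieq $Account) {
        'OK'
    } else {
        "WRONG ACCOUNT: held by $($owners[0])"
    }

    [pscustomobject]@{
        SPN    = $spn
        Owners = $owners -join ', '
        Status = $status
    }
}
```

Any status other than `OK` means Kerberos tickets for that name cannot be decrypted by the application pool identity. `setspn -L <account>` lists the same registrations for a single account.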
