We use Kerberos authentication for our websites and it works perfectly most of the times. Means we have enabled only Windows authentication and use Negotiate, NTLM (in the same order) for providers
But sometimes we have seen issues with in our applications and we suspect it happens when the Kerberos authentication fails. (mainly for the first calls after an iisreset). This happens only when we have more than one node behind the load balancer.
Is there anyway in IIS logs I can see if there was an actual Kerberos authentication failure? I can see too many entries with sc-status as 401 within IIS logs.
Later what I read was 401 responses are a part of Kerberos authentication. Where the first response for a request will be a 401, then one subsequent call will be made with the same url and with the authentication headers for which we should get different response for sc_status (200 or some status code). Even in this case how we can differentiate between the first call and the second call in IIS logs?
