After a change from 2-tier to 3-tier and a move of the database from SQL2008 single server to SQL2014 Always-On Cluster the access to the web service does not work anymore.
The SPNs seem to be set correctly. MS SQL Configuration Manager did not find any errors or missing SPN. Nevertheless, there is a problem with Kerberos authentication.
Calling the web service from NST works perfectly. But when I call the web service from a client, I get an authentication error.
Using netmon, I found that the client first gets a valid ticket from KDC1 (domain controller 1). Afterwards the NST asks KDC2 (domain controller 2) and gets a Kerberos response with badoption 0xc.
In my opinion this indicates a missing SPN or a wrong configuration. Whether the SQL AlwaysOn Cluster influences the behavior I could not find out yet.
Does anyone have any ideas?