I had to configure Kerberos, SPNs, delegations and whatnot for a SharePoint BI installation without being able to connect to the AD or give more complex instructions. In short: I had to give a script to the AD admins. Mind you, this is still a work in progress, so changes might come (or not).
I wrote a function to set SPNs and delegation and to allow unconstrained Kerberos delegation.
I put my code in this extra file to keep it safe in a way. An admin won't need to take a look at the file to change it, because all changes are made in this file:
You only need to change the values after "set-kerbuser", remove or add new users and servers. Here are some examples to help you fill out the code:
Example for Domain: "SP"
Example for HTTP/DNS-Value: "HTTP/sprocks.io"
Example for SP/ACCOUNT: "SP/spfarm"
Example for SERVERNAMEFQDN: servername.domain.com
Clarification: Account names for instances in this case are named after the instance, but they don't have to be.
-spnValues:
You have to add the delegation trust to the accounts. For example, Excel is supposed to trust the relational instance, so the code would look like this:
set-kerbuser -Identity "DOMAIN\EXCEL" -spnValues "SP/EXCEL", "MSSQLSvc/SERVERNAMEFQDN:PORT", "MSSQLSvc/SERVERNAME:PORT"
All you need is the identity / account name and the servers you want to delegate trust to. In this case I tried to keep it as simple as possible, that's why I'm using an unconstrained delegation.
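To check what a run of the script actually left on each service account, the following added example (not part of the scripts in the repository) classifies the delegation setting from userAccountControl and msDS-AllowedToDelegateTo. The function name Get-DelegationType and the sample accounts are constructed for illustration.

```powershell
# Added example: classify Kerberos delegation per account from exported AD attributes.
# Get-DelegationType and the sample accounts below are constructed, not from the repository.
function Get-DelegationType {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account
    )
    begin {
        # userAccountControl bits as documented for Active Directory
        $Unconstrained      = 0x80000    # TRUSTED_FOR_DELEGATION
        $ProtocolTransition = 0x1000000  # TRUSTED_TO_AUTH_FOR_DELEGATION
    }
    process {
        $uac     = [int]$Account.userAccountControl
        # Empty or missing attribute becomes an empty array
        $targets = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $type = if ($uac -band $Unconstrained) {
            'Unconstrained'
        } elseif ($targets.Count -gt 0 -and ($uac -band $ProtocolTransition)) {
            'Constrained (any protocol)'
        } elseif ($targets.Count -gt 0) {
            'Constrained (Kerberos only)'
        } else {
            'None'
        }
        [pscustomobject]@{
            Account     = $Account.SamAccountName
            Delegation  = $type
            SPNs        = @($Account.ServicePrincipalName) -join ', '
            DelegatesTo = $targets -join ', '
        }
    }
}

# Constructed sample input using the placeholder names from the text (0x200 = normal account)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'EXCEL';  userAccountControl = (0x200 -bor 0x80000)
                       ServicePrincipalName = @('SP/EXCEL') }
    [pscustomobject]@{ SamAccountName = 'spfarm'; userAccountControl = 0x200
                       ServicePrincipalName = @('SP/spfarm', 'HTTP/sprocks.io') }
    [pscustomobject]@{ SamAccountName = 'RELATIONAL'; userAccountControl = 0x200
                       ServicePrincipalName = @('MSSQLSvc/SERVERNAMEFQDN:PORT')
                       'msDS-AllowedToDelegateTo' = @('MSSQLSvc/SERVERNAMEFQDN:PORT') }
)
$sample | Get-DelegationType | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties userAccountControl,
#     ServicePrincipalName, 'msDS-AllowedToDelegateTo' | Get-DelegationType
```

Rows reported as Unconstrained are the accounts whose services can receive forwarded TGTs, so that column is the one to compare against the list of accounts you intended to change.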
You can find both scripts in my GitHub repository: https://github.com/pkothree/KerberosForSharePointBI.git