
I am working with a system which implements constrained delegation for a double-hop from Firefox 38.2.1 (or IE 11) accessing an intranet .NET 4.5.1 web application running on Windows Server 2012 (IIS 8.5) to SQL Server 2008 R2 on a different server. The delegation scenario is functioning: the user's AD credentials are passed through to the database on a server separate from the web server. The DCs are Windows Server 2008 R2, and we use SPNs.

However, there are scenarios, such as a missing Firefox configuration setting, where Kerberos will fail, and the authentication protocol downgrades to NTLM. Delegation no longer works for a period of time until the Kerberos authentication protocol is automatically reinstated (some sources say 5 minutes; it is more like 10-12 minutes in our testing). Furthermore, the failed delegation affects all users who access the application after the protocol downgrade takes effect until Kerberos is reinstated automatically. In other words, their sessions use NTLM and are blocked from accessing the database for 10-12 minutes.

Is there a way, via the DCs, or code (C#), or IIS/Firefox/IE, to manually restore the authentication protocol to Kerberos, thus shortening the window in which NTLM is the protocol being used?

Rick V

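An added example, not code from the question's author, showing how the web application itself can make the downgrade described above visible: an HTTP module inspects the WindowsIdentity that IIS attaches to each request and logs when Negotiate settled on NTLM rather than Kerberos, so the start of the 10-12 minute window is observed per request instead of being inferred from failed database logins. It assumes a .NET Framework 4.5 System.Web application with Windows authentication (Negotiate) enabled; the module name, the trace sink and the diagnostic header are hypothetical.

```csharp
using System;
using System.Diagnostics;
using System.Security.Principal;
using System.Web;

// Hypothetical HTTP module (added example). Register it in web.config under
// <system.webServer><modules>; it records, for every authenticated request,
// which protocol Negotiate chose, so an NTLM fallback is logged as soon as
// it happens rather than surfacing later as failed back-end connections.
public class AuthProtocolAuditModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        app.PostAuthenticateRequest += OnPostAuthenticateRequest;
    }

    public void Dispose() { }

    // True when the request was authenticated with Kerberos. Exposed as a
    // static helper so a health-check page can reuse the same test.
    public static bool IsKerberos(WindowsIdentity id)
    {
        return id != null &&
               string.Equals(id.AuthenticationType, "Kerberos",
                             StringComparison.OrdinalIgnoreCase);
    }

    private static void OnPostAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        WindowsIdentity id = ctx.User == null ? null
                           : ctx.User.Identity as WindowsIdentity;
        if (id == null) return; // anonymous or non-Windows authentication

        if (!IsKerberos(id))
        {
            // With the Negotiate provider, AuthenticationType reads "NTLM"
            // after the downgrade described in the question; the session's
            // token then cannot be used for the double hop to SQL Server.
            Trace.TraceWarning(
                "{0} authenticated via {1} (impersonation level {2}); " +
                "delegation to the database will fail for this session",
                id.Name, id.AuthenticationType, id.ImpersonationLevel);
            // Hypothetical diagnostic header a monitoring probe can alert on.
            ctx.Response.AppendHeader("X-Auth-Protocol", id.AuthenticationType);
        }
    }
}
```

A synthetic probe that fetches a page with its own Kerberos-enabled client and checks the header will show exactly when the fallback begins and ends, which turns the "10-12 minutes" estimate into a measured value.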