There are quite a lot of good step-by-step manuals available describing how to enable Kerberos authentication for Exchange Server 2013/2016.
The following issue has been seen in an Exchange 2013 infrastructure (8 server DAG) where Outlook clients use OutlookAnyhwere to connect to Exchange Server. MAPI over Http is disabled on an organizational level due to a compatibility issue with another client software.
Even if you follow the detailed descriptions you might end up in a situation where your Outlook clients still won't connect to Exchange Server using Kerberos. The Outlook connection status overview (Ctrl + Right Click on the Outlook icon in System Tray) still shows Ntlm as the used authentication provider:
You are supposed to use the following PowerShell cmdlets to configure OutlookAnywhere to use Kerberos:
Get-OutlookAnywhere -Server CASSERVER | Set-OutlookAnywhere -InternalClientAuthenticationMethod Negotiate
All eight Exchange 2013 servers where still not offering Nego as an authentication provider even after some period of time. Verifying the OutlookAnywhere configurations using PowerShell showed the correct configuration values. So what to do?
A quick check at the IIS authentication settings of the \Rpc virtual directory of the Front End web site (Default Web Site) showed that this virtual directory was still configured to use Ntlm only.
Use the IIS management consolte to add the Negotiate authentication provider to the list of available providers and reorder the list to use Nego first.
Now Outlook clients will pick up the configuration change an will connect to OutlookAnywhere using Kerberos.
You should not use the IIS management console to change any settings of the Exchange Server virtual directories during normal operations. Using the IIS management console should only be used for troubleshooting fancy situations that you encounter in your Exchange Server infrastructure.
The preferred method to change Exchange Server vDir settings is PowerShell.
Enjoy Exchange Server