Forum Discussion
Kerberos authentication not working after IIS/SharePoint rebuild.
When you test, does the APM log show a log that says "S4U ===> OK!"?
If it does, then that indeed indicates that APM is getting a Kerberos ticket and sending it to the web server. Otherwise you'd also see an Authorization header in the HTTP request sent to SharePoint from APM.
So when a ticket is sent but is rejected with a 401 response, that generally indicates that you simply requested a ticket for the wrong service. In your case APM was likely configured to derive the SPN of the SharePoint service in one of two ways: reverse DNS lookup or static SPN Pattern. So let's say you're using the first method:
- APM takes the selected pool member (1.2.3.4) and does a reverse DNS lookup into the domain to get the hostname (sp1.domain.com)
- APM takes that result and derives an SPN (http/sp1.domain.com) and then issues a Kerberos ticket request to the KDC for this SPN
- APM receives the ticket for this SPN, encodes it and passes it in the Authorization header of the HTTP request to the server
If by some chance the SharePoint server (service) is no longer defined by the SPN, then the server will naturally reject the ticket and send back a 401. So then the first thing you should do is validate what service account the SharePoint server is running under, and what SPN(s) is/are defined for that account.
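To make the check the reply recommends concrete, here is an added example (not code from the post or from F5) that models APM's reverse-DNS SPN derivation and compares the result with the SPNs registered on the SharePoint service account. The reverse-DNS table, the account name and the SPN list are all constructed; a real check would use a PTR query and the account's servicePrincipalName values (for example from `setspn -L <account>`).

```python
# Added example, not from the DevCentral post: simulate APM's first SPN
# method (PTR lookup of the pool member, then "<service>/<hostname>") and
# check whether any service account actually holds that SPN. Everything
# below is constructed so it runs offline.

# Constructed reverse-DNS table: pool member IP -> PTR hostname
REVERSE_DNS = {
    "1.2.3.4": "sp1.domain.com",
    "1.2.3.5": "sp2.domain.com",   # rebuilt server; SPN never re-registered
}

# Constructed SPN inventory: service account -> registered SPNs
SERVICE_ACCOUNT_SPNS = {
    "DOMAIN\\svc-sharepoint": ["HTTP/sp1.domain.com", "HTTP/sp1"],
}


def derive_spn(pool_member_ip, reverse_dns=REVERSE_DNS, service="http"):
    """PTR lookup of the pool member, then build '<service>/<hostname>'."""
    hostname = reverse_dns.get(pool_member_ip)
    if hostname is None:
        raise LookupError(f"no PTR record for {pool_member_ip}")
    return f"{service}/{hostname}"


def find_spn_owner(spn, spn_inventory=SERVICE_ACCOUNT_SPNS):
    """Return the account that holds `spn`, or None if nobody does.
    Comparison is case-insensitive, as Active Directory's SPN matching is."""
    wanted = spn.lower()
    for account, spns in spn_inventory.items():
        if wanted in (s.lower() for s in spns):
            return account
    return None


def diagnose(pool_member_ip):
    """Say whether a ticket requested for this pool member would match
    a registered SPN (accepted) or not (the 401 described in the thread)."""
    spn = derive_spn(pool_member_ip)
    owner = find_spn_owner(spn)
    if owner is None:
        verdict = f"{spn} is registered on no service account: expect a 401"
    else:
        verdict = f"{spn} is registered on {owner}: ticket should be accepted"
    return {"spn": spn, "owner": owner, "verdict": verdict}


if __name__ == "__main__":
    for ip in REVERSE_DNS:
        print(ip, diagnose(ip)["verdict"])
```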