Allow Kerberos constrained delegation in a single domain setup

Allow the system-user to do Kerberos constrained delegation for specific SPNs within a single domain setup.

Procedure-related prerequisites

  • ‚óŹ
    The previously described configuration steps have been carried out.


  • 1.
    Go to: Administrative Tools >> Active Directory Users and Computers.
  • 2.
    Open the properties of the system user.
  • 3.
    Change to the Delegation tab.
  • 4.
    Enable the checkbox Trust this user for delegation to specified services only.
  • 5.
    Enable the checkbox Use any authentication protocol.
  • 6.
    Click on Add....
  • 7.
    Click on Users or Computers.
  • 8.
    Click on Advanced.
  • 9.
    Search for the service user or machine account the application pool of the back-end application is running with.
  • Search for the service-user if Register SPN for the service user has been proceeded.

    Search for the machine account if Register SPN for the machine account has been proceeded.

  • 10.
    Select the service user or machine account.
  • 11.
    Click on OK twice.
  • 12.
    Select the SPN which was configured in Register SPN
  • 13.
    Click on OK.
  • The system user is granted to request Kerberos tickets for the configured SPN on behalf of other users.