Allow Kerberos constrained delegation in a single domain setup

Allow the system-user to do Kerberos constrained delegation for specific SPNs within a single domain setup.

Procedure-related prerequisites

  • The previously described configuration steps have been carried out.

Instruction

  1. Go to: Administrative Tools >> Active Directory Users and Computers.
  2. Open the properties of the system user.
  3. Change to the Delegation tab.
  4. Enable the checkbox Trust this user for delegation to specified services only.
  5. Enable the checkbox Use any authentication protocol.
  6. Click on Add....
  7. Click on Users or Computers.
  8. Click on Advanced.
  9. Search for the service user or machine account the application pool of the back-end application is running with.

    10. Search for the service-user if Register SPN for the service user has been proceeded.

    Search for the machine account if Register SPN for the machine account has been proceeded.

  10. Select the service user or machine account.
  11. Click on OK twice.
  12. Select the SPN which was configured in Register SPN
  13. Click on OK.
  14. The system user is granted to request Kerberos tickets for the configured SPN on behalf of other users.