Enable Kerberos constrained delegation for the system user

Kerberos constrained delegation is intended to be used by services and not regular users. Active Directory distinguish service users from regular users whether the user has an SPN registered or not. Regular users have no SPN registered while service users could have one.

The Delegation tab in the user's properties within Active Directory Users and Computers is only available if an SPN is configured. In order to use Kerberos constrained delegation, any SPN must be configured for the system user.

Procedure-related prerequisites

  • The previously described configuration steps have been carried out.
  • You need to run the commands with administrative permissions. Open PowerShell via Run as administrator.

Example values

  • User logon name: srv-airlock-kerberos
  • SPN: http/airlock-gateway-production

Instruction

  1. Run the following commands:
  2. Choose a descriptive name for the SPN. There is no technical requirement for which SPN must be configured.

    copy
    setspn -A http/airlock-gateway-production srv-airlock-kerberos
  1. The SPN has been registered to the system user.