Allow the system user to perform Kerberos constrained delegation to specific SPNs in a single-domain setup.
Procedure-related prerequisites
- The previously described configuration steps have been carried out.
Instruction
- Go to: Administrative Tools >> Active Directory Users and Computers.
- Open the properties of the system user.
- Change to the Delegation tab.
- Enable the checkbox Trust this user for delegation to specified services only.
- Enable the checkbox Use any authentication protocol.
- Click on Add....
- Click on Users or Computers.
- Click on Advanced.
- Search for the service user or machine account under which the application pool of the back-end application runs.
- Select the service user or machine account.
- Click on OK twice.
- Select the SPN that was configured in Register SPN.
- Click on OK.
- The system user is now allowed to request Kerberos tickets for the configured SPN on behalf of other users.
Search for the service user if Register SPN for the service user was carried out.
Search for the machine account if Register SPN for the machine account was carried out.
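The same configuration can be applied and verified with the ActiveDirectory PowerShell module instead of the ADUC dialog. This is an added example, not part of the original procedure; the account name svc-frontend and the SPN HTTP/backend.example.com are assumed placeholders for the system user and the SPN registered in Register SPN.

```powershell
# Added example: constrained delegation with protocol transition via PowerShell.
# Placeholder values, replace with the real system user and back-end SPN.
Import-Module ActiveDirectory

$SystemUser = 'svc-frontend'               # assumed: the system user
$BackendSpn = 'HTTP/backend.example.com'   # assumed: SPN from "Register SPN"

# "Trust this user for delegation to specified services only":
# the permitted target SPNs live in msDS-AllowedToDelegateTo.
Set-ADUser -Identity $SystemUser -Add @{ 'msDS-AllowedToDelegateTo' = $BackendSpn }

# "Use any authentication protocol" (protocol transition):
# sets the TRUSTED_TO_AUTH_FOR_DELEGATION bit in userAccountControl.
Set-ADAccountControl -Identity $SystemUser -TrustedToAuthForDelegation $true

# Verification: read back the raw attributes and decode the two delegation bits.
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation (should stay off)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition

$acct = Get-ADUser -Identity $SystemUser -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
$uac  = [int]$acct.userAccountControl

[pscustomobject]@{
    SamAccountName             = $acct.SamAccountName
    Unconstrained              = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
    ProtocolTransition         = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
    AllowedToDelegateTo        = ($acct.'msDS-AllowedToDelegateTo' -join ', ')
}

# Sanity checks a defender wants: only the intended back-end SPN is listed,
# and the account was not accidentally switched to unconstrained delegation.
if ($uac -band $TRUSTED_FOR_DELEGATION) {
    Write-Warning "$SystemUser is trusted for unconstrained delegation; expected constrained only."
}
$unexpected = @($acct.'msDS-AllowedToDelegateTo') | Where-Object { $_ -ne $BackendSpn }
if ($unexpected) {
    Write-Warning "Unexpected delegation targets on ${SystemUser}: $($unexpected -join ', ')"
}
```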