Enable Kerberos constrained delegation for the system user

Kerberos constrained delegation is intended to be used by services, not by regular users. Active Directory distinguishes service users from regular users by whether the user has a service principal name (SPN) registered: regular users have no SPN registered, while service users can have one.

The Delegation tab in the user's properties within Active Directory Users and Computers is only shown if an SPN is registered for the user. In order to use Kerberos constrained delegation, an SPN must therefore be registered for the system user. Which SPN is registered does not matter technically, as long as it is unique within the forest.

Procedure-related prerequisites

  • The previously described configuration steps have been carried out.
  • You need to run the commands with administrative permissions. Open PowerShell via Run as administrator.

Example values

  • User logon name: srv-airlock-kerberos
  • SPN: http/airlock-gateway-production

Instruction

  1. Run the following command:

    Notice

    Choose a descriptive name for the SPN. There is no technical requirement for which SPN must be configured, but the SPN must not already be registered on another account: duplicate SPNs break Kerberos authentication for both accounts.

    Terminal box
    setspn -A http/airlock-gateway-production srv-airlock-kerberos

    The SPN has been registered to the system user.
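The following PowerShell script is an added example and is not part of the Airlock documentation. It performs the step above in a form that first checks the forest for an existing registration of the SPN, registers it only if the name is free, and then verifies the result by reading the account back from Active Directory. It assumes a domain-joined administrative host with setspn.exe and the RSAT ActiveDirectory module installed, and uses the example values from this page.

```powershell
# Added example, not part of the Airlock documentation.
# Assumes: domain-joined host, setspn.exe available, RSAT ActiveDirectory module
# installed, and the example values from this page.
Import-Module ActiveDirectory

$User = 'srv-airlock-kerberos'
$Spn  = 'http/airlock-gateway-production'

# 1. SPNs must be unique in the forest. "setspn -Q" searches the forest and
#    prints "No such SPN found." when the name is free.
$query = (& setspn -Q $Spn 2>&1 | Out-String)
if ($query -notmatch 'No such SPN found') {
    throw "SPN '$Spn' is already registered somewhere in the forest:`n$query"
}

# 2. Register the SPN. "-S" repeats the duplicate check before adding, whereas
#    "-A" (used in the instruction above) adds without checking.
& setspn -S $Spn $User
if ($LASTEXITCODE -ne 0) {
    throw "setspn -S failed with exit code $LASTEXITCODE"
}

# 3. Verify against the directory rather than trusting the tool's console output.
$account = Get-ADUser -Identity $User -Properties ServicePrincipalNames
if ($account.ServicePrincipalNames -notcontains $Spn) {
    throw "SPN '$Spn' is not present on account '$User' after registration"
}

Write-Host "SPN '$Spn' is registered on '$User'."
Write-Host "The Delegation tab is now available for this account in Active Directory Users and Computers."
```

If the first check reports an existing registration, do not proceed with a second account; either pick a different SPN or remove the stale registration from the account that holds it (for example with `setspn -D`) before continuing.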

Further information and links