

How to: Configure an Application to Use Constrained Delegation

Before an application can impersonate the credentials associated with a KerberosToken security token to access a constrained set of resources on a remote computer (constrained delegation), the sender, the receiver, and the domain controller must be configured to allow it. The following procedure lists the steps that enable constrained delegation.

To configure constrained delegation

  1. On the domain controller, clear the Account is sensitive and cannot be delegated check box for the account under which the client application is running.

  2. On the domain controller, select the Account is trusted for delegation check box for the account under which the client application is running.

  3. On the domain controller, configure the middle tier computer so that it is trusted for delegation, by clicking the Trust computer for delegation option.

  4. On the domain controller, configure the middle tier computer to use constrained delegation, by clicking the Trust this computer for delegation to specified services only option.
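
The check boxes and options in the steps above are stored in Active Directory as bits of each account's userAccountControl attribute and, for the specified services, in the msDS-AllowedToDelegateTo attribute. The following Python is an added example, not part of the original topic: it checks exported attribute values against the procedure and reports when the middle tier computer is still trusted for delegation to any service. The function names are hypothetical, and the account names, service name, and attribute values are constructed sample data.

```python
# userAccountControl bits, as documented for Active Directory.
UF_TRUSTED_FOR_DELEGATION = 0x00080000          # trusted for delegation (any service)
UF_NOT_DELEGATED = 0x00100000                   # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition allowed


def check_client_account(entry):
    """Return findings for steps 1 and 2 (the client application's account)."""
    uac = int(entry["userAccountControl"])
    findings = []
    if uac & UF_NOT_DELEGATED:
        findings.append("step 1: account is still marked sensitive and cannot be delegated")
    if not uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append("step 2: account is not trusted for delegation")
    return findings


def delegation_mode(entry):
    """Classify the middle tier computer's delegation setting (steps 3 and 4)."""
    uac = int(entry["userAccountControl"])
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"  # delegation to any service, whatever the list holds
    if not targets:
        return "none"
    if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-any-protocol"
    return "constrained-kerberos-only"


def check_middle_tier(entry):
    """Return findings when the computer is not limited to specified services."""
    mode = delegation_mode(entry)
    if mode == "unconstrained":
        return ["step 4: computer is trusted for delegation to any service"]
    if mode == "none":
        return ["step 4: no services listed in msDS-AllowedToDelegateTo"]
    return []


# Constructed sample entries (values as an LDAP export would show them).
CLIENT_OK = {"sAMAccountName": "clientapp", "userAccountControl": 0x80200}
CLIENT_SENSITIVE = {"sAMAccountName": "clientapp", "userAccountControl": 0x100200}
MIDTIER_CONSTRAINED = {"sAMAccountName": "MIDTIER01$", "userAccountControl": 0x1000,
                       "msDS-AllowedToDelegateTo": ["HTTP/backend.example.test"]}
MIDTIER_UNCONSTRAINED = {"sAMAccountName": "MIDTIER01$", "userAccountControl": 0x81000}

if __name__ == "__main__":
    print(check_client_account(CLIENT_SENSITIVE))
    print(delegation_mode(MIDTIER_CONSTRAINED), check_middle_tier(MIDTIER_UNCONSTRAINED))
```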

For more detailed instructions about configuring constrained delegation, see the following topics on MSDN:

See Also

Tasks

How to: Impersonate the Credentials Associated with a KerberosToken

Other Resources

Kerberos Ticket
Brokered Authentication – Kerberos
Kerberos Technical Supplement for Windows
Protocol transition & constrained delegation