Configuring Constrained Delegation for Kerberos
Updated: August 22, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1
Constrained delegation is new in Windows Server 2003. Unlike unconstrained delegation, it lets an account delegate a user's credentials only to the specific back-end services that you list for that account. It is intended for service accounts, which must have registered Service Principal Names (SPNs), rather than for regular user accounts, which typically do not have an SPN.
The Setspn.exe command-line utility allows you to read, modify, and delete the SPNs registered on an Active Directory service account. Setspn.exe is available in the Support Tools pack on your Windows Server 2003 CD-ROM.
Note: You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /user:MyComputer\Administrator cmd to open a command window with administrator rights, and then type cscript.exe ScriptName (include the script's full path and any parameters).
Note: You must be a domain administrator to set an SPN.
1. Install the Support Tools pack from your Windows Server 2003 CD-ROM.
2. Click Start, point to Programs or All Programs, point to Windows Support Tools, and then click Command Prompt.
3. At the command prompt, type the following command:
setspn -a http/SiteName.DomainName.com Domain\User
where SiteName.DomainName.com is the fully qualified name of the Web site whose application pool runs with the custom identity you created, and Domain\User is that custom identity.
For example, the following command registers the SPN http/contosohr.contoso.com on the custom identity CONTOSO\cd1hr. The http/ prefix is the service class that identifies this as an SPN for a Web site; the same HTTP service class is used whether the site is served over HTTP or HTTPS.
setspn -a http/contosohr.contoso.com CONTOSO\cd1hr
Also register the short (NetBIOS) form of the host name, so that users who browse to http://contosohr rather than to the fully qualified name also obtain a Kerberos ticket. This is a second, distinct SPN, not an alternative spelling of the first:
setspn -a http/contosohr CONTOSO\cd1hr
An SPN must be registered on exactly one account. If you accidentally register the same SPN on two accounts, the KDC may issue a ticket encrypted with the wrong account's key, the Web site cannot decrypt it, and Integrated Windows Authentication falls back to NTLM, which cannot be delegated. Use setspn -l Domain\User to list the SPNs registered on an account and setspn -d SPN Domain\User to delete the duplicate from the account that should not hold it. For more information about Setspn.exe syntax, see Setspn Syntax.
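The complete procedure above, as an added example that is not part of the original page: a batch script for the Windows Server 2003 command prompt that first checks whether any account already holds the Web site's SPNs, then registers both the fully qualified and the short form on the application pool identity, and finally lists the result. The site name contosohr, DNS domain contoso.com and identity CONTOSO\cd1hr are the page's own example values; CONTOSO\OtherAccount is a hypothetical placeholder. The dsquery command is from the Windows Server 2003 administration tools rather than the Support Tools pack.

```batch
@echo off
rem Added example, not from the original page: register the SPNs an IIS 6.0 application
rem pool identity needs for Kerberos, and check that no other account holds the same SPN.
rem Assumed values: site contosohr in DNS domain contoso.com, custom identity CONTOSO\cd1hr.
rem Run from a Windows Support Tools command prompt as a domain administrator.
setlocal
set SITE=contosohr
set DNSDOMAIN=contoso.com
set ACCOUNT=CONTOSO\cd1hr

rem Step 1: find any account that already holds either SPN form. Setspn.exe in Windows
rem Server 2003 adds an SPN without checking for duplicates, and a duplicate makes the KDC
rem issue tickets the Web site cannot decrypt, so clients fall back to NTLM (no delegation).
rem dsquery * runs an LDAP search; servicePrincipalName matching is case-insensitive.
echo Accounts currently holding an http/%SITE% SPN (should be none before registering):
dsquery * domainroot -filter "(|(servicePrincipalName=http/%SITE%.%DNSDOMAIN%)(servicePrincipalName=http/%SITE%))" -attr sAMAccountName servicePrincipalName

rem Step 2: register both forms on the application pool identity. A browser requests a
rem ticket for whichever host name the user typed, so both SPNs must be on this account.
setspn -a http/%SITE%.%DNSDOMAIN% %ACCOUNT%
setspn -a http/%SITE% %ACCOUNT%

rem Step 3: confirm what is now registered on the identity.
echo SPNs registered on %ACCOUNT%:
setspn -l %ACCOUNT%

rem If step 1 showed another account holding one of these SPNs, delete it from that account
rem (not from the application pool identity), for example:
rem setspn -d http/%SITE%.%DNSDOMAIN% CONTOSO\OtherAccount
endlocal
```

Run the dsquery check before, not after, the setspn -a commands: once the duplicate exists, the only visible symptoms are intermittent Kerberos failures and an NTLM fallback that silently breaks delegation to back-end services.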
Note: If you are configuring servers running IIS 6.0 in a Windows 2000 Server domain, you can use either the version of Setspn.exe that comes with Windows Server 2003 or the version that comes with Windows 2000 Server.
For more information about configuring application pool identity, see Configuring Application Pool Identity with IIS 6.0.
For more information about Kerberos and service registration, see Integrated Windows Authentication.
For more information about NTLM authentication, see "Authentication" in Help and Support Center for Windows Server 2003.
For more information about Kerberos, see "Kerberos" in Help and Support Center for Windows Server 2003.
For more information about constrained delegation, see "Delegating authentication" in Help and Support Center for Windows Server 2003.