Configuring Constrained Delegation for Kerberos

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

Constrained delegation, which is new in Windows Server 2003, is intended for service accounts, which should have registered Service Principal Names (SPNs), rather than for regular user accounts, which typically do not have an SPN.

The Setspn.exe command-line utility allows you to read, modify, and delete the SPNs registered on an Active Directory account. Setspn.exe is available in the Support Tools pack located on your Windows Server 2003 CD-ROM.

Important

You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /User:MyComputer\Administrator cmd to open a command window with administrator rights and then type cscript.exe ScriptName (include the script's full path and any parameters).

Important

You must be a domain administrator to set an SPN.

To configure constrained delegation

  1. Install the Support Tools pack from your Windows Server 2003 CD-ROM.

  2. Click Start, point to Programs or All Programs, point to Windows Support Tools, and then click Command Prompt.

  3. At the command prompt, type the following command:

    setspn -a http/SiteName.DomainName.com Domain\User

    where SiteName.DomainName.com is the Web site whose application pool runs with the custom identity you created, and Domain\User is that identity.

    For example, the following command assigns "http/contosohr.contoso.com" to the custom identity CONTOSO\cd1hr. The http/ prefix is a service class that identifies this as an SPN for a Web site.

    setspn -a http/contosohr.contoso.com CONTOSO\cd1hr

    Here is another form of the SPN, using just the SiteName, for clients that address the site by its short name rather than its fully qualified name:

    setspn -a http/contosohr CONTOSO\cd1hr

If you register duplicate SPNs accidentally, you can use Setspn.exe to delete the duplicate SPN. For more information about Setspn.exe syntax, see Setspn Syntax.
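The Windows Server 2003 version of Setspn.exe does not check whether an SPN already exists before adding it, so the procedure above can create the duplicates this paragraph describes. The following PowerShell script is an added example, not part of the original article or the Support Tools: it searches Active Directory for an existing holder of each SPN form (http/FQDN and http/short name) and only calls setspn when none is found. The site name contosohr.contoso.com and the account CONTOSO\cd1hr are taken from the article's example; the script assumes it is run on a domain-joined machine with PowerShell 2.0 or later and Setspn.exe on the path.

```powershell
# Added example (not from the original article): register the Web-site SPNs
# for the application pool identity only after checking that no other
# account already holds them. A duplicate SPN breaks Kerberos for the site.
# Assumed inputs (from the article's example): contosohr.contoso.com, CONTOSO\cd1hr.
param(
    [string]$SiteFqdn = 'contosohr.contoso.com',
    [string]$Account  = 'CONTOSO\cd1hr'
)

# The two forms the article registers: http/<FQDN> and http/<short name>.
$spns = @("http/$SiteFqdn", "http/$($SiteFqdn.Split('.')[0])")

foreach ($spn in $spns) {
    # Search the current domain for any object whose servicePrincipalName
    # attribute already contains this value (the match is case-insensitive).
    $searcher = [adsisearcher]"(servicePrincipalName=$spn)"
    $null = $searcher.PropertiesToLoad.Add('sAMAccountName')
    $holders = @($searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'][0] })

    if ($holders.Count -gt 0) {
        # Do not add a second copy; report who holds it so the duplicate can be
        # removed with "setspn -d" before the site's identity is registered.
        Write-Warning "$spn is already registered on: $($holders -join ', '). Skipping."
        continue
    }

    # No existing holder: register the SPN exactly as the article does.
    & setspn -a $spn $Account
}

# List the account's SPNs so the result can be verified.
& setspn -L $Account
```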

Note

If you are configuring servers running IIS 6.0 in a Windows 2000 Server domain, you can use either the version of Setspn.exe that comes with Windows Server 2003 or the version that comes with Windows 2000 Server.

  • For more information about configuring application pool identity, see Configuring Application Pool Identity with IIS 6.0.

  • For more information about Kerberos and service registration, see Integrated Windows Authentication.

  • For more information about NTLM authentication, see "Authentication" in Help and Support Center for Windows Server 2003.

  • For more information about Kerberos, see "Kerberos" in Help and Support Center for Windows Server 2003.

  • For more information about constrained delegation, see "Delegating authentication" in Help and Support Center for Windows Server 2003.