How to configure a service account for Kerberos delegation
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos delegation is to enable an application to access resources hosted on a different server t. For some related content on Active Directory, see the following guides. The sign-in method you are trying to use is not allowed, Active Directory Authentication methods: Kerberos and NTLM, Concept of AD Computer Account, how to create a contact in AD, and for a detailed list of articles on Active Directory, visit the following link, Enable Active Directory Recycle Bin: How to delete and restore objects using Active Directory Administrative Center, How to fix insufficient access right to perform this operation when trying to enable Active Directory Recycle Bin.
You may have so many reasons to configure delegation for Kerberos authentication. For me, I had wanted to test MBAM 2.0 but later decided to install MBAm 2.5 with SP1 and therefore had no need to configure Kerberos delegation. Regardless, I decided to describe the steps here for your need 🙂 The following are the types of delegation. (1) Unconstrained delegation (2) Constrained delegation and (3) RBCD (Resource Based Constrained Delegation. Kindly take a look at this guide “” for more information.
Configure a service account for Kerberos delegation
Furthermore, If you wish to configure constrained delegation when you are using MBAM 2.5 only, please see this link.
– Navigate to Active Directory Users and Computers, click on the right container housing the account (service account), and
– Moreover, Find the app pool credentials (in my case a service account named MBAM-IISAP-SVC),
– Right-click, and go to properties.
– In addition, Click the delegation, and click on the option to trust the user for delegation to any (Kerberos only) and click on OK. Note: If you do want to trust this user to any services, Please select "Trust this user for delegation to the specified services only" and
- Add the service.
That is all that you need to do to configure Kerberos delegation for a user account (service account).You may also want to visit the following interesting articles. What are the merits and demerits of Local System Account and Service Logon Account, how to delete and restore objects using Active Directory Administrative Center, and what are the differences between an Active Directory contact and a user account object?
Alternatively, you could use Active Directory Administrative Center. Here you will have to
- Launch the Active Directory Administrative Center as shown below
Locate the container (OU) that the service account or user account is located in and right click on the user.
– Alternatively, you could click on Properties to display the user account properties”.
– Click the delegation, and click on the option to trust the user for delegation to any (Kerberos only) and click on OK.Note: If you do want to trust this user to any services, Please select "Trust this user for delegation to the specified services only" and
- Add the service.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.
how to set constrained delegation for MBAM?