Showing results for 
Search instead for 
Did you mean: 

Kerberos Constrained Delegation with Windows 2008 R2 server

New Contributor

Kerberos Constrained Delegation with Windows 2008 R2 server


I am facing with difficulties on the windows 2008 system when trying to enable KCD.

I had the working scenario with Windows 2003 but not with 2008.

The setup is a SA2000 ( will be replaced to 2500 soon ) with 6.5 R2

The system that we use for RADIUS authentication is a Windows 2008 server but this just makes RADIUS authnetication which works fine.

The AD is a Windows 2008 R2 server where I created the user spn ( setspn -A HTTP/delegate\delegate)

Here in the AD I have checked the needed configuration like enable delegation to all protocol, specified services and from the list I have picked the IIS7 server ( as it is on a different server as the AD like. and that is a Windows 2008 R2 as well and enabled the http service.

On the IIS configuration I have only Integrated Windows authnetication is enabled for the OWA site as we want to make the delegation to OWA only.

On the SA I have created the Kerberos SSO with capital domain like DOMAIN.ABC.COM and used the Kerberos realm name matching the user realm I use for authnetication. In the service list I have added the IIS and below it the AD as well.

I have removed the default policy which enables all traffic t oall resource, left only the Kerberos policy.

When I try to use the policy, the SA simply does not want to make Constrained Delegation it is doing simple SSO.

I have tried to make differnet realm names, not capital letters,removing the service list leaving only the IIS server, using simply just domain ( without replaced the service account nothing helped.

Could anyone help me in this situation what can be the issue ?

I have used a test system where this was eorking upto that part it gives me the error : KDC cannot fulfill this option.

Thanks in advance for every help !