Kerberos Constrained Delegation with Windows 2008 R2 server
I am facing difficulties on the Windows 2008 system when trying to enable KCD.
I had the working scenario with Windows 2003 but not with 2008.
The setup is an SA2000 (will be replaced with a 2500 soon) with 6.5 R2.
The system that we use for RADIUS authentication is a Windows 2008 server, but this just does RADIUS authentication, which works fine.
The AD is a Windows 2008 R2 server where I created the user SPN (setspn -A HTTP/delegate domain.abc.com\delegate).
Here in the AD I have checked the needed configuration, like enable delegation to all protocol, specified services, and from the list I have picked the IIS7 server (as it is on a different server than the AD, like mail.domain.abc.com, and that is a Windows 2008 R2 as well) and enabled the http service.
On the IIS configuration I have only Integrated Windows authentication enabled for the OWA site, as we want to make the delegation to OWA only.
On the SA I have created the Kerberos SSO with capital domain like DOMAIN.ABC.COM and used the Kerberos realm name matching the user realm I use for authentication. In the service list I have added the IIS and below it the AD as well.
I have removed the default policy which enables all traffic to all resources, and left only the Kerberos policy.
When I try to use the policy, the SA simply does not want to make Constrained Delegation; it is doing simple SSO.
I have tried to make different realm names, not capital letters, removing the service list leaving only the IIS server, using simply just domain (without abc.com), replaced the service account; nothing helped.
Could anyone help me in this situation? What can be the issue?
I have used a test system where this was working up to that part; it gives me the error: KDC cannot fulfill this option.
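
The Active Directory side of the setup described in this post can be read back from the directory, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module, takes the account name and SPN from the post, and treats `http/mail.domain.abc.com` as an assumed SPN for the IIS/OWA host. It also reads the post's "delegation to all protocol, specified services" as the "Use any authentication protocol" option, which is stored as `TrustedToAuthForDelegation`, with the chosen services stored in `msDS-AllowedToDelegateTo`.

```powershell
# Added example. Account and SPN come from the post; $TargetSpn is an assumption.
Import-Module ActiveDirectory

$Account   = 'delegate'                  # service account named in the post
$ExpectSpn = 'HTTP/delegate'             # SPN the post registers with setspn -A
$TargetSpn = 'http/mail.domain.abc.com'  # assumed SPN of the IIS/OWA host

# Read the attributes behind the Delegation tab of the account.
$u = Get-ADUser -Identity $Account -Properties servicePrincipalName,
    'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation, TrustedForDelegation

# Objects holding each SPN; more than one holder means a duplicate SPN.
$spnHolders    = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$ExpectSpn)")
$targetHolders = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$TargetSpn)")

$checks = [ordered]@{
    "SPN $ExpectSpn is set on $Account"          = @($u.servicePrincipalName) -contains $ExpectSpn
    "SPN $ExpectSpn has exactly one holder"      = $spnHolders.Count -eq 1
    "Target SPN $TargetSpn has exactly one holder" = $targetHolders.Count -eq 1
    "Protocol transition enabled (any protocol)" = $u.TrustedToAuthForDelegation
    "Unconstrained delegation is NOT enabled"    = -not $u.TrustedForDelegation
    "Target SPN is in msDS-AllowedToDelegateTo"  = @($u.'msDS-AllowedToDelegateTo') -contains $TargetSpn
}

# One row per check, so a failing setting is visible at a glance.
$checks.GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Check = $_.Key; Pass = [bool]$_.Value }
} | Format-Table -AutoSize

# The full list of services the account may delegate to, as stored in AD.
"Delegation targets on ${Account}:"
@($u.'msDS-AllowedToDelegateTo')
```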