Kerberos delegation is configured in Active Directory Users and Computers by selecting the computer account that will be trusted for the delegation. Within that computer’s Delegation tab of the Properties sheet, selecting either Trust This Computer For Delegation To Any Service (Kerberos Only) or Trust This Computer For Delegation To Specified Services Only and then selecting the Use Kerberos Only radio button results in Kerberos delegation being configured for the computer in question. This is shown in Figure 4-18.

Configuring Kerberos delegation

FIGURE 4-18 Configuring Kerberos delegation for a computer account.

You should also verify that the service account (and any other account used in the delegation) is enabled for delegation. This is accomplished within the user’s Account tab of the Properties sheet (see Figure 4-19). Specifically, the Account Is Sensitive And Cannot Be Delegated box within the Account Options section can’t be selected.

Configuring Kerberos delegation

FIGURE 4-19 Ensuring that the Account Is Sensitive And Cannot Be Delegated box is cleared.