You need to configure the service accounts for the Directory Support Service (DSS) and the Application Server to operate with unconstrained delegation in distributed setup.
To configure the service accounts with unconstrained delegation
Identify the user accounts to be used as the service accounts for DSS and Application Server.
Create the Service Principal Name (SPN) for the Application Server and the DSS services.
The SPN for both the short NetBIOS name and the fully-qualified host name (FQDN) is created. While delegation can work without SPN in Windows Server 2000 domains, it can also fail depending on the operating system that is in use.
You must associate an SPN to a single user account.
The service-name portion of the SPN must match the following:
Enable delegation for the Application Server's service account.
The following service accounts are to be enabled:
When installing the Application Server, specify the FQDN when prompted by the setup for the computer that installed the DSS. This is not mandatory, but sometimes specifying a short NetBIOS name can cause problems.