Before configuring the Service for User (S4U) and constrained delegation, ensure that you configure the service accounts with unconstrained delegation. The S4U configuration is a modification of the unconstrained delegation configuration and is therefore an optional task for you to perform.
See Configuring service accounts with unconstrained delegation.
To configure S4U with constrained delegation
Set up delegation on the Application Server account.
In Active Directory Users and Computers, open the properties for the Application Server's service account and make the following changes on the Delegation tab:
Select Trust this user for delegation to specified services only.
Under Services to which this account can provide delegated credentials, do the following:
Click Add and type in the name of the machine where DSS is installed.
From the list of services, select the LDAP service that has the same port number as the port where the ADAM instance is running, and click OK.
Click Add and type the name of the service account under which the DSS service is running. You can view the custom SPN that was created for the DSS before installation.
On the Application Server computer, open the Local Security Policy editor.
Navigate to Local Policies -> User Rights Assignment and grant the Act as part of the operating system privilege to the Application Server.
Configure the Application Server in the following manner to use S4U authentication:
Reboot the Application Server computer so that the delegation settings can take effect.
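One way to audit the settings this procedure produces, as an added example that is not part of the product documentation. The account name, DSS host name and ADAM port are placeholder assumptions, and the script assumes the ActiveDirectory PowerShell module and an elevated prompt on the Application Server computer.

```powershell
# Added example: audit the delegation settings produced by the procedure above.
# Assumptions: ActiveDirectory module (RSAT) is installed, the prompt is elevated,
# and the three parameter defaults are placeholders, not values from the page.
param(
    [string]$ServiceAccount = 'svc-appserver',   # placeholder: Application Server service account
    [string]$DssHost        = 'dsshost',         # placeholder: machine where DSS is installed
    [int]$AdamPort          = 50000              # placeholder: port of the ADAM instance
)
Import-Module ActiveDirectory

$acct = Get-ADUser -Identity $ServiceAccount -Properties `
    TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# SPNs the account may delegate to (the "specified services" list on the Delegation tab).
$allowed = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

# Expect an LDAP entry for the DSS host on the ADAM port; accept short name or FQDN.
$short   = [regex]::Escape(($DssHost -split '\.')[0])
$ldapSpn = $allowed | Where-Object { $_ -match "^ldap/${short}(\.[^:/]+)?:${AdamPort}$" }

# The local user right "Act as part of the operating system" is SeTcbPrivilege.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$hit = Select-String -Path $inf -Pattern '^SeTcbPrivilege\s*=\s*(.*)$'
$tcbHolders = if ($hit) { $hit.Matches[0].Groups[1].Value -split ',' } else { @() }
Remove-Item $inf -ErrorAction SilentlyContinue

[pscustomobject]@{
    Account              = $acct.SamAccountName
    # True means the account is still trusted for delegation to any service.
    UnconstrainedStillOn = $acct.TrustedForDelegation
    # Reflects the "Use any authentication protocol" option; reported for review only.
    AnyAuthProtocol      = $acct.TrustedToAuthForDelegation
    AllowedToDelegateTo  = $allowed -join '; '
    LdapEntryForDssFound = [bool]$ldapSpn
    ActAsPartOfOsHolders = $tcbHolders -join '; '   # SIDs or names as exported by secedit
}
```

UnconstrainedStillOn should read False once the Delegation tab change is saved, and every entry under AllowedToDelegateTo and ActAsPartOfOsHolders should be one you added deliberately.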