Configuring the S4U and constrained delegation

Before configuring the Service for User (S4U) and constrained delegation, ensure that you configure the service accounts with unconstrained delegation. The S4U configuration is a modification of the unconstrained delegation configuration and is therefore an optional task for you to perform.

See Configuring service accounts with unconstrained delegation.

To configure S4U with constrained delegation

  1. Set up delegation on the Application Server account.

    In Active Directory Users and Computers, open the properties of the Application Server's service account and make the following changes on the Delegation tab:

    • Select Trust this user for delegation to specified services only

    • Select Use any authentication protocol

    • Under Services to which this account can provide delegated credentials, do the following:

      • Click Add and type in the name of the machine where DSS is installed.

        From the list of services, select the LDAP service whose port number matches the port on which the ADAM instance is running, and click OK.

      • Click Add and type the name of the service account under which the DSS service runs. You can view the custom SPN that was created for the DSS before installation.

        Select the service and click OK.

  2. On the Application Server computer, open the Local Security Policy editor.

    Navigate to Local Policies -> User Rights Assignment and grant the privilege Act as part of the operating system to the Application Server.

  3. Configure the Application Server in the following manner to use S4U authentication:

    • In the CCS Console, go to Settings -> System Topology.

    • Select the Application Server component, and open Edit Settings.

    • Change the Authentication type to 'Use controlled delegation of security rights'.

  4. Reboot the Application Server computer so that the delegation settings can take effect.
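The following PowerShell is an added example, not part of the CCS documentation, showing how steps 1 and 2 map onto the underlying Active Directory attributes and local policy so the result can be scripted and verified. It assumes the ActiveDirectory RSAT module and rights to modify the service account; the account name, DSS host, ADAM port and DSS SPN are constructed placeholders and must be replaced with the values from your environment.

```powershell
# Added example (not from the CCS documentation): apply and verify the
# constrained-delegation settings from steps 1 and 2 with PowerShell.
# Requires the ActiveDirectory RSAT module and permission to modify the
# service account; the secedit check runs locally on the Application Server.
# Every name and number below is a constructed placeholder.
Import-Module ActiveDirectory

$AppServerAccount = 'svc-ccs-appserver'           # hypothetical Application Server service account
$DssHost          = 'dsshost.corp.example'        # hypothetical machine where DSS is installed
$AdamPort         = 50000                         # hypothetical port of the ADAM instance
$DssSpn           = 'CCSDSS/dsshost.corp.example' # hypothetical custom SPN registered for DSS

# Step 1: "Trust this user for delegation to specified services only" clears the
# unconstrained flag (TRUSTED_FOR_DELEGATION) and lists the allowed target SPNs in
# msDS-AllowedToDelegateTo. "Use any authentication protocol" sets
# TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition), which is what lets the
# Application Server request a service ticket on the user's behalf via S4U2Self.
$targets = @("ldap/$DssHost`:$AdamPort", $DssSpn)

Set-ADAccountControl -Identity $AppServerAccount `
    -TrustedForDelegation $false `
    -TrustedToAuthForDelegation $true

# -Replace is idempotent and leaves exactly the two services the procedure names;
# -Add would fail if a value is already present.
Set-ADUser -Identity $AppServerAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $targets }

# Verify what was written to the account.
$acct = Get-ADUser -Identity $AppServerAccount `
    -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
$acct | Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation,
    @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }

# Step 2 check (run on the Application Server): list which accounts hold
# SeTcbPrivilege, the internal name of "Act as part of the operating system".
$cfg = Join-Path $env:TEMP 'secpol.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $cfg -Pattern '^SeTcbPrivilege' | Select-Object -First 1
if ($line) {
    $sids = ($line.Line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        # Translate each SID to an account name; translation fails for orphaned SIDs,
        # so fall back to printing the raw SID.
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid }
    }
} else {
    'SeTcbPrivilege is not assigned to any account on this host.'
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Run the first part from a management host with the RSAT module and the second part on the Application Server itself. Keeping msDS-AllowedToDelegateTo limited to the LDAP instance and the DSS SPN is what makes this configuration constrained; any additional entry widens the set of services the account can obtain tickets for, so the verification output is worth reviewing after each change.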