Consider the following scenario:
- You have deployed Windows Server 2008 or later Read-Only Domain Controllers (RODCs).
- You have Windows Server 2003 Domain Controllers in the same domain as your RODCs.
- You have configured Kerberos delegation from a middle-tier server to a back-end server.
In this scenario Kerberos delegation may fail with error KRB_AP_ERR_BAD_INTEGRITY.
Windows Server 2008 or later DCs support detecting which krbtgt account was used and will decrypt the ticket using the appropriate keys.
- Upgrade your Windows Server 2003 DCs to Windows Server 2008 or later
- Configure the environment so that the servers who will be performing delegation will prefer Windows Server 2008 or later DCs when locating a KDC. This can be done through Active Directory site topology and costs, see Overview of Active Directory Sites and Services(http://technet.microsoft.com/en-us/library/cc731907(WS.10).aspx)