How to configure Kerberos Constrained Delegation (S4U2Proxy or Kerberos Only) on a custom service account for Web Enrollment proxy pages

Applies to: Windows Server 2019 (all versions), Windows Server 2008, Windows Server 2012 R2

Summary


The article provides step-by-step instructions to implement Service for User to Proxy (S4U2Proxy) or Kerberos Only Constrained Delegation on a custom service account for Web Enrollment proxy pages.

Note: The workflow in this article is specific to a particular scenario. The same workflow may not work in a different situation, but the principles remain the same.

Configuration


Configuring the Delegation in Active Directory

  1. Configure the HTTP SPNs on the service account for the front-end web server, as shown in the following image.

    [Image: Setting]

    Note: You can also run the setspn -s <SPN> <AccountName> command. For example, run the following command:

    setspn -s HTTP/webenroll2016.contoso.com web_svc

  2. Configure S4U2Proxy (Kerberos Only) Constrained Delegation on the service account.

    [Image: web_svc settings]

  3. On the Machine Account, set S4U2Self (Protocol Transition) Constrained Delegation.

    [Image: set up delegation]
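The three delegation steps above, scripted with the ActiveDirectory PowerShell module and followed by a read-back check, as an added example that is not part of the original article. The account name web_svc and the site SPN come from the article; the server name WEBENROLL2016, the CA host ca01.contoso.com and the HOST/RPCSS SPNs used as delegation targets are assumptions.

```powershell
# Constructed example for this article's scenario (not the article's own script).
# Assumed names: service account web_svc, front-end web server WEBENROLL2016,
# back-end CA host ca01.contoso.com. HOST/RPCSS on the CA as delegation targets
# is an assumption; use whichever CA services the proxy actually calls.
Import-Module ActiveDirectory

$svcAccount  = 'web_svc'
$webServer   = 'WEBENROLL2016'
$caHost      = 'ca01.contoso.com'                       # placeholder
$backendSpns = @("HOST/$caHost", "RPCSS/$caHost")
$httpSpns    = @('HTTP/webenroll2016.contoso.com', 'HTTP/webenroll2016')

# Step 1: HTTP SPNs on the service account (equivalent to setspn -s).
Set-ADUser $svcAccount -ServicePrincipalNames @{Add = $httpSpns}

# Step 2: Kerberos-only constrained delegation (S4U2Proxy) on the service
# account: list the back-end services, keep protocol transition OFF and never
# enable unconstrained delegation.
Set-ADUser $svcAccount -Replace @{'msDS-AllowedToDelegateTo' = $backendSpns}
Set-ADAccountControl $svcAccount -TrustedToAuthForDelegation $false -TrustedForDelegation $false

# Step 3: S4U2Self (protocol transition) on the machine account, same targets.
Set-ADComputer $webServer -Replace @{'msDS-AllowedToDelegateTo' = $backendSpns}
Set-ADAccountControl "$webServer$" -TrustedToAuthForDelegation $true -TrustedForDelegation $false

# Read back the userAccountControl bits so a misconfiguration (especially
# unconstrained delegation) is visible before the web server goes into service.
function Test-DelegationConfig {
    param([string]$SamAccountName, [bool]$ExpectProtocolTransition)
    $o = Get-ADObject -Filter "sAMAccountName -eq '$SamAccountName'" `
            -Properties userAccountControl, 'msDS-AllowedToDelegateTo', servicePrincipalName
    $uac     = [int]$o.userAccountControl
    $targets = @($o.'msDS-AllowedToDelegateTo')
    $pt  = [bool]($uac -band 0x1000000)   # TRUSTED_TO_AUTH_FOR_DELEGATION
    $unc = [bool]($uac -band 0x80000)     # TRUSTED_FOR_DELEGATION (unconstrained)
    [pscustomobject]@{
        Account            = $SamAccountName
        SPNs               = (@($o.servicePrincipalName) -join ', ')
        DelegatesTo        = ($targets -join ', ')
        ProtocolTransition = $pt
        Unconstrained      = $unc
        Ok                 = (-not $unc) -and ($pt -eq $ExpectProtocolTransition) -and ($targets.Count -gt 0)
    }
}

Test-DelegationConfig -SamAccountName $svcAccount   -ExpectProtocolTransition $false
Test-DelegationConfig -SamAccountName "$webServer$" -ExpectProtocolTransition $true
```

Both rows should report Ok = True; a True in the Unconstrained column means the account was switched to "Trust this user for delegation to any service", which this article never asks for.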


Configuring web enrollment for HTTPS

To enable web enrollment pages to work, create a domain certificate for the website, and then bind it to the default first site. To do this, follow these steps:

  1. Click <HOSTNAME>, and then select Server Certificates.

    [Image: Add certificate]

  2. In the Actions pane on the right, select Create a Domain Certificate.
  3. After the certificate is created, select Default Web Site on the left side, and then select Bindings on the right side.
  4. Add the certificate that you enrolled earlier, and bind it to port 443.

    [Image: Add certificate]


Configuring the service account on the front end (web server)

Make sure that the service account is a member of either the local Administrators group or the IIS_Users group on the web server.

[Image: services]

After you install the web enrollment role on the server, start IIS Manager, and then configure the service account as the identity of the default application pool.

  1. Right-click DefaultAppPool, and then click Advanced Settings.

    [Image: Application pool]

  2. In the Process Model > Identity section, add the service account.

    [Image: Application Pool Identity]

  3. Set the Load User Profile setting to True.

    [Image: Advanced Settings]

  4. Restart the computer.