This article provides step-by-step instructions to implement Service for User to Proxy (S4U2Proxy), also known as Kerberos Only Constrained Delegation, on a custom service account for Web Enrollment proxy pages.
Note The workflow that's included in this article is specific to a particular scenario. The same workflow may not work for a different situation. However, the principles remain the same.
Configuring the Delegation in Active Directory
- See the following image for guidance on configuring the HTTP SPNs on the service account for the front-end web server.
Note You can also run the setspn -s SPN Accountname command. For example, run the following command:
setspn -s HTTP/webenroll2016.contoso.com web_svc
- Configure S4U2Proxy (Kerberos Only) Constrained Delegation on the service account.
- On the Machine Account, set S4U2Self (Protocol Transition) Constrained Delegation.
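The three Active Directory steps above can also be scripted and then verified with the ActiveDirectory PowerShell module. This is an added example, not part of the original article: it assumes the service account web_svc, the web server WEBENROLL2016 and the domain contoso.com from the setspn example, and uses a placeholder for the back-end SPN because the article does not name the delegation target.

```powershell
# Added example (not from the original article): scripts the AD-side delegation
# configuration and then prints the result so it can be checked.
# Assumed names: service account web_svc, web server WEBENROLL2016, domain contoso.com.
Import-Module ActiveDirectory

$ServiceAccount = 'web_svc'
$WebServer      = 'WEBENROLL2016'                  # machine account of the front-end web server
$FrontEndSpn    = 'HTTP/webenroll2016.contoso.com'
# Back-end service the enrollment pages reach on the user's behalf.
# PLACEHOLDER: replace with the SPN of your CA host; the article does not name it.
$BackEndSpn     = 'HOST/<CA_HOSTNAME>.contoso.com'

# Step 1: register the HTTP SPN on the service account (equivalent to setspn -s).
Set-ADUser -Identity $ServiceAccount -ServicePrincipalNames @{Add = $FrontEndSpn}

# Step 2: Kerberos-only (S4U2Proxy) constrained delegation on the service account.
# msDS-AllowedToDelegateTo lists the permitted targets; TrustedToAuthForDelegation
# stays $false so the account cannot obtain tickets for users who never presented
# a Kerberos ticket to it (no protocol transition).
Set-ADUser -Identity $ServiceAccount -Add @{'msDS-AllowedToDelegateTo' = $BackEndSpn}
Set-ADAccountControl -Identity $ServiceAccount -TrustedToAuthForDelegation $false

# Step 3: protocol transition (S4U2Self) constrained delegation on the machine account.
$Computer = Get-ADComputer -Identity $WebServer
Set-ADComputer -Identity $Computer -Add @{'msDS-AllowedToDelegateTo' = $BackEndSpn}
Set-ADAccountControl -Identity $Computer -TrustedToAuthForDelegation $true

# Verification: show exactly which delegation each account holds. An unexpected
# target SPN, protocol transition enabled on web_svc, or TrustedForDelegation
# (unconstrained delegation) set to True on either account should be investigated.
$props = 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation', 'TrustedForDelegation'
Get-ADUser -Identity $ServiceAccount -Properties ($props + 'ServicePrincipalNames') |
    Select-Object Name, ServicePrincipalNames, msDS-AllowedToDelegateTo,
                  TrustedToAuthForDelegation, TrustedForDelegation
Get-ADComputer -Identity $WebServer -Properties $props |
    Select-Object Name, msDS-AllowedToDelegateTo,
                  TrustedToAuthForDelegation, TrustedForDelegation
```

Run it from an account that can write the delegation attributes; replication may take a few minutes before the web server picks up the new settings.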
Configuring web enrollment for HTTPS
To enable web enrollment pages to work, create a domain certificate for the website, and then bind it to the default first site. To do this, follow these steps:
- Click <HOSTNAME>, and select Server Certificates.
- In the actions pane on the right, select Create a Domain Certificate.
- After the certificate is created, select Default Web Site on the left side, and then select Bindings on the right side.
- Add the certificate that you enrolled earlier, and bind it to port 443.
Configuring the service account on the front end (web server)
Make sure that the service account is part of either the local administrators or IIS_Users group on the web server.
After you install the web enrollment role on the server, start IIS Manager, and then configure the service account for the default App Pool.
- Right-click DefaultAppPool, and then click Advanced Settings.
- In the Process Model > Identity section of the setting, add the service account.
- Set the Load User Profile setting to True.
- Restart the computer.
For more information, see the following articles:
Constrained delegation for CIFS fails with ACCESS_DENIED error
Authenticating Web Application Users
For more in-depth information about the S4U protocol, see the following articles:
[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol
4.1 S4U2self Single Realm Example
4.3 S4U2Proxy Example