This article has been archived. It is offered "as is" and will no longer be updated.
Applications that perform Kerberos Constrained Delegation (KCD) may not finish the Service-for-User (S4U) process on a computer that is running Windows Server 2008 or Windows Server 2003. This issue occurs in the following scenario:
The service domain contains hosts that are permitted to use KCD.
The user account that is being delegated resides in a trusted forest.
The service domain and the account domain are not root domains in their respective forests.
The KERB_S4U_LOGON struct is populated as follows:
MessageType = KerbS4ULogon ClientUpn = user name ClientRealm = NB domain name
This issue occurs because the Windows operating system does not have the additional mapping data that is required. By default, the additional mapping data is not populated in Active Directory Domain Services (AD DS). Therefore, the operating system is unable to search the whole forest and the whole trust structure to resolve the mappings between unqualified domains and fully qualified domains.
To resolve this issue, follow these steps:
Use the Active Directory Service Interfaces Edit tool to edit the ms-DS-SPNSuffixes attribute in the following configuration container in AD DS:
Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Web Server 2008, Windows Server 2008 for Itanium-Based Systems, Microsoft Windows Server 2003, Datacenter Edition (32-bit x86), Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems, Microsoft Windows Server 2003, Datacenter x64 Edition, Microsoft Windows Server 2003, Enterprise x64 Edition, Microsoft Windows Server 2003, Enterprise Edition (32-bit x86), Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems, Microsoft Windows Server 2003, Standard x64 Edition, Microsoft Windows Server 2003, Standard Edition (32-bit x86)