Applications that perform KCD delegation may not finish the S4U process on a computer that is running Windows Server 2008 or Windows Server 2003

Support for Windows Server 2003 ended on July 14, 2015

Microsoft ended support for Windows Server 2003 on July 14, 2015. This change has affected your software updates and security options. Learn what this means for you and how to stay protected.

This article has been archived. It is offered "as is" and will no longer be updated.
Symptoms
Applications that perform Kerberos Constrained Delegation (KCD) may not finish the Service-for-User (S4U) process on a computer that is running Windows Server 2008 or Windows Server 2003. This issue occurs in the following scenario:
  • The service domain contains hosts that are permitted to use KCD.
  • The user account that is being delegated resides in a trusted forest.
  • The service domain and the account domain are not root domains in their respective forests.
  • The KERB_S4U_LOGON struct is populated as follows:
    MessageType = KerbS4ULogon
    ClientUpn = user name
    ClientRealm = NB domain name
Cause
This issue occurs because the Windows operating system does not have the additional mapping data that is required. By default, the additional mapping data is not populated in Active Directory Domain Services (AD DS). Therefore, the operating system is unable to search the whole forest and the whole trust structure to resolve the mappings between unqualified domains and fully qualified domains.
Resolution
To resolve this issue, follow these steps:
  1. Use the Active Directory Service Interfaces Edit tool to edit the ms-DS-SPNSuffixes attribute in the following configuration container in AD DS:
    (CN=Partitions, CN=Configuration, DC=DomainNamingContext)
    Edit the ms-DS-SPNSuffixes attribute to add NB domain names for all domains in the local domain tree.
  2. Repeat step 1 for each root domain in the trusted forest.
  3. Edit the Name Suffix Routing list in the trusting forest to enable all the following suffixes for all the trusted domains:
    • *.NBDomain suffixes
    • *.FQDN suffixes
  4. Repeat step 3 for each forest that trusts the forest that is modified in step 1.
  5. Repeat steps 1 through 4 as necessary for the remaining forests and trees.
Properties

Article ID: 949015 - Last Review: 01/16/2015 02:21:17 - Revision: 2.0

  • Windows Server 2008 Datacenter
  • Windows Server 2008 Enterprise
  • Windows Server 2008 Standard
  • Windows Web Server 2008
  • Windows Server 2008 for Itanium-Based Systems
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • kbnosurvey kbarchive kbexpertiseadvanced kbtshoot KB949015
Feedback