Enabling delegation

  1. To create an SPN for a domain user account, use the setspn command as follows:

    setspn -s http/ces.msca.com msca\CESSvc

    Notes:
    • The account name is CESSvc.
    • CES is running on a computer with a fully qualified domain name (FQDN) of ces.msca.com in the msca.com domain.
  2. Open the CESSvc domain user account in the domain controller.
  3. From the Delegation tab, select Trust this user for delegation to specified services only.
  4. Select the appropriate delegation based on the authentication method.
    Notes:
    • If you select Windows-integrated authentication, then configure delegation to use Kerberos only.
    • If the service is using client certificate authentication, then configure delegation to use any authentication protocol.
    • If you plan to configure multiple authentication methods, then configure delegation to use any authentication protocol.
  5. Click Add.
  6. In the Add Services dialog, select Users or Computers.
  7. Type your CA server host name, and then click Check Names.
  8. From the Add Services dialog, select either of the following services to delegate:

    • Host service (HOST) for that CA server

    • Remote Procedure Call System Service (RPCSS) for that CA server

  9. Close the domain user properties dialog.

For CEP domain users using Windows-integrated authentication, do the following:

  1. To create an SPN for a domain user account, use the setspn command as follows:

    setspn -s http/cep.msca.com msca\CEPSvc

    Note: The account name is CEPSvc.
  2. Open the CEPSvc domain user account in the domain controller.
  3. From the Delegation tab, select Do not trust this user for delegation.