Configuring constrained delegation requires a Service Principal Name (SPN) for the Symantec CCS ADLDS instance. This SPN is created during installation of the Directory Server, so configure constrained delegation only after the Directory Server has been installed.
You need to configure constrained delegation only if your deployment contains a stand-alone installation of the Directory Server.
To configure a service account for constrained delegation
Open the properties for the Application Server's service account and make the following changes on the Delegation tab:
Select Trust this user for delegation to specified services only. By default the user is set to Do not trust this user for delegation.
Select Use any authentication protocol.
Under Services to which this account can provide delegated credentials, do the following:
Click Add and type the name of the computer where DSS is installed. From the list of services, select the LDAP service whose port number matches the port on which the ADAM instance is running, and click OK.
Click Add and type the name of the service account under which the DSS service runs. You can view the custom SPN that was created for the DSS before installation. Select the service and click OK.
Click Expand to verify that both the short names and long names are present.
On the Application Server computer, open the Local Security Policy editor.
Navigate to Local Policies > User Rights Assignment and grant the privilege Act as part of the operating system to the Application Server.
If you use constrained delegation and choose not to store passwords with CCS, you must grant the service user the Act as part of the operating system privilege. S4U requires this privilege to impersonate an account. If you choose to store the password with CCS, this privilege is not required.
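The Delegation tab settings above map to two Active Directory attributes on the service account: "Trust this user for delegation to specified services only" populates msDS-AllowedToDelegateTo, and "Use any authentication protocol" sets the TrustedToAuthForDelegation flag (protocol transition, the S4U2Self path referred to above). The following PowerShell is an added example, not part of the Symantec documentation, that applies the same configuration with the ActiveDirectory module and then reads back what is stored so the delegation scope can be reviewed. The account name, DSS host name, AD LDS port and custom SPN are placeholders that must be replaced with the values from your own deployment.

```powershell
# Added example (not from the Symantec CCS documentation): configure and verify
# constrained delegation with protocol transition for the Application Server's
# service account. All names and ports below are placeholders.
Import-Module ActiveDirectory

$appServerAccount = 'CCS-AppServerSvc'           # placeholder: Application Server service account
$dssHost          = 'dss01.corp.example'         # placeholder: computer where DSS is installed
$adamPort         = 3890                         # placeholder: port the ADAM / AD LDS instance listens on
$dssCustomSpn     = 'CCSDSS/dss01.corp.example'  # placeholder: custom SPN registered for the DSS service account

# Services the account is allowed to delegate to: the LDAP service on the AD LDS
# port (long and short host names, matching the "Expand" check in the GUI) plus
# the custom SPN of the DSS service account.
$shortHost = $dssHost.Split('.')[0]
$targets = @(
    "ldap/${dssHost}:${adamPort}",
    "ldap/${shortHost}:${adamPort}",
    $dssCustomSpn
)

# "Trust this user for delegation to specified services only" -> msDS-AllowedToDelegateTo.
# -Replace overwrites the list, so the account delegates to exactly these services and nothing else.
Set-ADUser -Identity $appServerAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $targets }

# "Use any authentication protocol" -> TrustedToAuthForDelegation (protocol transition / S4U2Self).
Set-ADAccountControl -Identity $appServerAccount -TrustedToAuthForDelegation $true

# Verification: read back the stored values. TrustedForDelegation (unconstrained
# delegation) must stay False; only the constrained list should be populated.
$acct = Get-ADUser -Identity $appServerAccount `
    -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation, TrustedForDelegation

[pscustomobject]@{
    Account                 = $acct.SamAccountName
    ProtocolTransition      = $acct.TrustedToAuthForDelegation
    UnconstrainedDelegation = $acct.TrustedForDelegation
    AllowedToDelegateTo     = ($acct.'msDS-AllowedToDelegateTo' -join '; ')
} | Format-List
```

Run this from a domain-joined host with the RSAT ActiveDirectory module, as a user who can modify the service account. The read-back at the end is the part worth keeping as a periodic check: the delegation list should contain only the LDAP service on the AD LDS port and the DSS SPN, and UnconstrainedDelegation should remain False.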
After the product is installed, configure delegation for the Application Server in the following manner:
In the CCS Console, go to Settings > System Topology > Map View or go to Settings > System Topology > Grid View.
Right-click the Application Server component and select Edit Settings.
In the Edit Settings dialog box, select the Application Server > Basic option in the left pane.
For the Authentication type option, select Use controlled delegation of security rights in the right pane.
Reboot the DSS and the Application Server computer so that the delegation settings can take effect.