Skip Navigation

Add Kerberos constrained delegation in
Microsoft Active Directory
for
Microsoft SharePoint

There is a limit of 1300 services that can be delegated to one account.
If you want to configure Kerberos constrained delegation (KCD) for File Share repositories only, do not complete this task.
  1. Open
    Microsoft Active Directory Users and Computers
    .
  2. In your domain, click
    Users
    .
  3. Right-click the
    BEMS
    service account. For example, BEMSAdmin. Click
    Properties
    .
  4. In the
    Microsoft Active Directory
    account properties, on the
    Delegation
    tab, select the following options:
    • Trust this user for delegation to specified services only
    • Use any authentication protocol
  5. Click
    Add
    .
  6. Click
    Users or Computers
    .
  7. In the
    Enter the object names to select
    field, type one of the following:
    • If the
      SharePoint
      web application is running under a domain user account, type the
      SharePoint
      Application Pool identity username.
    • If
      SharePoint
      web application is running under the Network Service account, type the
      Microsoft SharePoint
      server name.
  8. Click
    OK
    .
  9. In the
    Add Services
    dialog box, select the HTTP service that corresponds to the
    SharePoint
    web applications running under the account specified in step 7.
  10. Click
    OK
    .
  11. Repeat Steps 4–9 for each application pool identity user and each Web Application identified.