
Kerberos Constrained Delegation with Protocol Transition and Claims to Windows Token Service

Eray ALTILI
3 min read · Oct 29, 2019


Configuring Kerberos Constrained Delegation with Protocol Transition and the Claims to Windows Token Service

C2WTS SharePoint Protocol Transition

To configure identity delegation for a web application running in Claims mode, such as SharePoint, we must configure Kerberos Constrained Delegation with Protocol Transition. The reason is that in Claims mode there is no Windows identity with which to perform impersonation, basic delegation, or true Kerberos Constrained Delegation.

Instead, the Windows Identity Framework component Claims to Windows Token Service (C2WTS) is used to mock real delegation by producing a Windows logon token. C2WTS itself relies on Service For User (S4U). S4U does NOT perform real delegation; it cannot, because there are no user credentials to delegate. It instead gathers the set of SIDs for the user (in this case a service identity). The practical consequence is a hard requirement to use Protocol Transition, which the ADUC UI labels as "Use any authentication protocol".

To set this up, the Active Directory accounts for both the C2WTS service identity and the application pool identity of the service application endpoint must be configured to perform Kerberos Constrained Delegation using Protocol Transition to the back end…
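The Active Directory side of that configuration, as an added PowerShell example (not the article's own code): it sets constrained delegation with protocol transition on the two accounts and then audits which accounts in the domain carry that right. The account names, domain and back-end SPN are placeholders, and the ActiveDirectory RSAT module is assumed.

```powershell
# Added example: configure KCD with protocol transition for the C2WTS service
# identity and the application pool identity, then audit who holds that right.
# Account names, domain and SPN are placeholders for illustration.
Import-Module ActiveDirectory

$DelegatingAccounts = @('svc_c2wts', 'svc_sp_apppool')            # placeholders
$BackEndSpns        = @('MSSQLSvc/sql01.contoso.local:1433')       # placeholder target

foreach ($acct in $DelegatingAccounts) {
    # Constrained delegation: only the listed back-end SPNs may be targeted.
    # -Replace overwrites any existing target list on the account.
    Set-ADUser -Identity $acct -Replace @{ 'msDS-AllowedToDelegateTo' = $BackEndSpns }

    # "Use any authentication protocol" in ADUC = TRUSTED_TO_AUTH_FOR_DELEGATION.
    # Required here because C2WTS/S4U has no user credential to forward.
    Set-ADAccountControl -Identity $acct -TrustedToAuthForDelegation $true
}

# Audit: an account with protocol transition can obtain service tickets for
# any user to its delegation targets, so this list should be short, scoped to
# the exact back-end SPNs, and reviewed regularly.
function Get-ProtocolTransitionAccounts {
    # userAccountControl bit 0x1000000 (16777216) = TRUSTED_TO_AUTH_FOR_DELEGATION;
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $filter = '(userAccountControl:1.2.840.113556.1.4.803:=16777216)'
    Get-ADObject -LDAPFilter $filter -Properties msDS-AllowedToDelegateTo |
        ForEach-Object {
            [pscustomobject]@{
                Account = $_.Name
                Class   = $_.ObjectClass
                Targets = ($_.'msDS-AllowedToDelegateTo' -join '; ')
            }
        }
}

Get-ProtocolTransitionAccounts | Format-Table -AutoSize
```

Any account in the audit output with an empty Targets column, or with targets beyond the intended back-end SPNs, is worth a second look.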


Written by Eray ALTILI

I am passionate about Technology, Cloud Computing, Machine Learning, Blockchain and Finance. All opinions are my own and do not express opinions of my employer.
