To create an SPN for a domain user account, use the setspn command as follows:
setspn -s http/ces.msca.com msca\CESSvc
Notes:
- The account name is CESSvc.
- CES is running on a computer with a fully qualified domain name (FQDN) of ces.msca.com in the msca.com domain.
Open the CESSvc domain user account on the domain controller.
From the Delegation tab, select Trust this user for delegation to specified services only.
Select the appropriate delegation based on the authentication method.
Notes:
- If you select Windows-integrated authentication, then configure delegation to use Kerberos only.
- If the service is using client certificate authentication, then configure delegation to use any authentication protocol.
- If you plan to configure multiple authentication methods, then configure delegation to use any authentication protocol.
Click Add.
In the Add Services dialog, select Users or Computers.
Type your CA server host name, and then click Check Names.
From the Add Services dialog, select either of the following services to delegate:
- Host service (HOST) for that CA server
- Remote Procedure Call System Service (RPCSS) for that CA server
Close the domain user properties dialog.
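To confirm the result of the steps above, the following added example (not part of the original procedure) checks an account object for the SPN, the "specified services only" setting, the protocol choice, and the delegation targets. It assumes the placeholder CA host name `ca01.msca.com`, a hypothetical function name `Test-CesDelegation`, and that the account is used only for CES, so any other delegation target is reported.

```powershell
# Added example: checks a service account against the delegation settings described above.
# 'ca01.msca.com' is a placeholder CA host name; the page does not give one.
function Test-CesDelegation {
    param(
        [Parameter(Mandatory)] $Account,                 # object shaped like Get-ADUser output
        [Parameter(Mandatory)] [string] $ExpectedSpn,    # e.g. http/ces.msca.com
        [Parameter(Mandatory)] [string] $CaHost,         # CA server host name
        [ValidateSet('KerberosOnly', 'AnyProtocol')] [string] $Mode = 'KerberosOnly'
    )
    $findings = @()

    # The SPN created with setspn must be present on the account.
    if (@($Account.servicePrincipalName) -notcontains $ExpectedSpn) {
        $findings += "SPN '$ExpectedSpn' is not registered on the account"
    }
    # "Specified services only" means unconstrained delegation stays off.
    if ($Account.TrustedForDelegation) {
        $findings += 'Account is trusted for delegation to any service (unconstrained)'
    }
    # Protocol transition is on only for "use any authentication protocol".
    $wantTransition = ($Mode -eq 'AnyProtocol')
    if ([bool]$Account.TrustedToAuthForDelegation -ne $wantTransition) {
        $findings += "Protocol transition is $([bool]$Account.TrustedToAuthForDelegation), expected $wantTransition for $Mode"
    }
    # The delegation list should name HOST or RPCSS on the CA server and nothing else.
    $targets = @($Account.'msDS-AllowedToDelegateTo')
    $short = $CaHost.Split('.')[0]
    $allowed = foreach ($svc in 'HOST', 'RPCSS') { "$svc/$CaHost"; "$svc/$short" }
    if (-not ($targets | Where-Object { $allowed -contains $_ })) {
        $findings += "No HOST or RPCSS entry for $CaHost in the delegation list"
    }
    foreach ($t in $targets | Where-Object { $_ -and ($allowed -notcontains $_) }) {
        $findings += "Unexpected delegation target: $t"
    }
    return $findings
}

# Constructed sample standing in for:
#   Get-ADUser CESSvc -Properties servicePrincipalName, msDS-AllowedToDelegateTo,
#       TrustedForDelegation, TrustedToAuthForDelegation
$sample = [pscustomobject]@{
    servicePrincipalName       = @('http/ces.msca.com')
    TrustedForDelegation       = $false
    TrustedToAuthForDelegation = $true
    'msDS-AllowedToDelegateTo' = @('HOST/ca01.msca.com', 'HOST/ca01', 'cifs/files.msca.com')
}
Test-CesDelegation -Account $sample -ExpectedSpn 'http/ces.msca.com' -CaHost 'ca01.msca.com'
```

An empty result means the account matches the selected mode; pass `-Mode AnyProtocol` when client certificate authentication or multiple authentication methods are configured.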