![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
To create an SPN for a domain user account, use the setspn command as follows:
setspn -s http/ces.msca.com msca\CESSvc
Notes:
- The account name is CESSvc.
- CES is running on a computer with a fully qualified domain name (FQDN) of ces.msca.com in the msca.com domain.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
Open the CESSvc domain user account in the domain controller.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
From the Delegation tab, select Trust this user for delegation to specified services only.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
Select the appropriate delegation based on the authentication method.
Notes:
- If you select Windows-integrated authentication, then configure delegation to use Kerberos only.
- If the service is using client certificate authentication, then configure delegation to use any authentication protocol.
- If you plan to configure multiple authentication methods, then configure delegation to use any authentication protocol.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
Click Add.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
In the Add Services dialog, select Users or Computers.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
Type your CA server host name, and then click Check Names.
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
From the Add Services dialog, select either of the following services to delegate:
- Host service (HOST) for that CA server
- Remote Procedure Call System Service (RPCSS) for that CA server
![](https://publications.lexmark.com/media/ids_assets/images/transparent.png)
Close the domain user properties dialog.