Today when we were configuring Kerberos we became a bit confused when we were going to enable the service accounts for delegation. In our experience there is a Delegation tab in the Properties dialog for the User object in Active Directory Users and Computers (ADUC). But this time when we looked at the Properties dialog it was missing! We looked at the computer account and there we had the Delegation tab. We were a bit confused and became unsure whether Delegation was supposed to be configured on the service accounts at all.

Some research revealed that when Active Directory is running at the Windows 2000 functional level there is no Delegation tab; it only appears when AD is running at the Windows 2003 (or higher) functional level. We were using the Windows 2008 functional level, so that was not the problem.

However, further research also revealed that the Delegation tab is only displayed when there is at least one value set in the servicePrincipalName attribute. And that was the solution to our problem!

Side note 1: Setting a ServicePrincipalName (SPN) can be done in a number of ways: ADSIEdit, the Attribute Editor in ADUC and SETSPN.EXE. I like creating things that can be easily repeated in other environments (dev, verification, production, …), so I prefer creating BAT files using SETSPN.EXE, but YMMV.

Side note 2: Now I also realize why the guides around Kerberos configuration tell you to first set the SPNs and then enable Delegation on the service accounts…

Below are some screenshots from my virtual development environment to illustrate the topic. The first screenshot shows my service account with no SPN set.

image

The next screenshot shows that if you turn on Advanced Features in ADUC you can edit object attributes directly in the Properties dialog, using the Attribute Editor tab. You can either enter the value directly in this dialog or run SETSPN.EXE http/lom KRYSS\sqlservice.

image

So when you set at least one SPN for the object you get the Delegation tab. Nice and easy!

image
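Since the point of Side note 1 is repeatability, here is the scripted version of the procedure above, written as an added example for this post rather than taken from it: register the SPN with SETSPN.EXE, read servicePrincipalName back to confirm it is populated (the condition that makes the Delegation tab appear), and report how delegation is currently configured on the account. The domain KRYSS, the account sqlservice and the SPN http/lom are the values from the screenshots; the second SPN with a fully qualified host name is a constructed illustration, and the script assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) is available and that the caller may write SPNs on the account.
#Requires -Modules ActiveDirectory

$Domain  = 'KRYSS'          # from the post
$Account = 'sqlservice'     # from the post
$Spns    = @(
    'http/lom',             # from the post
    'http/lom.kryss.local'  # constructed FQDN form; Kerberos clients usually request the FQDN SPN
)

# setspn -S only adds the SPN after checking the forest for a duplicate.
# A duplicated SPN makes the KDC unable to pick a service, and clients
# silently fall back to NTLM, so prefer -S over -A for every registration.
foreach ($spn in $Spns) {
    & setspn.exe -S $spn "$Domain\$Account"
    if ($LASTEXITCODE -ne 0) {
        throw "setspn.exe failed for '$spn' (exit code $LASTEXITCODE)"
    }
}

# Read the attribute back. The Delegation tab in ADUC is only rendered when
# servicePrincipalName holds at least one value, so this is the real check.
$props = 'servicePrincipalName', 'TrustedForDelegation',
         'TrustedToAuthForDelegation', 'msDS-AllowedToDelegateTo'
$user  = Get-ADUser -Identity $Account -Properties $props

if (-not $user.servicePrincipalName) {
    throw "No SPN registered on $Account; the Delegation tab will not appear."
}

Write-Host "SPNs registered on ${Account}:"
$user.servicePrincipalName | ForEach-Object { "  $_" }

# Report the delegation state. TrustedForDelegation = unconstrained (any service),
# msDS-AllowedToDelegateTo = constrained (listed services only). Constrained is
# the setting to aim for on a service account; unconstrained lets the account
# impersonate users to every service in the domain.
[pscustomobject]@{
    Account                    = $user.SamAccountName
    UnconstrainedDelegation    = [bool]$user.TrustedForDelegation
    ProtocolTransition         = [bool]$user.TrustedToAuthForDelegation
    ConstrainedDelegationTo    = @($user.'msDS-AllowedToDelegateTo')
} | Format-List

# Forest-wide duplicate SPN scan; worth running after any SPN change.
& setspn.exe -X
```

Run it once in each environment (dev, verification, production) after adjusting the three variables at the top; the duplicate check at the end is the step most easily forgotten when SPNs are typed into the Attribute Editor by hand.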