Configuring constrained delegated authentication for CCS

Constrained delegation requires a Service Principal Name (SPN) for the Symantec CCS AD LDS (ADAM) instance. This SPN is created during installation of the Directory Server, so configure constrained delegation only after the Directory Server is installed.
You need to configure constrained delegation only if your deployment contains a standalone installation of the Directory Server.
  To configure a service account for constrained delegation
  1. Open the properties for the Application Server’s service account and make the following changes on the Delegation tab:
    • Select Trust this user for delegation to specified services only. By default the user is set to Do not trust this user for delegation.
    • Select Use any authentication protocol. This enables Kerberos protocol transition, which lets the service account obtain tickets to the listed services on behalf of any user without that user's credentials, so keep the list of services limited to the DSS entries below and protect the service account accordingly.
    • Under Services to which this account can provide delegated credentials, do the following:
      • Click Add and type the name of the computer where DSS is installed. From the list of services, select the LDAP service whose port number matches the port on which the AD LDS (ADAM) instance is running, and click OK.
      • Click Add and type the name of the service account under which the DSS service runs. Select the custom SPN that was created for the DSS during installation of the Directory Server, and click OK.
      • Click Expand to verify that both the short (NetBIOS) and long (fully qualified) names are present for each service.
  2. On the Application Server computer, open the Local Security Policy editor. Navigate to Local Policies > User Rights Assignment and grant the Act as part of the operating system privilege to the Application Server's service account.
    If you use constrained delegation and choose not to store passwords with CCS, the service account needs the Act as part of the operating system privilege, because S4U requires it to impersonate an account. If you choose to store passwords with CCS, this privilege is not required. Grant it only to the service account itself, not to a group the account belongs to.
  3. After the product is installed, configure delegation for the Application Server as follows:
    • In the CCS Console, go to Settings > System Topology > Map View or Settings > System Topology > Grid View.
    • Right-click the Application Server component and select Edit Settings.
    • In the Edit Settings dialog box, select Application Server > Basic in the left pane.
    • For the Authentication type option, select Use controlled delegation of security rights in the right pane.
    • Click Save.
  4. Restart the DSS service and the Application Server computer so that the delegation settings take effect.
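The following PowerShell is an added example, not code from the Symantec CCS documentation or product. It applies the same delegation settings with the ActiveDirectory module (the attributes behind the Delegation tab) and then verifies the result, including the short-name and long-name check and whether the service account holds the Act as part of the operating system right. The account names svc-ccs-app and svc-ccs-dss, the host dss01 and the AD LDS port 3890 are assumptions; replace them with your own.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not part of the Symantec CCS documentation or product.
  Applies and verifies constrained delegation for the CCS Application Server
  service account. All names below are assumptions; replace them:
    svc-ccs-app  Application Server service account
    svc-ccs-dss  account the DSS service runs as
    dss01        computer where DSS (the AD LDS instance) is installed
    3890         port of the AD LDS (ADAM) instance
  Run as an account allowed to edit both user objects. The SeTcbPrivilege
  check at the end reads local policy, so run it on the Application Server.
#>
param(
    [string]$AppServerAccount  = 'svc-ccs-app',
    [string]$DssServiceAccount = 'svc-ccs-dss',
    [string]$DssComputer       = 'dss01',
    [int]   $AdLdsPort         = 3890
)

# --- 1. Collect the services the Application Server may delegate to ----------
# a) LDAP SPNs for the AD LDS port, registered on the DSS computer object
#    (the "LDAP" entry with the matching port in the Add dialog).
$computer = Get-ADComputer -Identity $DssComputer -Properties ServicePrincipalName, DNSHostName
$ldapSpns = @($computer.ServicePrincipalName | Where-Object { $_ -match "^ldap/[^:]+:$AdLdsPort$" })
if ($ldapSpns.Count -eq 0) {
    throw "No ldap/*:$AdLdsPort SPN on $DssComputer. Check the AD LDS instance port."
}
# b) The custom SPN(s) the Directory Server installer registered on the DSS service account.
$dssAccount = Get-ADUser -Identity $DssServiceAccount -Properties ServicePrincipalName
$dssSpns = @($dssAccount.ServicePrincipalName)
if ($dssSpns.Count -eq 0) {
    throw "$DssServiceAccount has no SPN. Install the Directory Server before configuring delegation."
}
[string[]]$targets = ($ldapSpns + $dssSpns) | Sort-Object -Unique

# --- 2. Write the delegation settings on the Application Server account ------
# msDS-AllowedToDelegateTo   <=> "Trust this user for delegation to specified services only"
# TrustedToAuthForDelegation <=> "Use any authentication protocol" (protocol transition)
# Protocol transition lets this account obtain tickets to $targets on behalf of
# ANY user without that user's credentials, so keep $targets limited to DSS.
Set-ADUser -Identity $AppServerAccount -Replace @{ 'msDS-AllowedToDelegateTo' = $targets }
# Explicitly clear the unconstrained flag; an account must never end up with both.
Set-ADAccountControl -Identity $AppServerAccount -TrustedForDelegation $false -TrustedToAuthForDelegation $true

# --- 3. Verify, mirroring the "Expand" check in the UI ------------------------
$acct = Get-ADUser -Identity $AppServerAccount `
        -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation
$allowed   = @($acct.'msDS-AllowedToDelegateTo')
$shortName = "ldap/$($computer.Name):$AdLdsPort"          # NetBIOS form
$longName  = "ldap/$($computer.DNSHostName):$AdLdsPort"   # fully qualified form
$problems  = @()
if ($allowed -notcontains $shortName)      { $problems += "missing short-name SPN $shortName" }
if ($allowed -notcontains $longName)       { $problems += "missing long-name SPN $longName" }
if (-not $acct.TrustedToAuthForDelegation) { $problems += 'protocol transition is not enabled' }
if ($acct.TrustedForDelegation)            { $problems += 'account is UNCONSTRAINED (TrustedForDelegation set)' }

# --- 4. Check "Act as part of the operating system" (SeTcbPrivilege) ----------
# Required only when passwords are not stored with CCS. secedit exports the
# grant as a comma-separated list of *SID entries in an INF file.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Select-String -Path $inf -Pattern '^SeTcbPrivilege\s*=\s*(.*)$' | Select-Object -First 1
$tcb  = if ($line) { $line.Matches[0].Groups[1].Value } else { '' }
Remove-Item $inf -ErrorAction SilentlyContinue
if ($tcb -notmatch [regex]::Escape("*$($acct.SID.Value)")) {
    $problems += "$AppServerAccount lacks SeTcbPrivilege on $env:COMPUTERNAME (needed unless passwords are stored with CCS)"
}

if ($problems.Count) { $problems | ForEach-Object { Write-Warning $_ } }
else { Write-Host "Constrained delegation for $AppServerAccount is configured for: $($targets -join ', ')" }
```

The script checks the short and long names only for the LDAP SPNs, because the form of the DSS custom SPN is set by the installer; confirm that entry with Expand in the UI or with setspn -L against the DSS service account. The SeTcbPrivilege check reads the local policy of the machine it runs on, so a warning from it is only meaningful when run on the Application Server itself.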