Configuring Constrained Delegation for Kerberos (IIS 6.0)
Constrained delegation, which is new in Windows Server 2003, is intended to be used by service accounts, which should have registered Service Principal Names (SPNs), instead of by a regular user account, which typically does not have an SPN.
The Setspn.exe command-line utility allows you to read, modify, and delete the Service Principal Name (SPN) directory property of an Active Directory service account. Setspn.exe is available in the Support Tools pack located on your Windows Server 2003 CD-ROM.
You must be a member of the Administrators group on the local computer to run scripts and executables. As a security best practice, log on to your computer by using an account that is not in the Administrators group, and then use the runas command to run your script or executable as an administrator. At a command prompt, type runas /profile /User:MyComputer\Administrator cmd to open a command window with administrator rights, and then type cscript.exe ScriptName (include the script's full path and any parameters).
You must be a domain administrator to set an SPN.
To configure constrained delegation
If you register duplicate SPNs accidentally, you can use Setspn.exe to delete the duplicate SPN. For more information about Setspn.exe syntax, see Setspn Syntax.
If you are configuring servers running IIS 6.0 in a Windows 2000 Server domain, you can use either the version of Setspn.exe that comes with Windows Server 2003 or the version that comes with Windows 2000 Server.
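The following batch script is an added example and is not part of the original page or of the IIS documentation set. It shows the Setspn.exe workflow the text describes: listing the SPNs on an IIS application pool identity, registering the HTTP SPNs that Kerberos needs for that account, and removing an accidentally duplicated SPN from the account that should not hold it. The domain CONTOSO, the service account IISAppPoolSvc, and the server names web01 and web01.contoso.com are placeholders, not values from the page. It uses only the -L, -A, and -D switches, which exist in the Windows Server 2003 Support Tools version of Setspn.exe.

```batch
@echo off
rem Added example (not from the original page): register the HTTP SPNs for an
rem IIS 6.0 application pool identity and clean up a duplicate registration.
rem Placeholders (assumed, not from the page): service account IISAppPoolSvc,
rem web server web01 with FQDN web01.contoso.com in the CONTOSO domain.
rem Run this from a command window opened as a domain administrator, e.g.
rem   runas /profile /User:CONTOSO\Administrator cmd
rem Setspn.exe (Windows Server 2003 Support Tools) must be on the PATH.

set SVC=IISAppPoolSvc
set HOST=web01
set FQDN=web01.contoso.com

rem 1. Show what is currently registered for the service account.
echo === SPNs currently registered for %SVC% ===
setspn -L %SVC%

rem 2. Register both the short-name and the FQDN HTTP SPN on the service
rem    account, so Kerberos authentication works whether clients browse to
rem    http://web01 or http://web01.contoso.com.
setspn -A HTTP/%HOST% %SVC%
setspn -A HTTP/%FQDN% %SVC%

rem 3. Also list the computer account. An HTTP SPN that was registered on
rem    the computer object as well as on the service account is a duplicate:
rem    the KDC cannot tell which account owns the service, and clients get
rem    a failure or fall back to NTLM, which silently defeats delegation.
echo === SPNs registered on the computer account %HOST% ===
setspn -L %HOST%

rem 4. Delete the duplicate from the account that should NOT hold it.
rem    Only run this after the listings above confirm the SPN really is
rem    present on both accounts; deleting the only copy breaks Kerberos
rem    for the site.
setspn -D HTTP/%FQDN% %HOST%

rem 5. Re-list both accounts to confirm the final state.
setspn -L %SVC%
setspn -L %HOST%
```

The Windows Server 2003 Setspn.exe adds an SPN with -A without checking whether the same SPN already exists elsewhere in the forest, which is how duplicates arise in the first place; the listing steps before and after each change are the only check that version offers. Later versions of Setspn.exe (Windows Server 2008 and newer) add -S, which refuses to register an SPN that already exists, and -X, which reports existing duplicates forest-wide.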