All you want to know about Kerberos Constrained Delegation (KCD)

Kerberos Constrained Delegation (KCD) is a key technology in our application proxies. It enables single sign-on (SSO) from the cloud to on-prem applications. With it, users can start work in Office 365, click a link to an on-prem app and continue working in that app with no password prompts. If the user is working from an Azure AD Joined machine, she will not be prompted even once!

It is pretty straightforward to configure KCD, but like anything good, KCD can also be complex – especially when your on-prem infrastructure is complicated. To clarify the process and help you troubleshoot the complex scenarios, Mark Grimes from Microsoft Services has written a whitepaper that covers KCD from top to bottom. It includes an introduction to and explanation of the various technologies, step-by-step guides and easy-to-use checklists. It demystifies topics like cross-forest and cross-domain federation and provides you with tools to support your deployment.

You can download the whitepaper from here:


Below are a few excerpts from the document.

First, a checklist to use during initial configuration:


This checklist should be used when things go wrong after the initial configuration:


And here are the supported and unsupported multi-forest configurations:

Comments (3)

  1. Anonymous says:

    Web Application Proxy uses a feature called KCD (Kerberos Constrained Delegation) for SSO with on-premises Active Directory

  2. Boris S. says:

    Thank you for this useful information in the whitepaper.
    In chapter 3.4.3 the example should be checked. I think:
    – first row should be … “-Server
    – second row should be Set-ADUser -Identity besvcacct in case of Identity being the backend service account
    Best regards

  3. Hello there, we are trying to get the resource-based delegation between two domains to work on Windows Server 2012 R2. We are facing some issues and we randomly get:
    216 KRB ERR : KRB5KDC_ERR_BADOPTION NT Status: Unknown error code 0xc0000413

    Any idea if this could be just a bug in the DC on Windows 2012 R2 and that we could make it work on Win Server 2016?
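The cross-domain resource-based KCD setup that the two comments above discuss, as an added example that is not from the post or the whitepaper: the back-end service account (assumed name `besvcacct` in the assumed domain `backend.contoso.com`) is granted delegation from the Web Application Proxy computer account (assumed `WAP01` in `frontend.contoso.com`), and the result is read back and checked for two preconditions that a KDC needs before it will issue the delegated ticket. All names and domains are assumptions.

```powershell
# Added example, not code from the post or the whitepaper. Assumed names:
#   back-end service account : besvcacct  in backend.contoso.com
#   WAP (front-end) computer : WAP01      in frontend.contoso.com
Import-Module ActiveDirectory

$backendDomain = 'backend.contoso.com'
$frontDomain   = 'frontend.contoso.com'

# Resolve the front-end computer in its OWN domain. Without -Server the cmdlet
# searches the local domain only and the cross-domain principal is not found.
$wap = Get-ADComputer -Identity 'WAP01' -Server $frontDomain

# Resource-based KCD is written on the RESOURCE, i.e. the back-end service
# account: its msDS-AllowedToActOnBehalfOfOtherIdentity lists who may delegate to it.
Set-ADUser -Identity 'besvcacct' -Server $backendDomain `
           -PrincipalsAllowedToDelegateToAccount $wap

# Read back what the directory actually stores.
$svc = Get-ADUser -Identity 'besvcacct' -Server $backendDomain `
           -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity', ServicePrincipalNames

# The attribute is a security descriptor; compare SIDs rather than names so that
# a principal from another domain is matched even if its name cannot be translated.
$allowedSids = @()
$sd = $svc.'msDS-AllowedToActOnBehalfOfOtherIdentity'
if ($sd) {
    $allowedSids = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
                   ForEach-Object { $_.IdentityReference.Value }
}

"Principals allowed to delegate to $($svc.SamAccountName): $($allowedSids -join ', ')"

# Two directory-visible preconditions for the delegated ticket request to succeed.
if ($allowedSids -notcontains $wap.SID.Value) {
    Write-Warning "$($wap.Name) ($($wap.SID.Value)) is not in the allowed list on '$($svc.SamAccountName)'."
}
if (-not $svc.ServicePrincipalNames) {
    Write-Warning "'$($svc.SamAccountName)' has no SPN registered, so no service ticket can be issued for the app."
}
```

Run it on a machine with the RSAT AD module and rights in both domains; the two warnings are the checks to clear first before looking further into a KRB5KDC_ERR_BADOPTION response.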
