All you want to know about Kerberos Constrained Delegation (KCD)


Kerberos Constrained Delegation (KCD) is a key technology in our application proxies. It enables single sign-on (SSO) from the cloud to on-prem applications. With it, users can start work in Office 365, click a link to an on-prem app and continue working in that app with no password prompts. If the user is working from an Azure AD joined machine, she will not be prompted even once!

It is pretty straightforward to configure KCD, but like anything good, KCD can also be complex – especially when your on-prem infrastructure is complicated. In order to clarify the process and help you troubleshoot the complex scenarios, Mark Grimes from Microsoft Services has written a whitepaper that covers KCD from top to bottom. It includes an introduction to and explanation of the various technologies, step-by-step guides and easy-to-use checklists. It demystifies topics like cross-forest and cross-domain federation and provides you with tools to support your deployment.

You can download the whitepaper from here: https://aka.ms/KCDPaper


Below are a few excerpts from the document.

First, a checklist to use during initial configuration:


This checklist should be used when things go wrong after the initial configuration:



And here are the supported and unsupported multi-forest configurations:

Comments (2)

  1. Anonymous says:

    In Web Application Proxy, a feature called KCD (Kerberos Constrained Delegation) is used for SSO with on-premises Active Directory

  2. Boris S. says:

    Hi,
    thank you for this useful information in the Whitepaper.
    In chapter 3.4.3 the example should be checked. I think:
    – first row should be … “-Server dc.contoso.com
    – second row should be Set-ADUser -Identity besvcacct in case of Identity being the backend Service account
    Best regards
    Boris
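As an added example that is not from the whitepaper or the original post, the following Active Directory PowerShell shows the two KCD configurations the post and the comment above touch on: classic constrained delegation on the connector's computer account, and the resource-based form that is stored on the backend service account (the cross-domain case, where the comment discusses the `-Server` and `-Identity` values). The names `connector01` (connector computer) and `http/app.contoso.com` (backend SPN) are assumed; `besvcacct` and `dc.contoso.com` are the values quoted in the comment, not verified against chapter 3.4.3.

```powershell
# Added example, not the whitepaper's or the post's own script.
# Assumed names: connector01 (connector computer account), http/app.contoso.com
# (backend application SPN). besvcacct and dc.contoso.com are taken from the comment.
Import-Module ActiveDirectory

$connector  = 'connector01'
$backendSpn = 'http/app.contoso.com'

# 1. Classic constrained delegation: allow the connector's computer account to
#    request service tickets for exactly this one SPN on behalf of users, and
#    enable protocol transition ("use any authentication protocol"), because the
#    user authenticates to the proxy with a token rather than with Kerberos.
Set-ADComputer -Identity $connector -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpn }
Set-ADAccountControl -Identity ($connector + '$') -TrustedToAuthForDelegation $true

# 2. Check what was actually written. The delegation list should contain only the
#    intended SPN; anything broader widens what a compromised connector could reach.
Get-ADComputer -Identity $connector -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# 3. Cross-domain variant (resource-based constrained delegation): the permission
#    lives on the backend service account in its own domain, so the write goes to a
#    DC of that domain and names the connector account as the allowed principal.
$connectorAccount = Get-ADComputer -Identity $connector
Set-ADUser -Identity 'besvcacct' -Server 'dc.contoso.com' `
    -PrincipalsAllowedToDelegateToAccount $connectorAccount

# 4. Verify the resource-based setting from the backend side.
Get-ADUser -Identity 'besvcacct' -Server 'dc.contoso.com' -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount
```

The two read-back commands are the ones worth keeping in a troubleshooting runbook: when SSO stops working after a change, comparing `msDS-AllowedToDelegateTo` and `PrincipalsAllowedToDelegateToAccount` against the intended values is faster than re-reading the whole configuration, and it also surfaces delegation entries that nobody remembers adding.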
