SharePoint Kerberos Constrained Delegation across domains in a Single Forest

You could be in a situation where you are setting up
Kerberos constrained delegation in multiple domains in a single forest
environment, but it seems did not work well, the client credential could not be
delegated to back-end data source from which you would like to pull the data
from for your business intelligence application such as excel services, visio
graphic services, PerformancePoint services or InfoPath services.

We can delegate user’s credential whose account reside in
user domain to sharepoint application and back-end data source which reside in
the other domain within a single forest. The important fact on this is the

For step-by-step instructions on how to do this, there is a
Microsoft technet documentation which explains this in a very detail instructions,
you can find the document in the following link

I’ve got user in nortwind domain who accessed the sharepoint
and external data in contoso domain using excel service application.

Here’s basically the excel service application which opened
and rendered data successfully. You have to do
data refresh to prove that kerberos delegation is working for you


I could see the user’s credential being delegated to
back-end data source.



The following screen is the error that you might get when you
try to do data refresh and Kerberos constrained delegation has not been setup



SharePoint Kerberos Constrained Delegation across domains in a Single Forest.docx

Comments (1)

  1. BlueSky2010 says:

    Windows Server 2012 Domain Controllers overcomes this issue. Excerpt from this Technet article for anyone interested.

    "In Windows Server 2012, the new resource-based Kerberos constrained delegation can be used to provide constrained delegation when the front-end services and the resource services are not in the same domain."


Skip to main content