If your site publish rule uses Kerberos Constrained Delegation for authentication delegation, complete the following steps:
1. Create an AD user.
For example, create the user http-delegator.
2. To generate a Service Principal Name (SPN) for the AD user, open a Windows command prompt and enter the following SetSPN command:
setspn -A host/<service_name>.<domain> <login_domain>\<ad_user_name>
where:
<service_name> is the name of the service to register
<domain> is the appropriate domain
<login_domain> is the domain used with the logon name
<ad_user_name> is the AD user name
For example: setspn -A host/forti-delegator.dc1.com DC1\http-delegator
You cannot access the delegation settings for a user until it has an SPN.
3. In the properties for the AD user, on the Delegation tab, select Trust this user for delegation to specified services only, and then select Use any authentication protocol.
4. Click Add, and then click Users or Computers to open the Select Users or Computers dialog box.
5. For Enter the object names to select, enter the name of the computer where the web service resides.
You can use the hostname command to retrieve the computer name.
6. Click OK, and then, in the Add Services dialog box, in the list of available services, select the http item.
7. Click OK.
8. Click OK to close the AD user properties.
9. Use the Ktpass utility to extract a keytab file for the AD user.
Ensure that you generate the keytab file using the SPN you generated for the AD user in step 2.
For complete information about Ktpass, go to the following location:
http://technet.microsoft.com/en-us/library/cc779157(v=ws.10).aspx
Ktpass outputs the extracted keytab file to the directory of the current user.
For example:
C:\Users\Administrator\test.keytab
10. To upload the keytab file, go to Application Delivery > Site Publish > Keytab File.
11. Click Create New and enter a name to use for the file in the web UI.
12. Click Choose File and then browse to the file to select it, and then click OK to complete the upload.
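
The following PowerShell script is an added example, not part of the original procedure or the vendor's tooling. It checks the result of steps 2 through 8 and then runs the Ktpass extraction from step 9, using the example names from this page. The realm DC1.COM, the keytab path, and the /crypto value are assumptions, and the script requires the ActiveDirectory module (RSAT).

```powershell
# Added example. Values below come from the examples on this page unless marked.
$User    = 'http-delegator'                  # AD user created in step 1
$Spn     = 'host/forti-delegator.dc1.com'    # SPN registered in step 2
$Domain  = 'DC1'                             # logon domain from the step 2 example
$Realm   = 'DC1.COM'                         # assumption: Kerberos realm of dc1.com
$Keytab  = Join-Path $env:USERPROFILE 'test.keytab'   # assumption: output path

Import-Module ActiveDirectory

# Step 2 check: show which account owns the SPN. An SPN registered on more
# than one account breaks Kerberos ticket requests for that service.
setspn -Q $Spn

$props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo',
         'TrustedToAuthForDelegation', 'TrustedForDelegation'
$u = Get-ADUser -Identity $User -Properties $props

if ($u.servicePrincipalName -notcontains $Spn) {
    throw "SPN $Spn is not registered on $User (step 2)."
}

# Step 3 check: delegation must be constrained ("specified services only"),
# with protocol transition ("Use any authentication protocol") enabled.
if ($u.TrustedForDelegation) {
    throw "$User is trusted for unconstrained delegation; select 'specified services only'."
}
if (-not $u.TrustedToAuthForDelegation) {
    throw "'Use any authentication protocol' is not selected for $User (step 3)."
}

# Steps 4-7 check: at least one http service must be in the allowed list.
$targets = @($u.'msDS-AllowedToDelegateTo' | Where-Object { $_ -like 'http/*' })
if ($targets.Count -eq 0) {
    throw "No http service is listed for delegation on $User (steps 4-7)."
}
$targets | ForEach-Object { "Delegation allowed to: $_" }

# Step 9: extract the keytab for the SPN from step 2.
# '/pass *' prompts for the password; by default Ktpass sets the account
# password to the value entered. The /crypto value is an assumption and must
# match an encryption type enabled on the account and accepted by the device.
ktpass /princ "$Spn@$Realm" /mapuser "$Domain\$User" /pass * `
       /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /out $Keytab

# The keytab contains the account's long-term key: restrict access to it and
# delete the local copy after the upload in steps 10-12.
"Keytab written to $Keytab"
```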