Article ID: 936628
When you try to configure constrained delegation on a computer that is running Microsoft Windows Server 2003, the service principal name (SPN) does not appear in the list of services that can be delegated to an account.
This problem occurs because the Add Services dialog box requires that the service principal name is validated before it is displayed to the administrator. However, the validation process is unsuccessful when a service principal name uses a name string as an instance identifier.
Note A name string may be used to identify a unique application instance or a unique service instance among multiple instances that are running on the same server.
Service principal names that use a port number are not affected.
To work around this problem, manually edit the msDS-AllowedToDelegateTo attribute in the Active Directory directory service to specify the service principal name.
For example, consider the following scenario:
Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
Service principal names have one of the following formats:

Service/Instance
In this format, Service specifies the application or the service that is associated with the service principal name. Instance specifies the server on which the application or service is installed.

Service/Instance:Port
In this format, the instance is better identified by appending a port number to the server name. This format lets you install multiple application instances or multiple service instances on a server. Each instance can run under a different set of credentials.

Service/Instance:Name
In this format, name strings are used instead of port numbers. You can use this format when an application supports named instances. One such application is SQL Server 2005 Analysis Services. This application constructs a service principal name that resembles the following:
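As an added example that is not part of this article, the following PowerShell function performs the workaround described above through the ADSI interface: it appends a Service/Instance:Name service principal name to the msDS-AllowedToDelegateTo attribute of the delegating account without overwriting the delegation targets that are already there. The account distinguished name and the SPN in the usage line are placeholders.

```powershell
function Add-AllowedToDelegateTo {
    # Adds one SPN to msDS-AllowedToDelegateTo on the account that delegates.
    # Bypasses the Add Services dialog, which cannot validate Service/Instance:Name SPNs.
    param(
        [Parameter(Mandatory = $true)][string]$AccountDN,   # DN of the delegating account
        [Parameter(Mandatory = $true)][string]$TargetSpn    # SPN in Service/Instance[:Port|:Name] form
    )

    # Basic shape check so that a typo is caught before the directory is modified:
    # a service class, a slash, an instance (host) name, and an optional :Port or :Name suffix.
    if ($TargetSpn -notmatch '^[^/:\s]+/[^/:\s]+(:[^/\s]+)?$') {
        throw "Not a valid SPN format (expected Service/Instance, Service/Instance:Port or Service/Instance:Name): $TargetSpn"
    }

    $account = [ADSI]"LDAP://$AccountDN"
    $existing = @($account.Properties['msDS-AllowedToDelegateTo'])

    if ($existing -contains $TargetSpn) {
        Write-Verbose "SPN '$TargetSpn' is already present on $AccountDN; nothing to change."
        return $existing
    }

    # Append rather than replace, so other delegation targets on the account survive the edit.
    [void]$account.Properties['msDS-AllowedToDelegateTo'].Add($TargetSpn)
    $account.CommitChanges()

    # Re-read the attribute from the directory and return what is now stored.
    $account.RefreshCache(@('msDS-AllowedToDelegateTo'))
    return @($account.Properties['msDS-AllowedToDelegateTo'])
}

# Placeholder values (constructed for this example): replace with the real account DN
# and the named-instance SPN that the Add Services dialog refused to list.
$accountDN = 'CN=WEBSRV01,OU=Servers,DC=contoso,DC=com'
$targetSpn = 'MyService/appserver.contoso.com:Instance01'

Add-AllowedToDelegateTo -AccountDN $accountDN -TargetSpn $targetSpn -Verbose
```

Run it with an account that has write access to the delegating object; the Delegation tab reads the same attribute, so the entry is visible there afterwards.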
Article ID: 936628 - Last Review: October 11, 2007 - Revision: 1.3