Configure Windows Server 2022 to be trusted for delegation

In Windows Server, delegation is basically used when an account needs to impersonate another user. We can easily understood it with a real-time example like front-end webservers can impersonate users when accessing backend databases and provides seamless access to data users are allowed to view or edit. Windows Server Active Directory (AD) provides delegation for scenarios like this. In this guide, we’ll see how to configure Windows Server 2022 to be trusted for delegation.

So basically when you convert the local server into functional server, that server will be trusted for delegation using Kerberos protocol. However, you can always change this setting as per your requirement. Additionally, you can apply a new setting for the new servers/computers you add to the AD. On the newly released Windows Server 2022, you can configure different levels of delegation:

No delegation (default)
Unconstrained delegation*
Constrained delegation (Use Kerberos Only Protocols)
Constrained delegation (Use any authentication protocol)*

In above list, * marked levels are not recommended for practice.

The Kerberos delegation can be used to enable an application to access resources hosted on a different server. With Server 2022 or later, we’ve resource-based constrained delegation that improves on the constrained delegation model by removing the dependency on SPNs, the need for domain admin rights, allows the resource owner to control delegation, and provides for cross-domain delegation. It works on computer accounts, user accounts, and service accounts.

Let us see how to configure Windows Server 2022 to be trusted for delegation.