Follow the steps below to create the trusted user in the Active Directory settings.

  1. Log in to your Domain Controller.
  2. Launch Active Directory Users and Computers.

  3. Click View and click Advanced Features.
  4. Create a new user as shown below.

  5. Set the password to never expire.
  6. Select the Attribute Editor tab.
  7. Navigate to servicePrincipalName.

  8. Select servicePrincipalName and click Edit.

  9. Type http/trusteduser in the Value to add field and click Add.
  10. Click Apply and then OK. The properties window must be closed and reopened before the new Delegation tab appears.
  11. Open the user properties window again; the Delegation tab is now available.

  12. Select the Delegation tab.

  13. Select Trust this user for delegation to specified services only.
  14. Select Use any authentication protocol.

  15. Add the Real Servers and specify http as the service. For SharePoint apps, you might have to add the namespace published by SharePoint instead of the actual server FQDNs to enable KCD.
  16. Click Advanced.

  17. Find the servers by name.
  18. Select the Expanded check box.

  19. You can see all servers with both the host name and the FQDN.
      Note: If you have a SharePoint environment that uses distributed namespaces, you must register these namespaces instead of the actual servers hosting the content.
  20. For SharePoint, the settings may need to be configured as outlined in the above screenshot.
Note: The trusted user account must be a member of the Windows Authorization Access Group. This is required to properly determine a user’s group membership and therefore effective permissions over a resource. If a trusted user account is not a member of the Windows Authorization Access Group, the KCD authentication protocol will not confirm the identity of the trusted users who are attempting to access resources on a network.
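The same account can be created and checked with the ActiveDirectory PowerShell module, which makes the delegation settings auditable rather than hidden in a dialog. This is an added example, not part of the original page; the domain, OU and Real Server names are assumptions, and it must be run as an account that can create users and edit delegation attributes.

```powershell
# Added example: GUI steps above expressed as ActiveDirectory module cmdlets.
# Assumed values: domain example.local, OU "Service Accounts", target servers
# web01/web02 and a SharePoint namespace portal.example.local.
Import-Module ActiveDirectory

$UserName = 'trusteduser'                                   # matches SPN http/trusteduser (step 9)
$Domain   = 'example.local'                                 # assumption
$OU       = 'OU=Service Accounts,DC=example,DC=local'       # assumption
$Password = Read-Host -AsSecureString 'Password for trusted user'
# Real Servers (step 15); for SharePoint use the published namespace (step 19 note)
$Targets  = @('web01.example.local', 'web02.example.local', 'portal.example.local')  # assumptions

# Steps 4-5: create the account with a password that never expires
New-ADUser -Name $UserName -SamAccountName $UserName `
    -UserPrincipalName "$UserName@$Domain" -Path $OU `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true

# Steps 7-9: register the SPN; without it the Delegation tab never appears in ADUC
Set-ADUser -Identity $UserName -ServicePrincipalNames @{Add = "http/$UserName"}

# Steps 13-15: "specified services only" is the msDS-AllowedToDelegateTo list;
# "Use any authentication protocol" (step 14) is the TrustedToAuthForDelegation
# flag (protocol transition). The GUI adds both FQDN and short-name SPNs (step 19).
$Spns = foreach ($t in $Targets) { "http/$t"; "http/$($t.Split('.')[0])" }
Set-ADUser -Identity $UserName -Add @{'msDS-AllowedToDelegateTo' = $Spns}
Set-ADAccountControl -Identity $UserName -TrustedToAuthForDelegation $true

# Final note: membership lets the account read token-groups to resolve the
# impersonated user's group membership and effective permissions
Add-ADGroupMember -Identity 'Windows Authorization Access Group' -Members $UserName

# Verification: the values the Attribute Editor and Delegation tab should show
Get-ADUser -Identity $UserName -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo',
    TrustedToAuthForDelegation, PasswordNeverExpires, MemberOf |
    Select-Object SamAccountName, PasswordNeverExpires, TrustedToAuthForDelegation,
        servicePrincipalName, 'msDS-AllowedToDelegateTo', MemberOf
```

Restrict the msDS-AllowedToDelegateTo list to exactly the http SPNs the load balancer needs; every extra entry widens what this account can impersonate users to.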