Kerberos Constrained Delegation (KCD) is a key technology in our application proxies. It enables single-sign-on (SSO) from the cloud to on-prem applications. With it, users can start work on Office 365, click on a link to on-prem app and continue working on this app with no password prompts. If the user is working from Azure AD Joined machine, she will not be prompted even once!
It is pretty straight forward to configure KCD but as anything good, KCD can also be complex – especially when your on-prem infrastructure is complicated. In order clarify the process and help you troubleshoot the complex scenarios, Mark Grimes from Microsoft Services have written a whitepaper that covers KCD from top to bottom. It includes introduction and explanation on the various technologies, step-by-step guides and easy to use checklists. It demystify topics like cross-forest and cross-domain federation and provide you tools to support your deployment.
You can download the whitepaper from here: http://aka.ms/KCDPaper
Below are few excerpts from the document.
First, a checklist to use during initial configuration:
This checklist should be used when things go wrong after the initial configuration:
And here are the supported and unsupported multi-forest configurations:
