Configure Kerberos Delegation (Optional)
If either of these scenarios is true in your environment, you will need to configure Kerberos delegation to the AnyCAGateway DCOM from the Keyfactor Command server hosting the Keyfactor Command Management Portal:
- You wish to use the option in Keyfactor Command to allow management interactions with the Keyfactor Command via Keyfactor Command (e.g. certificate approval or revocation) to be done in the context of the user authenticated to Keyfactor Command rather than in the context of the Keyfactor Command service account under which the application pool is running.
- You wish to use the option in Keyfactor Command to allow enrollment requests to the Keyfactor Command via Keyfactor Command to be done in the context of the user authenticated to Keyfactor Command rather than in the context of the user configured in Keyfactor Command with the Use Explicit Credentials option.
Configuring Kerberos delegation in Active Directory allows the user’s Kerberos credentials to be delegated from the Keyfactor Command server to the AnyCAGateway DCOM to allow the Keyfactor Command server to act on behalf of the user.
If you've opted to run the gateway service as an Active Directory service account, see Configure Delegation When Running the Gateway Service as an Active Directory Service Account for information on configuring delegation.