I was publishing a SharePoint 2010 site with the Azure Application Proxy server.
I asked the SharePoint team to make the required changes on the SharePoint side. We completed the configuration and the site was accessible from outside, but when we enabled single sign-on with WIA by setting up the SPN, we got an error:
“Incorrect Kerberos constrained delegation configuration in your on-premises Active Directory.”
This error occurs when the SPN is misconfigured.
Solution:
Check the SPN configuration with the commands below.
setspn -Q HTTP/portal.domain.com
setspn -L "domain\Service account"
Check the events on the App Proxy server.
We found some events related to delegation. We checked the App Proxy server's computer object in AD and opened the Delegation tab, and we found that no SPN had been added.
In AD Users and Computers, navigate to the OU that contains the server on which you installed the Application Proxy Connector. Once you locate that computer entry, right-click it and select Properties. In the Properties dialog, click the Delegation tab.
You need to add the SPN there, as in the image below.
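The two checks above (that the SPN is registered, and that the connector's computer object is allowed to delegate to it) can also be done from PowerShell. This is an added example, not part of the original post; it assumes the RSAT ActiveDirectory module, and `APPPROXY01` and the service-account DN are placeholders.

```powershell
# Added example (not from the original post). Needs the RSAT ActiveDirectory module.
# 'APPPROXY01' is a placeholder connector server name; the SPN is the one used above.

function Test-KcdDelegation {
    param(
        [string]   $Spn,                  # SPN of the published application
        [string[]] $SpnOwners,            # DNs of every account holding $Spn
        [string[]] $AllowedToDelegateTo   # connector's msDS-AllowedToDelegateTo values
    )
    if ($SpnOwners.Count -eq 0) {
        "SPN $Spn is not registered on any account (setspn -Q returns nothing)."
    }
    if ($SpnOwners.Count -gt 1) {
        # A duplicate SPN makes Kerberos ticket requests for the service fail.
        "SPN $Spn is duplicated on: $($SpnOwners -join '; ')"
    }
    if ($AllowedToDelegateTo -notcontains $Spn) {
        "Connector computer object has no delegation entry for $Spn (Delegation tab)."
    }
}

function Get-KcdFindings {
    param([string]$Spn, [string]$ConnectorName)
    Import-Module ActiveDirectory
    # Same lookup as 'setspn -Q': every object that carries this SPN.
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$Spn'" |
                ForEach-Object DistinguishedName)
    # The Delegation tab's service list is stored in msDS-AllowedToDelegateTo.
    $connector = Get-ADComputer -Identity $ConnectorName -Properties 'msDS-AllowedToDelegateTo'
    Test-KcdDelegation -Spn $Spn -SpnOwners $owners `
        -AllowedToDelegateTo @($connector.'msDS-AllowedToDelegateTo')
}

# Constructed sample reproducing the state described in this post:
# the SPN exists on one service account, but the connector's delegation list is empty.
Test-KcdDelegation -Spn 'HTTP/portal.domain.com' `
    -SpnOwners 'CN=svc-sharepoint,OU=Service Accounts,DC=domain,DC=com' `
    -AllowedToDelegateTo @()

# Against a live domain (placeholder connector name):
# Get-KcdFindings -Spn 'HTTP/portal.domain.com' -ConnectorName 'APPPROXY01'
```

No output from `Get-KcdFindings` means both checks passed; each line it prints names one misconfiguration to fix.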
This is how I resolved my issue. Please share your thoughts and how you resolved it.