Policy

Enable Delegated Managed Service Account logons

This policy setting enables or disables delegated managed service account logons for this machine. If you enable this policy setting, delegated managed service account logons will be supported by the Kerberos client. Note that this policy has certain prerequisites. The prerequisites and the directions to create a new delegated managed service account can be found at https://go.microsoft.com/fwlink/?linkid=2250379. If you disable or do not configure this policy setting, delegated managed service account logons will not be supported.

Policy
Pack: Microsoft Windows
Category: System / Kerberos
Policy ID: ad7632f4067b
Internal name: DelegatedMSAEnabled

Registry

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\DelegatedMSAEnabled (enabled) = 1
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\DelegatedMSAEnabled (disabled) = 0
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\DmsaRealms
