SteelHead™ Deployment Guide - Protocols : RiOS Version Compatibility with Domains and Domain Relationships : Configuring Constrained Delegation for Delegation Mode
  
Configuring Constrained Delegation for Delegation Mode
When you use Delegation mode to optimize SMB signed or encrypted MAPI traffic, additional configuration (beyond joining the server-side SteelHead to a domain) is required because Delegation mode uses the Active Directory constrained delegation feature. Configuration is required on both the server-side SteelHead and in the Windows domain that it joins, as well as in any other Windows domain in which there are servers you want optimized by the same server-side SteelHead.
Constrained delegation is an Active Directory feature that allows configured services to obtain security related information for a user. Configuring constrained delegation requires the creation of a special delegate user account in the Windows domain. The account allows the delegate user the privilege of obtaining security information for use with specific applications (like CIFS and MAPI), and then configuring the delegate user credentials on the server-side SteelHead.
For instructions on the SteelHead and Windows domain configuration for constrained delegation, see the SteelHead Management Console User’s Guide.
In RiOS v7.0 or later, any new delegation user account you add to the SteelHead configuration is automatically saved in the secure vault.
In RiOS v7.0 or later, the secure vault is locked on a new SteelHead. The secure vault is also locked on a SteelHead that is upgraded to RiOS v7.0 or later. You must unlock the secure vault to view, add, remove, or edit any delegate user configuration details that are stored on the SteelHeads.
In RiOS v6.5, the delegate user details are stored in an obscured form within the general SteelHead configuration database. When upgrading from RiOS v6.5 to v7.0 or later, any preexisting delegate user account information is not automatically moved to the secure vault. Instead, you must use the following CLI command to manually migrate the information:
protocol domain-auth migrate
Use the following command to confirm whether the credentials have been migrated:
show protocol domain-auth credentials location