I cannot find any definitive guide on configuring a Managed Service Account for KCD. Is it even possible? In articles I have read online, several conflicting values for the userAccountControl were referenced, along with adding SPNs to the msDS-AllowedToDelegateTo attribute.
Once I created an SPN for the MSA, adjusted the userAccountControl value, and populated the msDS-AllowedToDelegateTo attribute with the proper SPNs, I configured an AppPool to run as this account. The AppPool will die as soon as site access is attempted. If I open the site settings and test the connection to the site path and appPool, it logs an "invalid username or password" entry.
I verified the MSA creation/installation (password/credential) is OK by configuring a service to utilize the account on the system where it is installed. Service runs fine, starts and stops fine, no failures.
In summary:
Are MSAs supported in a KCD configuration? (Yes or No)
How EXACTLY do I configure the MSA? (userAccountControl value, msDS-AllowedToDelegateTo, etc.)
I've already checked out the most common articles from "the Google" search...
Thanks in advance - mark
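
The attributes named in the question can be read back and checked for consistency. The following is an added example, not part of the original post: it decodes a userAccountControl value into its documented delegation-related bits and classifies the delegation mode from userAccountControl, servicePrincipalName and msDS-AllowedToDelegateTo. The account records, host names and function names are constructed for illustration.

```python
# Added example: audit the delegation-related attributes of an account record.
# Bit values are the documented userAccountControl flags; SAMPLES is constructed data.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",              # unconstrained delegation
    0x100000: "NOT_DELEGATED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",    # protocol transition
}

def decode_uac(value):
    """Return (names of known flags set, remaining bits not in UAC_FLAGS)."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    return names, value & ~sum(UAC_FLAGS)

def delegation_state(attrs):
    """Classify delegation mode and list inconsistencies between the attributes."""
    names, _ = decode_uac(int(attrs.get("userAccountControl", 0)))
    targets = attrs.get("msDS-AllowedToDelegateTo") or []
    spns = attrs.get("servicePrincipalName") or []
    t2a4d = "TRUSTED_TO_AUTH_FOR_DELEGATION" in names
    findings = []
    if "TRUSTED_FOR_DELEGATION" in names:
        mode = "unconstrained"
        if targets:
            findings.append("msDS-AllowedToDelegateTo populated but "
                            "TRUSTED_FOR_DELEGATION (unconstrained) is also set")
    elif targets:
        mode = "constrained-any-protocol" if t2a4d else "constrained-kerberos-only"
    else:
        mode = "none"
        if t2a4d:
            findings.append("TRUSTED_TO_AUTH_FOR_DELEGATION set but "
                            "msDS-AllowedToDelegateTo is empty")
    if mode != "none" and not spns:
        findings.append("no servicePrincipalName on the delegating account")
    if "ACCOUNTDISABLE" in names:
        findings.append("account is disabled")
    return mode, findings

SAMPLES = {  # constructed records, shaped like LDAP attribute dictionaries
    "msa-default": {"userAccountControl": 4096},
    "msa-kcd": {"userAccountControl": 4096 + 16777216,
                "servicePrincipalName": ["http/web01.example.test"],
                "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.example.test:1433"]},
    "msa-flag-only": {"userAccountControl": 4096 + 16777216},
    "msa-no-spn": {"userAccountControl": 4096,
                   "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.example.test:1433"]},
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        print(name, decode_uac(rec["userAccountControl"])[0], delegation_state(rec))
```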