The error “The computer must be trusted for delegation and the current user account must be configured to allow delegation” occurs because of how Windows handles Kerberos delegation and authentication over VPNs. Specifically, the domain user hasn’t yet properly authenticated against the domain controller (DC).
Why This Happens
- Initial Authentication Issue:
  - When a domain user logs into a computer for the first time, their profile is created, and they authenticate to the DC.
  - Over a VPN, this initial authentication may fail if the computer cannot directly communicate with the DC.
- Kerberos Delegation:
  - The error indicates that Kerberos delegation isn’t configured for the computer or the user, and delegation might be required to establish the VPN connection or authenticate services.
Steps to Resolve
**Be careful when using Registry Editor as you can corrupt your system.**
- Press Start, type regedit.exe, and press Enter to open Registry Editor.
- Go to HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb
- Right-click and select New -> DWORD (32-bit) Value
- Name the DWORD “ProtectionPolicy”
- Right-click and select Modify…
- Enter 1 as the value data and press OK to save.
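
The same change as the Registry Editor steps above, written as an added PowerShell example (not part of the original page) that records the value before and after so the change can be audited and reverted. The function name `Set-ProtectionPolicy` is an assumption made for this example; the key path, value name and value data are the ones given in the steps.

```powershell
# Added example: scripted form of the Registry Editor steps, with a before/after record.
# Run from an elevated PowerShell session. The function name is illustrative.
function Set-ProtectionPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$Value = 1   # value data from the steps above
    )

    $path = 'HKLM:\Software\Microsoft\Cryptography\Protect\Providers\df9d8cd0-1501-11d1-8c7a-00c04fc297eb'
    $name = 'ProtectionPolicy'

    # Record the state before the change so it can be reverted later.
    $before = $null
    if (Test-Path -Path $path) {
        $prop = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $prop) { $before = $prop.$name }
    }

    if ($before -eq $Value) {
        Write-Verbose "$name is already $Value; nothing to do."
    }
    elseif ($PSCmdlet.ShouldProcess("$path\$name", "Set DWORD to $Value")) {
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        # New-ItemProperty -Force creates the value or overwrites an existing one.
        New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
    }

    # Read the value back rather than trusting the write.
    $after = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name

    # Emit one record per machine for the change log.
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Path         = $path
        Name         = $name
        Before       = if ($null -eq $before) { '<not set>' } else { $before }
        After        = if ($null -eq $after)  { '<not set>' } else { $after }
        Timestamp    = (Get-Date).ToString('s')
    }
}

Set-ProtectionPolicy -WhatIf   # preview only; remove -WhatIf to apply the change
```

Keep the emitted record with the change ticket: the `Before` field is what to restore if the setting needs to be rolled back.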