How to configure Kerberos Constrained Delegation for Remote Desktop Services Single Sign On?

Neville 26 Reputation points
2023-07-07T13:56:43.93+00:00

Let me first tell you about our setup. We have the following at our client system.

2 servers with the Gateway/Broker/RDWeb/RD Licensing/Application Proxy services (RDG01.domain.local and RDG02.domain.local)

4 servers with the Session Host role (RDH01.domain.local, RDH02.domain.local, RDH03.domain.local and RDH04.domain.local)

2 user profile servers using FSLogix (RFS01.domain.local and RFS02.domain.local)

1 server with SQL Express for RD Broker HA (RSQL01.domain.local)

The client system is in hybrid mode. The local domain is domain.local and the Office 365 domain is externaldomain.co.uk.

The gateway name in the RDS configuration is rdsgatway.externaldomain.co.uk and the broker name is rdsbroker.externaldomain.co.uk.

We need to understand how to set up Kerberos Constrained Delegation for RDS. We have a service account named svc-iisappproxy. We need to know the SPNs required for this account and how to go about Kerberos Constrained Delegation so that we achieve SSO for RDS. We intend to use the normal RDWeb via Edge in IE mode. We haven't done much with the HTML5 URL except for configuration. At the moment we have a working setup that opens the application from the normal RD Web and works with SSO if we disable Credential Guard. But if we enable Credential Guard we get a Windows login popup for rdsbroker.externaldomain.co.uk. We have found out that the way to get around this is to configure Resource-based Kerberos Delegation or Kerberos Constrained Delegation.

What we have tried so far

  1. Service account with the SPNs HTTP/rdsgatway.externaldomain.co.uk, TERMSRV/rdsgatway.externaldomain.co.uk and HTTP/rdsbroker.externaldomain.co.uk.
  2. Kerberos Delegation was set on the svc_iisappproxy account, adding HTTP and TERMSRV for both Gateway servers (RDG01.domain.local and RDG02.domain.local). We tried "Use any authentication protocol" and "Use Kerberos only".
  3. Kerberos Delegation on both Gateway servers (RDG01.domain.local and RDG02.domain.local), adding the svc-iisappproxy account in the Delegation tab with the SPNs created above (HTTP/rdsgatway.externaldomain.co.uk, TERMSRV/rdsgatway.externaldomain.co.uk and HTTP/rdsbroker.externaldomain.co.uk). We tried "Use any authentication protocol" and "Use Kerberos only".
  4. Service account added to the RDWeb application pool. This gives us SSO on the web: when we open the normal RD Web in Edge in IE mode, we can straight away see the RemoteApps. But when we click on any app we get a prompt for a password, and then the app opens. We want to get rid of this Windows login prompt.

We need specific instructions for our environment. Please, if anyone can help us, I'm happy to give more details.
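As an added example (not part of the original question and not a Microsoft-published procedure), the following PowerShell shows the mechanics behind attempts 1 and 2 above: registering the listed SPNs without creating duplicates, setting account-based constrained delegation on svc-iisappproxy, the resource-based alternative on the gateway computer accounts, and reading back what AD actually holds. The hop modelled (RDWeb app pool identity svc-iisappproxy delegating to the gateway SPNs) and the "Kerberos only" setting are assumptions taken from the question, not a verified design for Credential Guard.

```powershell
# Added example: SPN registration, constrained delegation and verification
# for the names in the question. The front end / back end pairing is an
# assumption (svc-iisappproxy -> gateway SPNs); adjust to your RDS topology.
Import-Module ActiveDirectory

$svc      = 'svc-iisappproxy'
$gateways = 'RDG01', 'RDG02'          # computer accounts (sAMAccountName without $)
$spns     = 'HTTP/rdsgatway.externaldomain.co.uk',
            'TERMSRV/rdsgatway.externaldomain.co.uk',
            'HTTP/rdsbroker.externaldomain.co.uk'

# 1. Register the SPNs. setspn -S refuses to create a duplicate, which matters:
#    an SPN held by two accounts makes the KDC encrypt tickets for the wrong
#    account, and clients silently fall back to NTLM or get a credential prompt.
foreach ($spn in $spns) { setspn -S $spn $svc | Out-Null }
setspn -X          # forest-wide duplicate check; expect "0 groups of duplicate SPNs"

# 2. Account-based KCD on the front end: svc-iisappproxy may request service
#    tickets on behalf of users only for the SPNs listed here.
#    TrustedToAuthForDelegation $false = "Use Kerberos only";
#    $true = "Use any authentication protocol" (protocol transition).
Set-ADUser -Identity $svc -Replace @{ 'msDS-AllowedToDelegateTo' = $spns }
Set-ADAccountControl -Identity $svc -TrustedToAuthForDelegation $false

# 3. Resource-based KCD alternative: the permission lives on the back end and
#    names who may delegate *to* it. Use one model per hop, not both, so that
#    troubleshooting with klist / event 4769 stays unambiguous.
$frontEnd = Get-ADUser $svc
foreach ($gw in $gateways) {
    Set-ADComputer -Identity $gw -PrincipalsAllowedToDelegateToAccount $frontEnd
}

# 4. Verify before testing a logon: the SPN list, the delegation targets and
#    the delegation flag on the service account, and the RBKCD ACL on each gateway.
Get-ADUser $svc -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object Name, servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
foreach ($gw in $gateways) {
    Get-ADComputer $gw -Properties PrincipalsAllowedToDelegateToAccount |
        Select-Object Name, PrincipalsAllowedToDelegateToAccount
}
```

Run it from an account that can write the service account and gateway computer objects; the verification block at the end is the part worth running on its own whenever a prompt reappears, since a silent NTLM fallback usually traces back to a missing or duplicated SPN.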
