Kerb-003 Service accounts and hosts prerequisites
We now need to define all the accounts and hosts that users will use to access the different resources. This must be done before publishing all the SPNs and delegations.
Remember at this step that Kerberos requires each resource to have only one service publication, owned by one service domain user (or computer).
For example, you must create 2 different hosts for HTTP access to 2 web applications hosted on the same server if they are owned by 2 different users (such as the SharePoint and IIS datapump sites in our configuration).
Moreover, there are 2 technical prerequisites to keep in mind before creating any host or service user in your Active Directory.
The first prerequisite is that all your BI hosts MUST be of serviceDNSNameType A (and not a CNAME alias), because Kerberos only permits the use of hosts.
Please refer to http://technet.microsoft.com/en-us/library/cc755804(WS.10).aspx
The second prerequisite is that all the service users that will be used in your environment must have the property userAccountControl = 16843264 (in decimal).
userAccountControl is a property of the account that can be changed through the adsiedit console. This property means that users can delegate resources.
Please refer to this excellent blog to understand this point:
http://blogs.technet.com/ad/archive/2008/05/09/trusted-for-delegation-in-services-for-user-s4u.aspx
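
Added example, not part of the original post: 16843264 is 0x1010200, which is the combination of NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD and TRUSTED_TO_AUTH_FOR_DELEGATION. The Python code below decodes the bitmask using the documented userAccountControl flag values and audits a constructed inventory against the required value; the account names and their values are hypothetical.

```python
# Added example (not from the original post): decode userAccountControl bits.
# Flag values are the documented Active Directory UAC constants (subset).
UAC_FLAGS = {
    0x0000002: "ACCOUNTDISABLE",
    0x0000020: "PASSWD_NOTREQD",
    0x0000200: "NORMAL_ACCOUNT",
    0x0001000: "WORKSTATION_TRUST_ACCOUNT",
    0x0010000: "DONT_EXPIRE_PASSWORD",
    0x0080000: "TRUSTED_FOR_DELEGATION",
    0x0100000: "NOT_DELEGATED",
    0x0400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
EXPECTED = 16843264  # value the post requires for every service user


def decode_uac(value):
    """Return (flag names set in value, leftover bits not in UAC_FLAGS)."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # keys are distinct bits, so sum == OR
    return names, unknown


def audit(accounts):
    """Compare each account's UAC with EXPECTED; return {name: [findings]}."""
    want, _ = decode_uac(EXPECTED)
    report = {}
    for name, uac in accounts.items():
        have, unknown = decode_uac(uac)
        findings = [f"missing {f}" for f in want if f not in have]
        findings += [f"unexpected {f}" for f in have if f not in want]
        if unknown:
            findings.append(f"undecoded bits {unknown:#x}")
        if findings:
            report[name] = findings
    return report


# Constructed sample inventory (hypothetical account names and values).
SAMPLE = {
    "svc_sharepoint": 16843264,          # matches the required value
    "svc_datapump": 66048,               # delegation bit never set
    "svc_legacy": 16843264 | 0x80000,    # also trusted for unconstrained delegation
    "svc_blocked": 16843264 | 0x100000,  # "sensitive and cannot be delegated"
}

if __name__ == "__main__":
    print(EXPECTED, hex(EXPECTED), decode_uac(EXPECTED)[0])
    for account, findings in audit(SAMPLE).items():
        print(account, findings)
```

An account that reports `unexpected TRUSTED_FOR_DELEGATION` deserves review, since that flag grants delegation to any service rather than the constrained form the required value implies.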