special notes for s4uproxy:

s4uproxy extends SSPI, the cred of ISC caller PROCESS is used 

1) S4UProxy must be on a server

2) must set Trusted-to-Authenticate-for-Delegation (T2A4D) via ldp.exe

   #define UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION 0x1000000

   in the userAccountControl attribute, note ldp.exe only accepts decimal

3) must set Allowed-to-Delegate-to (A2D2) via "delegation tab" after raising
   domain functionality levels