Microsoft KB Archive/325894

= HOW TO: Configure Computer Accounts and User Accounts So That They Are Trusted for Delegation in Windows Server 2003 Enterprise Edition =

PSS ID Number: 325894

Article Last Modified on 12/11/2003

-

The information in this article applies to:


 * Microsoft Windows Server 2003, Enterprise Edition

-



This article was previously published under Q325894



IN THIS TASK

 * SUMMARY
 * How to Configure a Computer Account So That It Is Trusted for Delegation
   * In a Windows Server 2003 Enterprise Edition Domain
   * In a Microsoft Windows 2000 Native Domain
 * How to Configure a User Account So That It Is Trusted for Delegation
   * In a Windows Server 2003 Enterprise Edition Domain
   * In a Windows 2000 Native Domain
 * How to Assign User Rights for the Local Computer
 * Understanding Delegation



SUMMARY
This article describes how to configure accounts so that they are trusted for delegation in a Windows Server 2003 Enterprise Edition environment. A security setting determines which users can set the Trusted for Delegation settings on a user or computer object.

The user or object that is granted the Trusted for Delegation user right must have Write access to the account control flags on the user object or the computer object. A server process that is running on a computer (or under a user context) that is trusted for delegation can access resources on another computer by using a client computer's delegated credentials. A server process can access these resources only if the client's account does not have the Account cannot be delegated account control flag set.

The Trusted for Delegation user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

CAUTION: If you do not use the Trusted for Delegation user right or the Trusted for Delegation settings correctly, you can make the network vulnerable to sophisticated attacks that use Trojan horse programs to impersonate incoming clients and use their credentials to gain access to network resources. By default, the Trusted for Delegation right is assigned to the Administrator account on a domain controller.


How to Configure a Computer Account So That It Is Trusted for Delegation

In a Windows Server 2003 Enterprise Edition Domain

 * 1) Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
 * 2) In the console tree, click Computers.
 * 3) Right-click the computer that you want to configure, and then click Properties.
 * 4) Click the Delegation tab, click Trust this computer for delegation to any service (Kerberos only), and then click OK.

In a Microsoft Windows 2000 Native Domain

 * 1) Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
 * 2) In the console tree, click Computers.
 * 3) Right-click the computer that you want to configure, and then click Properties.
 * 4) Click the General tab, click Trust this computer for delegation, and then click OK.

NOTE: For security reasons, do not allow servers on the enterprise network to perform delegation at will on behalf of any network connection.


How to Configure a User Account So That It Is Trusted for Delegation

In a Windows Server 2003 Enterprise Edition Domain

 * 1) Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
 * 2) In the console tree, click Users.
 * 3) Right-click the user that you want to configure, and then click Properties.
 * 4) Click the Delegation tab, click Trust this user for delegation to any service (Kerberos only), and then click OK.

NOTE: The Delegation tab only appears if the domain has been raised to the Windows Server 2003 domain functional level. Otherwise, the Microsoft Windows 2000 scenario applies.

In a Microsoft Windows 2000 Native Domain

 * 1) Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
 * 2) In the console tree, click Users.
 * 3) Right-click the user that you want to configure, and then click Properties.
 * 4) Click the Accounts tab, click Account is trusted for delegation, and then click OK.

NOTE: For security reasons, do not allow servers on the enterprise network to perform delegation at will on behalf of any network connection.

If the Delegation tab does not appear, you must first register a Service Principal Name (SPN) for the account by using the Setspn utility that is included in the Support Tools pack, which is located on your CD-ROM or in the Resource Kit. Delegation is only intended to be used by a service account, which does have a registered SPN, rather than by a regular user account, which typically does not have an SPN.


How to Assign User Rights for the Local Computer
Click Start, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy. In the console tree, go to the following location, and then click User Rights Assignment:

Security Settings/Local Policies/User Rights Assignments

In the details pane, double-click the user right that you want to change. Click Add User or Group, add the user or group, and then click OK.


Understanding Delegation
Delegation is the act of allowing a service to impersonate a user account or a computer account to access resources throughout the network. In an N-tier program, the user authenticates to a middle-tier service. The middle-tier service authenticates to a back-end data server on behalf of the user.

Delegation depends on the middle-tier service that is being trusted for delegation. If the server is set to Trusted for delegation, the service can impersonate a user to use other network services. For example, a user runs a Web program and that Web program uses several different SQL databases that exist on different servers. When the user authenticates to a server (the front-end server) that is trusted for delegation, the server can access the SQL database on the other servers as the user. Because the server that is trusted for delegation has the user's ticket-granting ticket (TGT), it can authenticate to any service on the network. In Windows Server 2003, you can control the services that can impersonate the user by using constrained delegation.
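As an added example that is not part of the KB article, the following PowerShell decodes the account control flags the article refers to and reports, for each account, whether it is trusted for unconstrained delegation (the setting the steps above enable), constrained delegation, or is marked as unable to be delegated. The flag constants are the documented userAccountControl bits; the sample accounts are constructed, and the commented Get-ADObject query is how you would feed live directory objects in.

```powershell
# Added example: audit the delegation state of accounts from userAccountControl.
# Documented userAccountControl bits (not specific to this article):
$TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust this computer/user for delegation"
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

function Get-DelegationState {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account
    )
    process {
        $uac = [int]$Account.userAccountControl
        # Constrained delegation targets live in msDS-AllowedToDelegateTo (may be empty).
        $targets = @($Account.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $state =
            if ($uac -band $TRUSTED_FOR_DELEGATION) { 'Unconstrained (any service)' }
            elseif ($targets.Count -gt 0)           { 'Constrained to: ' + ($targets -join ', ') }
            else                                     { 'None' }
        [pscustomobject]@{
            Name               = $Account.Name
            Delegation         = $state
            ProtocolTransition = [bool]($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            CannotBeDelegated  = [bool]($uac -band $NOT_DELEGATED)
        }
    }
}

# Constructed sample objects standing in for Get-ADObject output
# (0x1000 = WORKSTATION_TRUST_ACCOUNT, 0x200 = NORMAL_ACCOUNT).
$sample = @(
    [pscustomobject]@{ Name = 'WEB01$';        userAccountControl = 0x1000 -bor 0x80000;  'msDS-AllowedToDelegateTo' = $null }
    [pscustomobject]@{ Name = 'svc-web';       userAccountControl = 0x200;                 'msDS-AllowedToDelegateTo' = @('MSSQLSvc/sql01.example.com:1433') }
    [pscustomobject]@{ Name = 'Administrator'; userAccountControl = 0x200 -bor 0x100000;  'msDS-AllowedToDelegateTo' = $null }
)
$sample | Get-DelegationState | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module); 524288 = 0x80000,
# matched with the LDAP bitwise-AND rule so that only flagged accounts are returned:
# Get-ADObject -LDAPFilter '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))' `
#     -Properties userAccountControl,'msDS-AllowedToDelegateTo' | Get-DelegationState
```

Accounts reported as "Unconstrained" hold the user's TGT as described above, so that list is the one to review against the CAUTION in the SUMMARY.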


Additional query words: kbactivedirectory

Keywords: kbHOWTOmaster KB325894

Technology: kbWinServ2003Ent kbWinServ2003EntSearch kbWinServ2003Search

-


© 2004 Microsoft Corporation. All rights reserved.