= How To Use Delegation in Windows 2000 with COM+ =

Article ID: 283201

Article Last Modified on 2/9/2006

APPLIES TO

 * Microsoft COM+ 1.0

This article was previously published under Q283201


SUMMARY
By default, Microsoft Windows 2000 uses the Kerberos protocol for authentication. The Kerberos protocol supports delegation and resolves an NTLM authentication limitation from Microsoft Windows NT 4.0. This article explains how to use delegation in Windows 2000 with COM+.

IMPORTANT Delegation is a very powerful feature and should be used with caution. Computers that are configured to support delegation should be under controlled access to prevent misuse of this feature.



MORE INFORMATION
Kerberos authentication generates a delegate-level token, as long as the following two conditions are met:
 1) The account that you are trying to delegate is not marked "Account is sensitive and cannot be delegated" in the Active Directory.
 2) The principal account against which you are authenticating (the user account under which the server process is running) is marked "Trusted for delegation" in the Active Directory.

Steps to Mark the User Account "Trusted for Delegation"

 1) On the Domain controller, click Start, point to Programs, point to Administrative Tools, and click Active Directory Users and Computers.
 2) Under your domain, click the Users folder.
 3) Under your user account, click Properties.
 4) On the Account tab, select the Trusted for delegation check box.
 5) Under the account that you are trying to delegate, clear the Account is sensitive and cannot be delegated check box.

Steps to Mark the Computer Account "Trusted for Delegation"
If the server process is running under a system account, the principal account is the computer account in the Active Directory. Therefore, you must make sure that you select the Trusted for delegation check box for the computer account in the Active Directory. To do this, follow these steps:
 1) On the Domain controller, click Start, point to Programs, point to Administrative Tools, and click Active Directory Users and Computers.
 2) Under your domain, click the Computers folder.
 3) Under your computer account, click Properties.
 4) On the General tab, select the Trusted for delegation check box.

When to Delegate User Credentials
Scenario 1

A typical scenario in which you may want to delegate user credentials is if a computer (Computer A) that has Microsoft Internet Explorer installed requests Active Server Pages (ASP) pages from a Microsoft Internet Information Server (IIS) Web server on a second computer (Computer B), and the ASP pages invoke Component Object Model (COM)/COM+ components on a third computer (Computer C). You want the COM/COM+ application to see the identity of the user that is logged on to the first computer.

For delegation to work in this scenario, clear the Account is sensitive and cannot be delegated check box for User A, and select the Trusted for delegation check box for Computer B. After you configure these settings for User A and Computer B, the COM/COM+ application on Computer C can see the identity of the user who is logged on to Computer A.

Scenario 2

You may also want to delegate the user credentials when a COM client application on a computer (Computer A) calls a COM+ application or COM server on another computer (Computer B), which calls the CoImpersonateClient function to use client credentials to invoke another COM+ application or COM server components on a third computer (Computer C).

For this scenario to work, set the impersonation level on Computer A to delegate, clear the Account is sensitive and cannot be delegated check box for User A in the Active Directory, and select the Trusted for delegation check box in the Active Directory for User B (the account under which the COM+ application or COM server on Computer B runs). When you configure these settings, the remote process on Computer C can impersonate the client's identity. In this way, you can chain delegation to other computers in the call chain.
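The following PowerShell script is an added example; it is not part of this article and not Microsoft's own tooling. It checks the two conditions listed under MORE INFORMATION for each scenario above (the user account procedure and the computer account procedure both set the same Active Directory flags), and it lists every account currently trusted for delegation, which is the inventory the IMPORTANT note asks you to keep under control. It assumes a domain with the ActiveDirectory PowerShell module (RSAT) available, which post-dates Windows 2000; the account names UserA, UserB and COMPUTERB$ are placeholders.

```powershell
# Added example (not part of KB 283201). Assumes the ActiveDirectory module
# (RSAT) is installed; account names are placeholders.
#Requires -Modules ActiveDirectory

# userAccountControl bits behind the two check boxes in the article.
$TRUSTED_FOR_DELEGATION = 0x80000   # "Trusted for delegation"
$NOT_DELEGATED          = 0x100000  # "Account is sensitive and cannot be delegated"

function Get-DelegationState {
    # Reads both flags for a user or computer account.
    # Computer sAMAccountNames end in '$', which selects the computer cmdlet.
    param([Parameter(Mandatory)][string]$Identity)
    $acct = if ($Identity.EndsWith('$')) {
        Get-ADComputer -Identity $Identity -Properties userAccountControl
    } else {
        Get-ADUser -Identity $Identity -Properties userAccountControl
    }
    $uac = [int]$acct.userAccountControl
    [pscustomobject]@{
        Identity             = $acct.SamAccountName
        TrustedForDelegation = [bool]($uac -band $TRUSTED_FOR_DELEGATION)
        NotDelegated         = [bool]($uac -band $NOT_DELEGATED)
    }
}

function Test-DelegationPair {
    # True only when both conditions from the article hold:
    #  1) the client account is not marked sensitive, and
    #  2) the principal the server process runs as is trusted for delegation.
    param(
        [Parameter(Mandatory)][string]$ClientAccount,    # the account being delegated (User A)
        [Parameter(Mandatory)][string]$ServerPrincipal   # computer account or service user on the server
    )
    $client = Get-DelegationState $ClientAccount
    $server = Get-DelegationState $ServerPrincipal
    if ($client.NotDelegated) {
        Write-Warning "$($client.Identity) is marked 'Account is sensitive and cannot be delegated'."
    }
    if (-not $server.TrustedForDelegation) {
        Write-Warning "$($server.Identity) is not marked 'Trusted for delegation'."
    }
    return (-not $client.NotDelegated) -and $server.TrustedForDelegation
}

function Enable-DelegationPair {
    # Equivalent of the two check-box procedures in the article; run with -WhatIf first.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$ClientAccount,
        [Parameter(Mandatory)][string]$ServerPrincipal
    )
    if ($PSCmdlet.ShouldProcess($ClientAccount, "clear 'Account is sensitive and cannot be delegated'")) {
        Set-ADAccountControl -Identity $ClientAccount -AccountNotDelegated $false
    }
    if ($PSCmdlet.ShouldProcess($ServerPrincipal, "set 'Trusted for delegation'")) {
        Set-ADAccountControl -Identity $ServerPrincipal -TrustedForDelegation $true
    }
}

# Scenario 1: IIS on Computer B runs as a system account, so the principal
# is the computer account in Active Directory.
Test-DelegationPair -ClientAccount 'UserA' -ServerPrincipal 'COMPUTERB$'

# Scenario 2: the COM+ application or COM server on Computer B runs under User B.
Test-DelegationPair -ClientAccount 'UserA' -ServerPrincipal 'UserB'

# Inventory for the IMPORTANT note: every user and computer account that is
# trusted for delegation (LDAP bitwise-AND matching rule on userAccountControl).
Get-ADObject -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" `
    -Properties userAccountControl |
    Select-Object Name, ObjectClass, DistinguishedName
```

The flag the article calls "Trusted for delegation" is the unconstrained form of Kerberos delegation: a server process running under such an account receives a forwardable ticket and can act as the client toward any service, which is why the IMPORTANT note asks for controlled access to those computers. Reviewing the inventory query's output regularly, and running Enable-DelegationPair only with -WhatIf until the change is approved, keeps that set small.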

Note These steps assume that you are using Windows 2000 and Active Directory, and that all user and computer accounts are in the same domain or in a trusted domain.

