Microsoft KB Archive/262291

= DOC: Windows 2000 Supports Delegations with Kerberos Authentication Service =

Article ID: 262291

Article Last Modified on 2/9/2006


APPLIES TO


 * Microsoft COM+ 2.0 Standard Edition, when used with:
 * Microsoft Windows 2000 Standard Edition




This article was previously published under Q262291



SUMMARY
In the context-sensitive help of DCOMCNFG.exe, on the Default Properties tab, the drop-down list for Default Impersonation Level states that "The Windows 2000 authentication service does not support Delegate". Microsoft has confirmed that this is a documentation error. Windows 2000 implements the Kerberos v5 authentication protocol, and this authentication service supports delegate-level impersonation.



MORE INFORMATION
COM security is based on the security that is provided by Windows NT, Windows 2000, and the underlying remote procedure call (RPC) security mechanisms. COM security relies on authentication and authorization: authentication is the process that verifies a caller's identity, and authorization is the process that determines whether a caller is authorized to perform the requested task.

In the COM security model, servers manage objects, and clients access objects through servers. Through impersonation, servers can attempt to access resources or other servers on the client's behalf. The client can set an impersonation level that determines to what extent the server can act as the client.

On Windows 2000, there are four impersonation levels:
 * Anonymous
 * Identify
 * Impersonate
 * Delegate

Prior to Windows 2000, "identify" and "impersonate" were the only supported impersonation levels. On Windows 2000, "delegate" level impersonation is supported when you use the Kerberos authentication service.
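The following PowerShell audit is an added example, not part of the original KB article: it reports which of the four impersonation levels is configured as the machine-wide default, and flags Delegate for review because at that level a server can act as the client against other servers. It assumes the DCOMCNFG Default Impersonation Level setting is stored as the `LegacyImpersonationLevel` DWORD under `HKLM\SOFTWARE\Microsoft\Ole`; the function name and output fields are illustrative.

```powershell
# Added example: function name and output shape are illustrative,
# not taken from the KB article.
# Assumption: DCOMCNFG's "Default Impersonation Level" is persisted as the
# LegacyImpersonationLevel DWORD under HKLM\SOFTWARE\Microsoft\Ole.

# Numeric values follow the RPC_C_IMP_LEVEL_* constants.
$ImpLevelNames = @{
    1 = 'Anonymous'
    2 = 'Identify'
    3 = 'Impersonate'
    4 = 'Delegate'
}

function Get-DcomDefaultImpersonation {
    param(
        # Overridable so the function can be pointed at an exported test key.
        [string]$OlePath = 'HKLM:\SOFTWARE\Microsoft\Ole'
    )

    $props = Get-ItemProperty -Path $OlePath -ErrorAction Stop
    $raw   = $props.LegacyImpersonationLevel

    if ($null -eq $raw) {
        # Value absent: the COM built-in default applies.
        $name = 'NotConfigured'
    } elseif ($ImpLevelNames.ContainsKey([int]$raw)) {
        $name = $ImpLevelNames[[int]$raw]
    } else {
        # Out-of-range data deserves a look as well.
        $name = "Unknown($raw)"
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        EnableDCOM         = $props.EnableDCOM
        RawValue           = $raw
        ImpersonationLevel = $name
        # Delegate as a machine-wide default lets any COM server that the
        # client calls act as the client on further hops.
        ReviewNeeded       = ($name -eq 'Delegate') -or ($name -like 'Unknown*')
    }
}

Get-DcomDefaultImpersonation | Format-List
```

A client can still select its own level programmatically, so this reports only the default that applies when a process does not set one.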

Steps to Reproduce Behavior

 * 1) Run DCOMCNFG.exe.
 * 2) On the Default Properties tab, click to highlight the Default Impersonation Level drop-down list.
 * 3) Press the F1 key. The last line of the context-sensitive help states that "The Windows 2000 authentication service does not support Delegate".

