Oct 27, 2007

More on Kerberos

By default, the Microsoft® Windows® 2000 operating system uses the Kerberos protocol for authentication. This How To describes how to configure Kerberos delegation, a powerful feature that allows a server, while impersonating a client, to access remote resources on behalf of the client.

Delegation is a very powerful feature and is unconstrained on Windows 2000. It should be used with caution. Computers that are configured to support delegation should be under controlled access to prevent misuse of this feature. Windows .NET Server will support a constrained delegation feature.

When a server impersonates a client, Kerberos authentication generates a delegatelevel token (capable of being used to respond to network authentication challenges from remote computers) if the following conditions are met:

  1. The client account that is being impersonated is not marked as sensitive and cannot be delegated in Microsoft Active Directory® directory service.
    1. Log onto the domain controller using an administrator account.
    2. On the taskbar, click the Start button, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
    3. Under your domain, click the Users folder.
    4. Right-click the user account that is to be delegated, and then click Properties.
    5. Click the Account tab.
    6. Within the Account options list, make sure Account is sensitive and cannot be delegated is not selected.
    7. Click OK to close the Properties dialog box.
  2. The server process account (the user account under which the server process is running, or the computer account if the process is running under the local SYSTEM account) is marked as trusted for delegation in Active Directory.
    This procedure ensures that the account used to run the server process (the process that performs impersonation) is allowed to delegate client accounts. You must configure the user account under which the server process runs, or if the process runs under the local SYSTEM account, you must configure the computer account. Perform the appropriate procedure that follows, depending on if your server process runs under a Windows account or a local SYSTEM account.
    1. To confirm that the server process account is trusted for delegation if the server process runs under a Windows user account
      1. Within the Users folder of Active Directory Users and Computers, right-click the user account that is used to run the server process that will impersonate the client, and then click Properties.
      2. Click the Account tab.
      3. Within the Account options list, click Account is trusted for delegation.
    2. To onfirm that the server process account is trusted for delegation if the server process runs under the local SYSTEM account
      1. Right-click the Computers folder within Active Directory Users and Computers, and then click Properties.
      2. Right-click the server computer (where the process that impersonates the client will be running), and then click Properties.
      3. On the General page, click Trust computer for delegation.