Delegating authentication
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Delegating authentication
Delegation is the act of allowing a service to impersonate a user account or computer account in order to access resources throughout the network. When a service is trusted for delegation, that service can impersonate a user to use other network services.
For more information about delegation, see "Designing an Authentication Strategy" at the Microsoft Windows Resource Kits Web site.
To set up delegation on a computer, the following conditions must be met:
The account doing the delegation must be set to Trusted for delegation to any service or Trusted for delegation to specified services only.
The account that the service is delegating for must not have the Account is sensitive and cannot be delegated option chosen.
An administrator must have the Enable computer and user accounts to be trusted for delegation privilege on the computer in order to enable delegation.
For more information about how to allow users or computers to be trusted for delegation, see Authentication Protocol How To....
Differences in Windows Server 2003 family delegation
Windows 2000 | Members of the Windows Server 2003 family |
---|---|
Delegation requires the Kerberos authentication protocol. |
Delegation can be used when the client authenticates to the service using protocols other then Kerberos because of a new feature of the Windows Server 2003 family, Protocol Transition. |
The Key Distribution Center (KDC) embeds a copy of the user's ticket-granting ticket (TGT) inside the service ticket that is sent to the server. With this TGT, the server that has been trusted for delegation can request service tickets for the user to any other service on the network. |
A ticket-granting ticket (TGT) is not needed. With protocol transition, a service can use a service ticket for delegation. |
Delegation allows the server to connect to any resource in the domain on behalf of the client. |
An administrator can specify which Service Principal Names (SPNs) an account is able to delegate to with constrained delegation. |
Constrained delegation
Constrained delegation is a new option and can only be used on members of the Windows Server 2003 family. With this option, the administrator can specify which Service Principal Names (SPNs) an account is able to delegate to. A service can be trusted for delegation, but that trust can be limited to a select group of services explicitly specified by a domain administrator.
In a Windows Server 2003 domain, there are three options to consider in trusting a computer for delegation:
Do not trust this computer for delegation. This option was available in Windows 2000 and is the default setting for members of the Windows Server 2003 family.
Trust this computer for delegation to any service (Kerberos only). This option was available in Windows 2000. This setting is only as secure as the service and the actions of all its administrators. When this option is selected on a computer, all services under the Local System account on the computer will be trusted for delegation. This means an administrator on that computer may install any service and then that service will have the ability to access any network resource by impersonating a user.
Trust this computer for delegation to specified services only. This is a new feature for the Windows Server 2003 family, and it is commonly referred to as constrained delegation. With constrained delegation, the administrator can specify which Service Principal Names (SPNs) this account is able to delegate to. If an application requires delegation for best functionality, this is the most secure option. Delegation for specified services allows an administrator to choose what services on the network can be delegated to by choosing a specific service or computer account. By only allowing delegation to specific services, an administrator can control what network resources the service or computer can use.
For more information on functional levels, see Domain and forest functionality.
For information on about configuring constrained delegation, see
Allow a computer to be trusted for delegation for specific services
Allow a user to be trusted for delegation for specific services
For information on about configuring delegation, see