Enabling Constrained Delegation

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Constrained delegation lets administrators specify the particular services to which a computer that is trusted for delegation may present a user's identity when it requests resources on that user's behalf. Because the list of target services is fixed on the computer account, an attacker who compromises that server can reach only the services you listed, instead of any service in the domain as unconstrained delegation would allow.

Before you enable constrained delegation, separate critical data that you must keep secure from data that users need to access frequently. For example, if your organization maintains an e-commerce Web site, you might choose to isolate customer credit card numbers, internal accounting data, or human resources information from the order status information that customers access frequently, so that the Web front end is allowed to delegate only to the order status service.

To enable constrained delegation

  1. In Active Directory Users and Computers, right-click the computer account and select Properties.

  2. On the Delegation tab, click Trust this computer for delegation to specified services only.

  3. Select Use Kerberos only, or select Use any authentication protocol. Use any authentication protocol enables protocol transition, which lets this computer obtain Kerberos tickets to the listed services for users who authenticated to it by some other means (for example, NTLM or forms-based logon). Choose Use Kerberos only unless you require that capability, because a compromised server with protocol transition can impersonate any user to the listed services without that user ever authenticating.

  4. Click Add and, in Add Services, click Users or Computers, and then select the account (usually a computer account) that hosts the target service.

  5. In Add Services, select the service or services to which this computer is allowed to delegate, and click OK. Repeat Add for each additional host.

You can further restrict delegation on the account side by marking highly sensitive accounts, such as administrator accounts, so that their credentials are never delegated by any server, constrained or not.

To restrict delegation

  1. In Active Directory Users and Computers, right-click the user account and select Properties.

  2. On the Account tab, under Account options, select the Account is sensitive and cannot be delegated check box, and click OK.
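The following script is an added example, not part of the original article, that performs both procedures above (enabling Kerberos-only constrained delegation on a front-end server and marking sensitive accounts as non-delegatable) from PowerShell, and then audits the domain for delegation settings that are riskier than the one just configured. It assumes the ActiveDirectory PowerShell module from RSAT is available on the management workstation; the computer name WEB01, the service principal name MSSQLSvc/sql01.corp.example.com:1433 and the account names in $Sensitive are placeholders to replace with values from your environment.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module (RSAT) is installed; WEB01, the SPN and the account names are placeholders.
Import-Module ActiveDirectory

$FrontEnd  = 'WEB01'                                  # computer account trusted for delegation
$BackEnd   = 'MSSQLSvc/sql01.corp.example.com:1433'   # the only service WEB01 may delegate to
$Sensitive = @('Administrator', 'svc-backup')         # accounts whose credentials must never be delegated

# Steps 1-3 of "To enable constrained delegation", with "Use Kerberos only".
# Kerberos-only constrained delegation has both userAccountControl delegation flags clear:
# TRUSTED_FOR_DELEGATION (0x80000, unconstrained) and
# TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000, "Use any authentication protocol").
Set-ADAccountControl -Identity "$FrontEnd$" -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# Steps 4-5: the services chosen in the Add Services dialog are stored as values
# of the msDS-AllowedToDelegateTo attribute on the computer account.
Set-ADComputer -Identity $FrontEnd -Add @{ 'msDS-AllowedToDelegateTo' = $BackEnd }

# "To restrict delegation": the "Account is sensitive and cannot be delegated"
# check box sets NOT_DELEGATED (0x100000) on the user account.
foreach ($name in $Sensitive) {
    Set-ADAccountControl -Identity $name -AccountNotDelegated $true
}

# Verify the resulting state instead of trusting the dialog.
$c = Get-ADComputer -Identity $FrontEnd -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
if ($c.TrustedForDelegation)       { Write-Warning "$FrontEnd is still UNCONSTRAINED; it can reuse forwarded TGTs against any service." }
if ($c.TrustedToAuthForDelegation) { Write-Warning "$FrontEnd allows protocol transition (Use any authentication protocol)." }
"$FrontEnd may delegate to: $($c.'msDS-AllowedToDelegateTo' -join ', ')"

# Domain audit. The LDAP matching rule 1.2.840.113556.1.4.803 tests a single bit
# of userAccountControl, so these filters return computers with each flag set.
Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' |
    Select-Object Name, @{ n = 'Mode'; e = { 'Unconstrained' } }

Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object Name,
        @{ n = 'Mode';    e = { 'Constrained, any protocol' } },
        @{ n = 'Targets'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Run it from an account that can modify the computer and user objects. The two audit queries at the end are the ones worth scheduling: any computer listed as Unconstrained holds usable copies of the TGTs of everyone who connects to it, and any computer listed with protocol transition can mint service tickets for arbitrary users to its targets, so both deserve the same scrutiny as a domain controller.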