Introduction (Kerberos Protocol Transition and Constrained Delegation)

Applies To: Windows Server 2003 with SP1

The number of security threats to Web applications that are deployed on the Internet increase every day. An enterprise that deploys a Web application on the Internet has to deal with security issues, such as denial of service attacks, identity spoofing, unauthorized access to program functions, and so on. You can mitigate certain types of security risks, such as unauthorized access to data, through the process of user authentication and authorization. This document examines the requirements that you can use to authenticate the users of Web applications and discusses how the new extensions to the Kerberos authentication protocol in Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition can satisfy these requirements. Note that this document is not a specification of the protocol extensions and, therefore, detailed explanations of the protocol message flows and data structures are outside of the scope of this document. If you are familiar with the features of the extensions and want a summary of the implementation of the extensions, you can skip to the "Summary" section at the end of the document.

This article assumes that you have a basic understanding of the Kerberos authentication protocol and Windows security concepts, such as user privileges and tokens. For a Kerberos protocol primer, see "Exploring Kerberos, the Protocol for Distributed Security in Windows 2000" at the Microsoft Web site (

The sample scenario and sample code in this document assumes some basic knowledge of Microsoft ASP.NET programming.