Conclusion (Kerberos Protocol Transition and Constrained Delegation)
Applies To: Windows Server 2003 with SP1
Delegation is a security pattern that occurs frequently in n-tier applications. At the time when this document was published, Kerberos was the only widely-adopted authentication protocol that possessed the delegation property. In this document, the Kerberos extensions on computers that are running Windows Server 2003 are discussed. The document also describes how the extensions allow many applications to use the authentication protocol. The sample code illustrates how n-tier Web services and applications can use the new feature.
Protocol transition provides application designers with increased flexibility and security by enabling applications to support different authentication mechanisms at the user authentication tier, and by switching to the Kerberos protocol for security features, such as mutual authentication and constrained delegation, in the subsequent application tiers.
Constrained delegation gives administrators the ability to specify and enforce application trust boundaries by limiting the scope where application services can act on a users behalf. This flexibility to constrain a services authorization rights helps improve application security design by reducing the opportunities for compromise by untrusted services.