Summary (Kerberos Protocol Transition and Constrained Delegation)
Applies To: Windows Server 2003 with SP1
This section summarizes and defines some of the key points for the new protocol extensions.
The following items summarize the protocol transition implementation details that are described in this document:
The protocol transition extension can be initiated in two ways:
Programmatically through the LsaLogonUser function or the WindowsIdentity class object. This approach is recommended when the initial user-authentication mechanism is not one of Windows-integrated authentication protocols. The process must have the Act as part of the operating system privilege for the function to create an impersonation-level token. If the process does not have the Act as part of the operating system privilege, an identification-level token is created.
Using existing Windows-integrated authentication protocols for the initial user logon procedure with credentials, and using Kerberos protocol transition for subsequent user authentication to other services. The Kerberos SSP initiates the protocol transition extension if the user token that you created for initial logon is an impersonation-level token.
You must run the operating system process that initiates protocol transition on a computer that is running Windows Server 2003.
You can use protocol transition both in and across Active Directory forests.
When you use protocol transition in an Active Directory forest, all domain controllers that are located in the user and service accounts trust path and that are used for the protocol transition process must be running Windows Server 2003. To meet this requirement, use one of the following methods:
Upgrade all of the domain controllers that are in the domain that is participating in protocol transition to computers that are running Windows Server 2003. This approach requires that all of the domain controllers in the domain are running Windows Server 2003.
Upgrade all of the domain controllers in the Active Directory sites that are participating in protocol transition to computers that are running Windows Server 2003. This approach does not require that all domain controllers that are in the domain are running Windows Server 2003. This approach is recommended if you cannot upgrade all of the domain controllers in the domain to Windows Server 2003, and if you can isolate the applications that require the protocol transition extension to a certain number of Active Directory sites for which you can upgrade all of the domain controllers.
When you use protocol transition across Active Directory forests, both forests must be operating at the Windows Server 2003 forest functional level and two-way forest trust must be established between the forests.
The following items summarize the constrained delegation implementation details that are described in this document:
The constrained delegation extension is affected by the following domain policies that are set in Active Directory:
The requesting service must be trusted for constrained delegation (the T2A4D flag must be set for the requesting service) if Kerberos is not used as the initial user authentication protocol.
The requesting service must be authorized to delegate to the target service (the target service must be on the requesting services A2D2 list).
You cannot use constrained delegation between services whose accounts are in different domains. All domain controllers in the domain must be running Windows Server 2003, and the domain must be operating at the Windows Server 2003 functional level. The accounts of users accessing the services do not have to be in the same domain as the services.