Enabling Delegated Authentication
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Delegated authentication occurs when a network service accepts a request from a user and assumes that user’s identity in order to initiate a new connection to a second network service.
To enable delegated authentication, you must establish front-end or first-tier servers, such as Web servers, that are responsible for handling client requests, and back-end or n-tier servers, such as large databases, that are responsible for storing information. You can delegate the right to enable delegated authentication to users in your organization in order to reduce the administrative load on your administrators. To delegate this right, assign the Enable computer and user accounts to be trusted for delegation user right to the selected individuals. Users who are assigned the right to enable delegated authentication can assign the Trusted for delegation right to computer and service accounts that are used to serve users information that is stored on back-end servers and must be accessed securely. The user account that is requesting the resource must not be marked as sensitive; marking an account as sensitive explicitly denies the right to delegation.
By establishing a service or computer as trusted for delegation, you enable that service or computer to complete delegated authentication, receive a ticket for the user who is making the request, and then access information for that user. Delegated authentication prevents an attacker who gains control of a front-end server, such as a Web server, from also gaining access to data stored on a back-end server. By requiring that all data be accessed by means of credentials that are delegated to the server for use on the client’s behalf, you ensure that the server cannot be compromised and then used to gain access to sensitive information about other servers.
Delegated authentication is useful for multitier applications that are designed to use single sign-on capabilities across multiple computers. For example, domain controllers are automatically trusted for delegation. If this property is disabled on a domain controller, the Message Queuing service cannot run. Also, if you enable the Encrypting File System on a file server, the server must be trusted for delegation in order to store encrypted files on behalf of users. Delegated authentication is also useful on applications where Internet Information Services (IIS) supports a Web interface to a database running on another computer, such as Outlook Web Access in Exchange, or Web Enrollment Support pages for an enterprise certification authority, if the pages are installed on a separate Web server.
It is recommended that you deny the right to participate in delegated authentication to the computer accounts in Active Directory for computers that are not physically secure, and to domain administrator accounts. Domain administrator accounts have access to sensitive resources and, if compromised, poses a higher risk to your organization.
When computers that are trusted for delegation are compromised by an attacker, the attacker can use them to access data stored on other servers by using the delegated credentials of an authenticated user. Ensure that only secure computers are trusted for delegation, and do not allow the delegation of powerful user accounts, such as administrator accounts. Also, consider applying constrained delegation to computers that are trusted for delegation, to limit the ways in which delegated credentials can be used. In this way, an attacker who has access to the computer has access to only limited services.
For more information about enabling constrained delegation, see "Enabling Constrained Delegation" later in this chapter.
To restrict delegated authentication
In Active Directory Users and Computers, right-click the computer or user account and select Properties.
On the Account tab, under Account Options, select the Account is sensitive and cannot be delegated check box, and click OK.
You can also restrict delegated authentication to prevent the delegation of sensitive user accounts by marking the account as not enabled for delegation. Restrict delegated authentication for accounts that are less secure or that are particularly powerful.