Delegation of Authentication

In Windows NT, a service could impersonate its clients only to gain access to resources on the computer where the service process was running. In Windows 2000, a service can impersonate its clients not only when it gains access to resources on the service's computer but also when it gains access to resources on other computers. This is because the Kerberos authentication protocol supports delegation of authentication.

Delegation works only under the following conditions:

• The computers that are hosting the client process, the service process, and processes for any back-end services must all be running Windows 2000 in a Windows 2000 domain.
• The client's user account must be enabled for delegation.
• The service's account must be enabled for delegation.

To configure a user account for delegation, right-click the User object in Active Directory Users and Computers. Then click Properties and then the Account tab. In the Account options list, look for the option Account is sensitive and cannot be delegated; make sure this option is not checked.

How you configure the service account depends on whether the service runs under a computer's Local System account or under its own domain user account. If the service is configured to run under the Local System account, the computer where the service runs must be trusted for delegation. To configure a computer account as trusted for delegation, right-click the Computer object in Active Directory Users and Computers, click Properties and then the General tab. Select the Trust computer for delegation check box.

Caution

When you trust a computer for delegation, you enable delegation for all services that run under the Local System account on the computer. If an unwary administrator installs an untrusted service on the computer and configures it to run as Local System, it too is going to be able to gain access to network resources while impersonating other users. A better practice is to configure services that use delegation to run under their own domain user accounts managed by domain administrators.

If the service is configured to run under its own domain user account, the user account of the service must be enabled to act as a delegate. To configure the user account of a service, right-click the User object, click Properties, and then click the Account tab. In the Account options list, check the option Account is trusted for delegation.

© 1985-2000 Microsoft Corporation. All rights reserved.