Windows Server

Delegation

Jan 11

In distributed systems, it is typical for one server to call another server to accomplish a task for a client. This functionality is called impersonation. To handle these requests for a client, the server must be given the authority to do so. The ability to call other servers while impersonating the original client is called delegation.

Trusted for Delegation

http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/iisbook/c09_trusted_for_delegation.mspx?mfr=true

To allow delegation of security credentials, you must also set the Computer is trusted for delegation option on each computer that will be used by the Web application.

To set the Computer is trusted for delegation option

1.    On the Tools menu, click Active Directory Users and Computers.

2.    Click the domain name node to expand it.

3.    Click the Computers node to expand it.

4.    Right-click on the computer in question.

5.    Select Properties.

6.    Select Computer is trusted for delegation.

Perform these steps on the Domain Controllers node also.

You can override this option on a per-user account basis. For example, it is considered bad security practice to enable account delegation for the Administrator account, because this account is a highly trusted account.

To override the Computer is trusted for delegation option

1.    On the Tools menu, click Active Directory Manager.

2.    Click the Users node to expand it.

3.    Right-click on the user account in question.

4.    Select Properties.

5.    Click the Account tab.

6.    Deselect Account is sensitive, do not delegate in the Account options.
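The two procedures above toggle userAccountControl flags on the computer object (TRUSTED_FOR_DELEGATION) and on the user object (NOT_DELEGATED, shown in the GUI as "Account is sensitive and cannot be delegated"). The following PowerShell script is an added example, not part of the original article or of Microsoft's documentation; it audits both settings across the domain with the ActiveDirectory module from RSAT. It assumes a domain-joined host, an account with read access to the directory, and that the group names below match your domain (they are the default built-in names).

```powershell
# Added example (not from the article): audit delegation flags in Active Directory.
# Requires the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

# 1. Computers trusted for delegation to any service
#    (userAccountControl flag TRUSTED_FOR_DELEGATION, 0x80000).
#    Domain controllers carry this flag by design, so they are excluded from the report.
$dcs = (Get-ADDomainController -Filter *).Name
$unconstrained = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' -Properties TrustedForDelegation |
    Where-Object { $dcs -notcontains $_.Name }
$unconstrained | Select-Object Name, DistinguishedName

# 2. Privileged accounts that do NOT carry "Account is sensitive and cannot be
#    delegated" (flag NOT_DELEGATED, 0x100000). The article calls delegation for
#    the Administrator account bad practice; this check covers every member of
#    the built-in administrative groups (recursively, so nested groups count).
$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators' |
    ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
    Where-Object objectClass -eq 'user' |
    Sort-Object -Property SamAccountName -Unique

$exposed = foreach ($member in $privileged) {
    $user = Get-ADUser -Identity $member.SamAccountName -Properties AccountNotDelegated
    if (-not $user.AccountNotDelegated) { $user }
}
$exposed | Select-Object SamAccountName, DistinguishedName

# 3. Remediation: mark each exposed account as sensitive. -WhatIf only reports
#    what would change; drop it to apply the flag.
$exposed | ForEach-Object { Set-ADUser -Identity $_ -AccountNotDelegated $true -WhatIf }
```

Run the audit before and after a delegation change so that the set of unconstrained computers stays deliberately small and every administrative account retains the NOT_DELEGATED flag; a server that is trusted for delegation can act as any user who authenticates to it except those carrying that flag.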

Enable computer and user accounts to be trusted for delegation

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Description

Determines which users can set the Trusted for Delegation setting on a user or computer object.

The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using a client's delegated credentials, as long as the client's account does not have the Account cannot be delegated account control flag set.

This user right is defined in the Default Domain Controller Group Policy object (GPO) and in the local security policy of workstations and servers.

The default groups that have this right on each platform are:

     Workstations and Servers:    (none)

     Domain Controllers:          Administrators

Note

Misuse of this privilege or of the Trusted for Delegation setting could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.

Allow a computer to be trusted for delegation for specific services

To allow a computer to be trusted for delegation for specific services

1.    Open Active Directory Users and Computers.

2.    In the console tree, click Computers (DomainName/Computers).

3.    In the details pane, right-click the computer you want to trust for delegation and then click Properties.

4.    On the Delegation tab, click Trust this computer for delegation to specified services only.

5.    Do one of the following:

     Confirm that Use Kerberos only is selected.

     Click Use any authentication protocol.

6.    Click Add and, in Add Services, click Users and Computers.

7.    In Enter the object names to select (examples), type the name of the user or computer that the computer will be trusted to delegate for, and then click OK.

8.    In Add Services, click the service or services that will be trusted for delegation and click OK. Repeat this step as necessary.

Notes

     To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

     To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

     If you cannot see the Delegation tab, do one or both of the following:

     Register a Service Principal Name (SPN) for the computer account using the Setspn utility in the support tools that are on your CD. Delegation is only intended to be used by service accounts, which should have registered SPNs, as opposed to a regular user account which typically does not have SPNs.

     Raise the functional level of your domain to Windows Server 2003 . For more information, see Related Topics.

     Constrained delegation, delegation of authentication for only specified services, can only be enabled on a member of the Windows Server 2003 family.
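The Delegation tab writes two things to the computer object: the list of target services goes into the msDS-AllowedToDelegateTo attribute, and choosing "Use any authentication protocol" additionally sets the TRUSTED_TO_AUTH_FOR_DELEGATION flag (protocol transition), whereas "Use Kerberos only" leaves that flag clear. The script below is an added example, not part of the original article or of Microsoft's documentation; it performs the same configuration from PowerShell for a web front end that must reach a back-end SQL service, registers the SPN the tab requires, and audits which computers have protocol transition enabled. The host names WEB01, web01.corp.example and sql01.corp.example are placeholders.

```powershell
# Added example (not from the article): constrained delegation via PowerShell.
# Requires the RSAT ActiveDirectory module and Domain Admins (or delegated) rights.
Import-Module ActiveDirectory

$frontEnd   = 'WEB01'                               # placeholder computer account name
$backEndSpn = 'MSSQLSvc/sql01.corp.example:1433'    # placeholder service the front end may delegate to

# The Delegation tab only appears once the account owns an SPN. setspn -S checks
# the forest for a duplicate before adding it (the tab would be hidden otherwise).
setspn -S HTTP/web01.corp.example $frontEnd

# "Trust this computer for delegation to specified services only" + "Use Kerberos only":
# add the target SPN to msDS-AllowedToDelegateTo and keep protocol transition off.
Set-ADComputer -Identity $frontEnd -Add @{ 'msDS-AllowedToDelegateTo' = $backEndSpn }
Set-ADComputer -Identity $frontEnd -TrustedToAuthForDelegation $false

# Make sure the account is not ALSO trusted for unconstrained delegation; that flag
# would override the service list entirely.
Set-ADComputer -Identity $frontEnd -TrustedForDelegation $false

# Verify the resulting state of the front end.
Get-ADComputer -Identity $frontEnd -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation |
    Format-List Name, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# Audit: computers with "Use any authentication protocol" (protocol transition). These
# can obtain a service ticket for a user who never authenticated with Kerberos, so the
# list should be short and each entry justified.
Get-ADComputer -Filter 'TrustedToAuthForDelegation -eq $true' -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object Name, @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

As the article notes, msDS-AllowedToDelegateTo is honoured only at the Windows Server 2003 domain functional level or later; on a Windows 2000 domain the attribute can be written but the KDC ignores it and only the unconstrained flag has any effect.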

Allow a user to be trusted for delegation

To allow a user to be trusted for delegation

     In a Windows Server 2003 domain

     In a Windows 2000 native domain

In a Windows Server 2003 domain

1.    Open Active Directory Users and Computers.

2.    In the console tree, click Users (DomainName/Users).

3.    In the details pane, right-click the user you want to be trusted for delegation, and click Properties.

4.    Click the Delegation tab, select the Account is trusted for delegation check box, and then click OK.

Note

     If you cannot see the Delegation tab, do one or both of the following:

     Register a Service Principal Name (SPN) for the user account with the Setspn utility in the support tools on your CD. Delegation is only intended to be used by service accounts, which should have registered SPNs, as opposed to a regular user account which typically does not have SPNs.

     Raise the functional level of your domain to Windows Server 2003 . For more information, see Related Topics.

In a Windows 2000 native domain

1.    Open Active Directory Users and Computers.

2.    In the console tree, click Users.

3.    In the details pane, right-click the user you want to be trusted for delegation, and click Properties.

4.    Click the Accounts tab, select the Account is trusted for delegation check box, and then click OK.

Notes

     To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

     To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

     For security reasons, do not allow servers on the enterprise network to perform delegation at will on behalf of any network connection.

Additional Issues:

Authentication delegation through Kerberos does not work in load-balanced architectures

http://support.microsoft.com/kb/325608

Symptoms

When a customer tries to use Kerberos to delegate authentication in a load-balanced architecture, Kerberos does not work and Internet Information Services (IIS) drops back to Windows NT Challenge/Response authentication. Because Windows NT Challenge/Response cannot be used for delegation, any applications or services that require delegation do not work.

Cause

The problem occurs because of a limitation in the Kerberos authentication protocol. The load-balanced cluster identifies itself by a virtual host name, and that is the host name the Kerberos ticket is issued for. When the ticket is presented to the actual server, the server the client was directed to does not match the ticket's Service Principal Name (SPN), so the ticket is rejected. Additionally, in a Windows 2000 domain, the virtual host name cannot be set to Trusted For Delegation in the Active Directory.

When the server rejects the Kerberos ticket, the client renegotiates and tries to use Windows NT Challenge/Response authentication. Even if the client can authenticate through this method, delegation fails because it relies on Kerberos to function.

Workaround

One possible workaround requires that each computer in the load-balanced cluster be available to answer to its own fully qualified domain name (FQDN). The default page on each server must redirect the client directly to itself, thereby bypassing the virtual host name and instead providing a valid host name that a ticket can be issued for.

As a sample, the page can be something as simple as the following line:

<% response.redirect("http://my.unique.fqdn/default2.asp") %>

Assuming that my.unique.fqdn is the unique FQDN of the computer and that Default2.asp is the actual default page that the client must be directed to, Kerberos can use this simple redirection to work in a load-balanced architecture.

As a caveat, the client can see or record (that is, bookmark) the unique name of the server that the client is directed to. This may lead to outages if the client bookmarks that site and tries to return when either the physical server or the unique server name is unavailable.

More Information

A white paper is now available that discusses how to set up a network load-balanced environment for Kerberos authentication. This solution may take longer to implement because it includes changes to the Web server environment. However, the solution described in the white paper may be better than the solution described in the "Workaround" section.

Note If you use the solution that is described in the white paper, do not register a HOST SPN when you are directed to. Register an HTTP SPN.
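The reason the HOST/HTTP distinction matters is that a service ticket for HTTP/<virtual name> is encrypted with the key of whichever account owns that SPN. If the SPN sits on one node's computer account, only that node can decrypt it and the other nodes reject the ticket, which is the failure the "Cause" section describes; if it sits on a domain service account that every node's application pool runs as, all nodes can decrypt it. The script below is an added example, not part of the KB article or the white paper; it reports how the SPNs for a virtual host name are registered and flags the two configurations that break Kerberos in a load-balanced setup (duplicate registration, or registration on a single computer account). The name www.corp.example is a placeholder.

```powershell
# Added example (not from the KB article): check SPN registration for a
# load-balanced site's virtual host name. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$vip  = 'www.corp.example'                         # placeholder virtual host name
$spns = "HTTP/$vip", "HTTP/$($vip.Split('.')[0])"  # FQDN form and short-name form

foreach ($spn in $spns) {
    # Every directory object that claims this SPN. Kerberos needs exactly one owner.
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'")
    switch ($owners.Count) {
        0 { "$spn : not registered - clients fall back to NTLM and delegation fails" }
        1 {
            $owner = $owners[0]
            if ($owner.ObjectClass -eq 'computer') {
                "$spn : owned by computer $($owner.Name) - only that node can decrypt the ticket; move the SPN to the shared application-pool account"
            } else {
                "$spn : owned by $($owner.ObjectClass) $($owner.Name) - correct if every node's application pool runs as this account"
            }
        }
        default { "$spn : DUPLICATE on $($owners.Name -join ', ') - Kerberos cannot choose a key; remove all but one" }
    }
}

# The KB says to register an HTTP SPN, not a HOST SPN, for the virtual name.
# A HOST/<vip> entry on any account is therefore a probable mistake.
Get-ADObject -Filter "servicePrincipalName -eq 'HOST/$vip'" |
    ForEach-Object { "HOST/$vip found on $($_.Name) - should be HTTP/$vip" }
```

The same check can be run with setspn -Q HTTP/www.corp.example (query) and setspn -X (forest-wide duplicate search); the script adds the owner-type test that tells a single-node computer account apart from the shared service account the white paper calls for.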

Visit the following Microsoft Web site to view the "Kerberos authentication for load balanced web sites" white paper:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/kerbnlb.mspx



For additional information about network load balancing, visit the following Microsoft Web site:

http://technet2.microsoft.com/WindowsServer/en/Library/a7bd4b54-2271-4cfb-9a97-3c150227b5111033.mspx



For more information about the Kerberos authentication protocol, see the following RFC Web site:

RFC 1510
http://www.ietf.org/rfc/rfc1510.txt

Author Name: administrator