Allow a computer to be trusted for delegation for specific services
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To allow a computer to be trusted for delegation for specific services
Open Active Directory Users and Computers.
In the console tree, click Computers.
Where?
- DomainName/Computers
In the details pane, right-click the computer you want to trust for delegation and then click Properties.
On the Delegation tab, click Trust this computer for delegation to specified services only.
Do one of the following:
Confirm that Use Kerberos only is selected.
Click Use any authentication protocol.
Click Add and, in Add Services, click Users and Computers.
In Enter the object names to select (examples), type the name of the user or computer that the computer will be trusted to delegate for, and then click OK.
In Add Services, click the service or services that will be trusted for delegation and click OK. Repeat this step as necessary.
Notes
To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
If you cannot see the Delegation tab, do one or both of the following:
Register a Service Principal Name (SPN) for the computer account using the Setspn utility in the support tools that are on your CD. Delegation is only intended to be used by service accounts, which should have registered SPNs, as opposed to a regular user account which typically does not have SPNs.
Raise the functional level of your domain to Windows Server 2003 . For more information, see Related Topics.
Constrained delegation, delegation of authentication for only specified services, can only be enabled on a member of the Windows Server 2003 family.
Information about functional differences
- Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.
See Also
Concepts
Delegating authentication
Allow a computer to be trusted for delegation
Domain and forest functionality
Raise the domain functional level