Delegation


Delegation is the next step up from impersonation. Rather than just being able to access local resources on behalf of the client, delegation supports the accessing of remote resources on behalf of the client. Indeed, there's no limit to how many computers you can delegate your account to, so long as they are configured correctly.

Delegation is supported in Windows 2000 only, and only when the Kerberos authentication protocol is used, which requires Active Directory. The key to delegation is the concept of delegatable or forwardable tickets. Refer to Chapter 14 for more information about Kerberos and tickets.

Supporting Delegation

The following three sections describe the steps and settings required to support delegation.

Step 1: Verify that the user's account can be delegated

The Account Is Sensitive And Cannot Be Delegated option on each user account in question must not be checked. This is a property of the user's account object in Active Directory, as shown in Figure 3-12. You can verify this setting by performing the following steps:

  1. Open the Active Directory Users And Groups tool.
  2. Right-click the User object in question.
  3. Choose Properties from the context menu.
  4. Click the Account tab.
  5. Scroll down until you see Account Is Sensitive And Cannot Be Delegated in the Account Options box.
  6. Make sure the option is not checked.

Figure 3-12. Verifying that the user's account can be delegated.

Step 2: Verify that the application account can act as a delegate

If you're running a service or application under an account other than LocalSystem, you need to verify that the account is permitted to act as a delegate, as shown in Figure 3-13:

  1. Open the Active Directory Users And Groups tool.
  2. Right-click the User object in question.
  3. Choose Properties from the context menu.
  4. Click the Account tab.
  5. Scroll down until you see Account Is Trusted For Delegation in the Account Options box.
  6. Make sure the option is checked.

Figure 3-13. Verifying that an account can be used to delegate other credentials.

NOTE
You do not need to perform this step if the service is running as LocalSystem, because this account automatically supports the trusted for delegation capability. You can verify the account under which the service is running in the Services tool.

Step 3: Verify that all computers are trusted for delegation

You also need to make sure that all computers used within the distributed application are trusted for delegation. For example, if you want to delegate credentials across four servers running Windows 2000, each of these must be configured as trusted for delegation. To configure a computer as trusted for delegation, do the following:

  1. Open the Active Directory Users And Computers tool.
  2. Expand the Domain Name node.
  3. Expand the Computers node.
  4. Right-click the computer you want to configure.
  5. Choose Properties from the context menu.
  6. Check the Computer Is Trusted For Delegation option.

CAUTION
Delegation is a very powerful feature and is disabled by default. Computers and user accounts that are trusted for delegation should be under controlled access to prevent misuse of delegation to make network connections on behalf of users or computers.

In summary, delegation works in a distributed application only if the following is true:

  • Active Directory and Windows 2000 are being used.
  • All computer and user accounts are in the same domain or in a trusted domain.
  • The user account being delegated is not marked as sensitive.
  • The account under which any services or processes that handle the user's requests are running is configured as trusted to delegate the user's credentials.
  • All computers involved in the distributed application must be marked as trusted for delegation, except the first and last computers in the chain.

Delegation will fail if any of these aspects are not set correctly. Figure 3-14 outlines the required settings.


Figure 3-14. Settings required for Kerberos delegation to work.
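The checklist above maps directly onto bits of the userAccountControl attribute that the Account tab and Computer properties toggle: Account Is Sensitive And Cannot Be Delegated sets ADS_UF_NOT_DELEGATED (0x100000), and Account/Computer Is Trusted For Delegation sets ADS_UF_TRUSTED_FOR_DELEGATION (0x80000). The following audit routine is an added example, not code from the book; it evaluates the five prerequisites in the summary against a constructed directory export rather than a live Active Directory, and the account names, domain names and the chain layout (client first, final resource last, with LocalSystem services modelled as None) are assumptions made for the example.

```python
"""Audit the Kerberos delegation prerequisites listed in the summary against
directory records. Sample data below is constructed, not a real directory."""

# userAccountControl bits (ADS_USER_FLAG_ENUM in the Windows SDK).
ADS_UF_NORMAL_ACCOUNT = 0x200
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000    # "(Account|Computer) Is Trusted For Delegation"
ADS_UF_NOT_DELEGATED = 0x100000            # "Account Is Sensitive And Cannot Be Delegated"

# Constructed sample export: sAMAccountName -> attributes an LDAP dump would carry.
SAMPLE_DIRECTORY = {
    "alice":     {"objectClass": "user",     "domain": "corp.example",
                  "userAccountControl": ADS_UF_NORMAL_ACCOUNT},
    "bob":       {"objectClass": "user",     "domain": "corp.example",
                  "userAccountControl": ADS_UF_NORMAL_ACCOUNT | ADS_UF_NOT_DELEGATED},
    "svc_web":   {"objectClass": "user",     "domain": "corp.example",
                  "userAccountControl": ADS_UF_NORMAL_ACCOUNT | ADS_UF_TRUSTED_FOR_DELEGATION},
    "svc_mid":   {"objectClass": "user",     "domain": "corp.example",
                  "userAccountControl": ADS_UF_NORMAL_ACCOUNT},
    "CLIENT1$":  {"objectClass": "computer", "domain": "corp.example",
                  "userAccountControl": ADS_UF_WORKSTATION_TRUST_ACCOUNT},
    "WEB1$":     {"objectClass": "computer", "domain": "corp.example",
                  "userAccountControl": ADS_UF_WORKSTATION_TRUST_ACCOUNT | ADS_UF_TRUSTED_FOR_DELEGATION},
    "APP1$":     {"objectClass": "computer", "domain": "corp.example",
                  "userAccountControl": ADS_UF_WORKSTATION_TRUST_ACCOUNT | ADS_UF_TRUSTED_FOR_DELEGATION},
    "APP2$":     {"objectClass": "computer", "domain": "corp.example",
                  "userAccountControl": ADS_UF_WORKSTATION_TRUST_ACCOUNT},
    "SQL1$":     {"objectClass": "computer", "domain": "corp.example",
                  "userAccountControl": ADS_UF_WORKSTATION_TRUST_ACCOUNT},
    "PARTNER1$": {"objectClass": "computer", "domain": "partner.example",
                  "userAccountControl": ADS_UF_WORKSTATION_TRUST_ACCOUNT | ADS_UF_TRUSTED_FOR_DELEGATION},
}


def is_sensitive(uac):
    """True when the account is marked sensitive and cannot be delegated."""
    return bool(uac & ADS_UF_NOT_DELEGATED)


def is_trusted_for_delegation(uac):
    """True when the account or computer is trusted for delegation."""
    return bool(uac & ADS_UF_TRUSTED_FOR_DELEGATION)


def audit_delegation(directory, user, chain, services, trusted_domains=frozenset()):
    """Return the list of violated prerequisites; an empty list means delegation can work.

    user     -- sAMAccountName of the client whose credentials are delegated
    chain    -- computer names in order: client first, final resource last
    services -- {computer: service account name, or None when it runs as LocalSystem}
    """
    problems = []
    home = directory[user]["domain"]

    def in_scope(name):
        # Same domain as the user, or a domain the caller lists as trusted.
        dom = directory[name]["domain"]
        return dom == home or dom in trusted_domains

    if is_sensitive(directory[user]["userAccountControl"]):
        problems.append(f"{user}: Account Is Sensitive And Cannot Be Delegated is set")

    for comp in chain:
        if not in_scope(comp):
            problems.append(f"{comp}: not in the user's domain or a trusted domain")

    # Every computer except the first and last must be trusted for delegation.
    for comp in chain[1:-1]:
        if not is_trusted_for_delegation(directory[comp]["userAccountControl"]):
            problems.append(f"{comp}: Computer Is Trusted For Delegation is not set")

    # Every service account handling the user's requests must be trusted;
    # LocalSystem (None) needs no separate account setting per the NOTE above.
    for comp, acct in services.items():
        if acct is None:
            continue
        if not in_scope(acct):
            problems.append(f"{acct} (service on {comp}): not in a trusted domain")
        if not is_trusted_for_delegation(directory[acct]["userAccountControl"]):
            problems.append(f"{acct} (service on {comp}): Account Is Trusted For Delegation is not set")
    return problems


if __name__ == "__main__":
    chain = ["CLIENT1$", "WEB1$", "APP2$", "SQL1$"]
    services = {"WEB1$": "svc_web", "APP2$": "svc_mid"}
    for issue in audit_delegation(SAMPLE_DIRECTORY, "alice", chain, services):
        print("FAIL:", issue)
```

Running the block as a script prints the two misconfigurations in the constructed chain (APP2$ is not trusted for delegation and svc_mid is not trusted to delegate); replacing APP2$ with APP1$ and svc_mid with a LocalSystem service yields no findings. In a real audit the directory dict would be populated from an LDAP export of userAccountControl rather than constructed inline.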

NOTE
Don't confuse the term delegation as it relates to delegation of authentication with administrative delegation in Active Directory. The former is what we've been discussing; the latter relates to controlled delegation of control over users, groups, policy, and so forth. Administrative delegation disseminates the administrator's workload without granting dangerous privileges to delegates. There are two wizards available to make delegation easier: the Delegate Administration wizard in the Active Directory Users And Computers tool, and the Delegation Of Control wizard in the Active Directory Sites And Services tool.

Designing Secure Web-Based Applications for Microsoft Windows 2000 with CDROM
Year: 1999
Pages: 138