Delegation is the next step up from impersonation. Whereas impersonation lets a server access only local resources on behalf of the client, delegation lets it access remote resources on the client's behalf as well. There is no limit to the number of computers across which your credentials can be delegated, so long as each of them is configured correctly.
Delegation is supported in Windows 2000 only, and only when the Kerberos authentication protocol is used (NTLM cannot delegate), which in turn requires Active Directory. The key to delegation is the concept of delegatable, or forwardable, tickets. Refer to Chapter 14 for more information about Kerberos and tickets.
The following three sections describe the steps and settings required to support delegation.
The Account Is Sensitive And Cannot Be Delegated option on each user account in question must not be checked. This is a property of the user's account object in Active Directory, as shown in Figure 3-12. You can verify this setting by performing the following steps:
Figure 3-12. Verifying that the user's account can be delegated.
If you're running a service or application under an account other than LocalSystem, you need to verify that the account is permitted to act as a delegate, as shown in Figure 3-13:
Figure 3-13. Verifying that an account can be used to delegate other credentials.
NOTE
You do not need to perform this step if the service is running as LocalSystem, because a service running as LocalSystem authenticates on the network with the computer's own account, and the computer account's trusted-for-delegation setting (described next) is what applies. You can verify the account under which the service is running in the Services tool.
You also need to make sure that all computers used within the distributed application are trusted for delegation. For example, if you want to delegate credentials across four servers running Windows 2000, each of these must be configured as trusted for delegation. To configure a computer as trusted for delegation, do the following:
CAUTION
Delegation is a very powerful feature and is disabled by default. In Windows 2000 it is unconstrained: a computer trusted for delegation obtains a forwardable ticket-granting ticket for every user who authenticates to it and can use that ticket against any service in the domain. Computers and user accounts that are trusted for delegation should therefore be under controlled access to prevent the misuse of delegation to make network connections on behalf of users or computers.
In summary, delegation works in a distributed application only if the following is true:
Delegation will fail if any of these aspects are not set correctly. Figure 3-14 outlines the required settings.
Figure 3-14. Settings required for Kerberos delegation to work.
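The three settings summarized above correspond to bits of the userAccountControl attribute on the user, service-account and computer objects in Active Directory. The following audit script, an added example that is not from the book, checks all three for a hypothetical distributed application. The directory contents (account names, hosts, flag values) are constructed sample data, not read from a live domain; the flag constants are the documented userAccountControl bits.

```python
"""Audit the prerequisites for Windows 2000 Kerberos delegation.

Added example with constructed sample data, not code from the book.
"""

# Documented userAccountControl bits.
ADS_UF_NORMAL_ACCOUNT            = 0x200     # ordinary user account
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000    # computer account
ADS_UF_TRUSTED_FOR_DELEGATION    = 0x80000   # "Trust ... for delegation" (Figures 3-13 and 3-14)
ADS_UF_NOT_DELEGATED             = 0x100000  # "Account is sensitive and cannot be delegated" (Figure 3-12)

LOCAL_SYSTEM = "LocalSystem"

# Constructed sample directory: sAMAccountName -> userAccountControl value,
# shaped like what an LDAP read of the attribute would return.
DIRECTORY = {
    # users
    "alice":      ADS_UF_NORMAL_ACCOUNT,                         # delegation allowed
    "ceo":        ADS_UF_NORMAL_ACCOUNT | ADS_UF_NOT_DELEGATED,  # marked sensitive
    # service accounts
    "svc_web":    ADS_UF_NORMAL_ACCOUNT | ADS_UF_TRUSTED_FOR_DELEGATION,
    "svc_report": ADS_UF_NORMAL_ACCOUNT,                         # not trusted for delegation
    # computer accounts
    "WEB1$":      ADS_UF_WORKSTATION_TRUST_ACCOUNT | ADS_UF_TRUSTED_FOR_DELEGATION,
    "APP1$":      ADS_UF_WORKSTATION_TRUST_ACCOUNT | ADS_UF_TRUSTED_FOR_DELEGATION,
    "DB1$":       ADS_UF_WORKSTATION_TRUST_ACCOUNT,              # not trusted for delegation
}


def uac(name):
    """Return the userAccountControl value of an account, failing loudly if absent."""
    try:
        return DIRECTORY[name]
    except KeyError:
        raise KeyError(f"no account named {name!r} in the sample directory")


def audit_delegation(client_user, service_accounts, computers):
    """Return a list of problems that would make delegation fail.

    client_user:      the user whose credentials are to be delegated.
    service_accounts: mapping host -> account the service on that host runs as.
                      A service running as LocalSystem uses the host's computer
                      account, so only the computer account's flag matters there.
    computers:        every computer in the distributed application.
    An empty list means all three required settings are in place.
    """
    problems = []

    # 1. The user must not be marked "sensitive and cannot be delegated".
    if uac(client_user) & ADS_UF_NOT_DELEGATED:
        problems.append(
            f"user {client_user}: 'Account is sensitive and cannot be delegated' is set")

    # 2. Every computer in the application must be trusted for delegation.
    for host in computers:
        if not uac(host + "$") & ADS_UF_TRUSTED_FOR_DELEGATION:
            problems.append(f"computer {host}: not trusted for delegation")

    # 3. Services running under an account other than LocalSystem need that
    #    account to be trusted for delegation as well.
    for host, account in service_accounts.items():
        if account == LOCAL_SYSTEM:
            continue  # covered by the computer account check above
        if not uac(account) & ADS_UF_TRUSTED_FOR_DELEGATION:
            problems.append(
                f"service account {account} on {host}: not trusted for delegation")

    return problems


if __name__ == "__main__":
    for user in ("alice", "ceo"):
        result = audit_delegation(
            user,
            {"WEB1": "svc_report", "APP1": LOCAL_SYSTEM, "DB1": LOCAL_SYSTEM},
            ["WEB1", "APP1", "DB1"])
        print(user, "->", "delegation possible" if not result else result)
```

Against a real domain the same bit tests apply to the userAccountControl attribute read over LDAP, and the script reports every missing setting rather than stopping at the first, which matches the failure mode described above: delegation fails if any one of the settings is wrong.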
NOTE
Don't confuse the term delegation as it relates to delegation of authentication with administrative delegation in Active Directory. The former is what we've been discussing; the latter relates to controlled delegation of control over users, groups, policy, and so forth. Administrative delegation disseminates the administrator's workload without granting dangerous privileges to delegates. There are two wizards available to make administrative delegation easier: the Delegate Administration wizard in the Active Directory Users And Computers tool, and the Delegation Of Control wizard in the Active Directory Sites And Services tool.