7/26/2004 1:30:35 PM
How To Configure Delegation Via Security Policy

A domain administrator can enable a server process to delegate client credentials by designating the account under which that process runs as trusted for delegation. If the account is a custom user account, say DOMA\Bob, the administrator for DOMA configures the Bob account this way. On the other hand, if the server process is configured to run as either Network Service or SYSTEM, the server is using the machine's credentials and therefore the administrator needs to grant delegation privileges to the computer account for the computer where that server process runs.

On Windows 2000, delegation is a binary choice. Either you allow a principal to delegate client credentials or you don't. To configure a computer account for delegation, bring up the Active Directory Users and Computers console and drill down into a domain's Computers folder. The delegation setting is on the General tab of the property page for the computer account. It's a checkbox with a big warning sign next to it (see WhatIsDelegation to learn why delegation can be dangerous). To configure a user account (like DOMA\Bob), just bring up its property sheet and go to the Account tab. Scroll around until you find a checkbox that says "Account is trusted for delegation." While you're there, notice a checkbox that says "Account is sensitive and cannot be delegated." This is a client-side setting that I discussed in WhatIsDelegation. Accounts that have this flag set will never be issued "forwardable" tickets. That is to say, the domain authority will never allow their credentials to be delegated, even by servers marked as trusted for delegation. It's too bad that this setting can't be applied to groups! As it stands, it's a really good idea to mark all highly privileged accounts (such as domain administrator accounts) with this flag to prevent the misuse of powerful credentials on the network.
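Because the "sensitive" flag can't be applied to a group, keeping it set on every privileged account is an ongoing chore. The script below is an added example, not code from the book: it walks the members of the built-in administrative groups, reports which accounts still lack the flag, and offers to set it. It assumes the ActiveDirectory PowerShell module (part of RSAT, which post-dates this page) and a domain you can query; the two checkboxes described above correspond to the userAccountControl bits NOT_DELEGATED (0x100000) and TRUSTED_FOR_DELEGATION (0x80000).

```powershell
# Added example (not from the page): find highly privileged accounts that are
# NOT marked "Account is sensitive and cannot be delegated", then set the flag.
# Assumes the ActiveDirectory module (RSAT) and rights to read/modify accounts.
Import-Module ActiveDirectory

# userAccountControl bit values from the AD schema.
$TRUSTED_FOR_DELEGATION = 0x80000    # the Windows 2000 "trusted for delegation" checkbox
$NOT_DELEGATED          = 0x100000   # the "sensitive and cannot be delegated" checkbox

# Built-in groups whose members hold powerful credentials.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Expand nested membership; keep only user objects (ignore groups/computers).
$members = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
}

# One row per account, de-duplicated across groups, with both flags decoded.
$report = $members | Sort-Object distinguishedName -Unique | ForEach-Object {
    $u = Get-ADUser -Identity $_.distinguishedName -Properties userAccountControl
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Sensitive            = [bool]($u.userAccountControl -band $NOT_DELEGATED)
        TrustedForDelegation = [bool]($u.userAccountControl -band $TRUSTED_FOR_DELEGATION)
    }
}

# Accounts that a delegating server could still impersonate on the network.
$unprotected = $report | Where-Object { -not $_.Sensitive }
$unprotected | Format-Table -AutoSize

# Remediation: set the flag. -WhatIf shows what would change; drop it to apply.
$unprotected | ForEach-Object {
    Set-ADAccountControl -Identity $_.SamAccountName -AccountNotDelegated $true -WhatIf
}
```

A privileged account that also shows TrustedForDelegation = True deserves a second look: that combination means the account runs a service that forwards other people's credentials while its own can be forwarded too, which is the opposite of what the paragraph above recommends.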

On Windows Server 2003 things look a lot different. Instead of just a checkbox, there's now a full page of delegation options (I showed this in WhatIsDelegation). If you bring up a computer account in a Windows Server 2003 domain that's running in Windows Server 2003 native mode (as opposed to Windows 2000 mixed mode), you'll see a tab called Delegation that looks like the one I showed in WhatIsDelegation. There are three radio buttons: the first turns off delegation; the second enables the Windows 2000 form of delegation, not constrained in space; and the third enables the extended form of delegation (Brown 2003) implemented by Windows Server 2003 domains. If you choose this third option, you need to add a list of service principal names (SPNs) (WhatIsAServicePrincipalNameSPN) to which this server may delegate client credentials. User accounts don't have the Delegation tab unless they have been assigned at least one SPN, so be sure to add an SPN for your middle-tier server (HowToUseServicePrincipalNames) before trying to configure delegation for its user account.
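The same three-way choice can be made without the property sheet. The script below is an added example, not code from the book: it takes a custom middle-tier account through the prerequisite SPN, selects the third radio button by writing the allowed-to-delegate-to list, makes sure the Windows 2000 style bit is cleared, and finally lists every account in the domain still sitting on the second radio button. It assumes the ActiveDirectory module (RSAT, which post-dates this page); the account name DOMA\Bob is the page's own, while the host names and SPNs are placeholders.

```powershell
# Added example (not from the page): configure Windows Server 2003 delegation
# for a custom service account and audit for unconstrained delegation.
# Assumes the ActiveDirectory module (RSAT); hosts and SPNs are placeholders.
Import-Module ActiveDirectory

$serviceAccount = 'Bob'                               # DOMA\Bob, the middle-tier account
$middleTierSpn  = 'HTTP/web01.doma.example'           # SPN registered for the middle tier itself
$backendSpns    = 'MSSQLSvc/sql01.doma.example:1433', # services Bob may delegate to
                  'HOST/files01.doma.example'

# 1. The Delegation tab only appears once the account owns at least one SPN,
#    so register the middle tier's SPN first (setspn -S does the same thing).
$acct = Get-ADUser -Identity $serviceAccount -Properties servicePrincipalName
if ($acct.servicePrincipalName -notcontains $middleTierSpn) {
    Set-ADUser -Identity $serviceAccount -ServicePrincipalNames @{Add = $middleTierSpn}
}

# 2. Third radio button: the list of targets lives in msDS-AllowedToDelegateTo.
#    -Replace overwrites the whole list, so the account ends up with exactly
#    these targets and nothing left over from earlier configuration.
Set-ADUser -Identity $serviceAccount -Replace @{'msDS-AllowedToDelegateTo' = $backendSpns}

# 3. The second radio button is the TRUSTED_FOR_DELEGATION bit (0x80000). It
#    must be off, otherwise the account can delegate to any service at all
#    regardless of the list written in step 2.
Set-ADAccountControl -Identity $serviceAccount -TrustedForDelegation $false

# 4. Verify the result.
Get-ADUser -Identity $serviceAccount -Properties 'msDS-AllowedToDelegateTo', userAccountControl |
    Select-Object SamAccountName, 'msDS-AllowedToDelegateTo',
        @{ n = 'Unconstrained'; e = { [bool]($_.userAccountControl -band 0x80000) } }

# 5. Audit: every user or computer (computer is a subclass of user in the
#    schema) still on the second radio button. The LDAP bitwise-AND matching
#    rule 1.2.840.113556.1.4.803 tests the 0x80000 (524288) bit.
$filter = '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=524288))'
Get-ADObject -LDAPFilter $filter -Properties sAMAccountName |
    Select-Object sAMAccountName, objectClass, distinguishedName
```

Domain controllers have the unconstrained bit set by design, so they will appear in the step 5 listing; anything else in that output is a server that can forward client credentials to any service and is a candidate for moving to the constrained form.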

Programmatically, using delegation is easy. Just impersonate your client (HowToImpersonateAUserGivenHerToken) and then you can authenticate with any of the servers in your "allowed-to-delegate-to" list. Just realize that those servers see the client's security information, not yours.

PortedBy HaroldHsu


Keith's first book-in-a-wiki. If you would like to read the book online or order a physical copy to throw at annoying coworkers, surf to the HomePage. Please note that due to overwhelming wikispam, this particular wiki is no longer editable.
