
How To—Implement Kerberos Delegation for Windows 2000

Overview

By default, the Microsoft® Windows® 2000 operating system uses the Kerberos protocol for authentication. This How To describes how to configure Kerberos delegation, a powerful feature that allows a server, while impersonating a client, to access remote resources on behalf of the client.

Important: 

Delegation is a very powerful feature and is unconstrained on Windows 2000: a server that is trusted for delegation can use the credentials of any delegable client to authenticate to any service in the forest, not just to the resource the application needs. It should be used with caution. Computers that are configured to support delegation should be under controlled access, both physical and administrative, to prevent misuse of this feature.

Windows .NET Server (released as Windows Server 2003) will support a constrained delegation feature that limits delegation to a specified set of services.

When a server impersonates a client that authenticated with Kerberos (NTLM authentication never yields a delegable token), the impersonation token is at delegation level (it can be used to respond to network authentication challenges from remote computers) only if both of the following conditions are met:

  1. The client account that is being impersonated does not have the "Account is sensitive and cannot be delegated" option set in the Microsoft Active Directory® directory service.

  2. The server process account (the user account under which the server process is running, or the computer account if the process is running under the local SYSTEM account) is marked as trusted for delegation in Active Directory ("Trust computer for delegation" on a computer account, "Account is trusted for delegation" on a user account).

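Both conditions are bits of the userAccountControl attribute of the respective account, so they can be evaluated, and the set of delegation-trusted accounts that must be kept under controlled access can be enumerated, without opening Users and Computers. The following is an added example, not code from the How To: it evaluates the two conditions over a constructed set of sample accounts and builds the LDAP bitwise-match filter an auditor would run against the directory. The account names and userAccountControl values are constructed; the flag constants and the matching-rule OID are the real Active Directory values.

```python
# Added example (not from the Microsoft How To): decide whether impersonation
# yields a delegate-level token from userAccountControl bits, and build the LDAP
# filter that lists every account trusted for (unconstrained) delegation.
# The sample records below are constructed; in a real environment the same
# values come from the userAccountControl attribute of each account.

# userAccountControl flag values (ADS_USER_FLAG_ENUM)
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000    # "Trust computer/account for delegation"
ADS_UF_NOT_DELEGATED = 0x100000            # "Account is sensitive and cannot be delegated"

# LDAP extensible-match rule: bitwise AND on integer attributes
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Constructed sample directory records: sAMAccountName -> userAccountControl
SAMPLE_ACCOUNTS = {
    "alice":      ADS_UF_NORMAL_ACCOUNT,                                    # ordinary user
    "da-admin":   ADS_UF_NORMAL_ACCOUNT | ADS_UF_NOT_DELEGATED,             # protected admin
    "WEBSRV01$":  ADS_UF_WORKSTATION_TRUST_ACCOUNT | ADS_UF_TRUSTED_FOR_DELEGATION,
    "FILESRV01$": ADS_UF_WORKSTATION_TRUST_ACCOUNT,                         # not trusted
    "svc-web":    ADS_UF_NORMAL_ACCOUNT | ADS_UF_TRUSTED_FOR_DELEGATION,    # service account
    "old-svc":    ADS_UF_NORMAL_ACCOUNT | ADS_UF_TRUSTED_FOR_DELEGATION | ADS_UF_ACCOUNTDISABLE,
}


def can_be_delegated(uac):
    """Condition 1: the impersonated client is not marked sensitive."""
    return not (uac & ADS_UF_NOT_DELEGATED)


def is_trusted_for_delegation(uac):
    """Condition 2: the server process account is trusted for delegation."""
    return bool(uac & ADS_UF_TRUSTED_FOR_DELEGATION)


def server_process_account(process_identity, computer_account):
    """The account whose delegation flag matters: the process identity, or the
    computer account when the process runs as the local SYSTEM account."""
    return computer_account if process_identity.upper() == "SYSTEM" else process_identity


def delegate_token_possible(client, server, accounts=SAMPLE_ACCOUNTS):
    """True when impersonating `client` in a process running as `server` yields a
    delegate-level token, i.e. both conditions hold."""
    return can_be_delegated(accounts[client]) and is_trusted_for_delegation(accounts[server])


def delegation_trusted_filter():
    """LDAP filter for every enabled account trusted for delegation. On Windows 2000
    these are the hosts/identities that must be kept under controlled access."""
    return ("(&(userAccountControl:{rule}:={trusted})"
            "(!(userAccountControl:{rule}:={disabled})))").format(
                rule=LDAP_MATCHING_RULE_BIT_AND,
                trusted=ADS_UF_TRUSTED_FOR_DELEGATION,
                disabled=ADS_UF_ACCOUNTDISABLE)


def audit_delegation_trusted(accounts=SAMPLE_ACCOUNTS):
    """Same logic as the filter, applied locally to the sample records."""
    return sorted(name for name, uac in accounts.items()
                  if is_trusted_for_delegation(uac) and not (uac & ADS_UF_ACCOUNTDISABLE))


if __name__ == "__main__":
    # A web server process running as SYSTEM: the computer account decides.
    srv = server_process_account("SYSTEM", "WEBSRV01$")
    for client in ("alice", "da-admin"):
        print(client, "->", srv, "delegate token:", delegate_token_possible(client, srv))
    print("LDAP filter:", delegation_trusted_filter())
    print("trusted for delegation:", audit_delegation_trusted())
```

The filter string can be passed as-is to ldifde or any LDAP client; the decision function is the same test the KDC and LSA apply, which makes it useful for explaining why a particular double-hop call fails (sensitive client, or server account not trusted) before touching any checkbox.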
