Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

 

patterns & practices Developer Center

How To: Implement Kerberos Delegation for Windows 2000

J.D. Meier, Alex Mackman, Michael Dunner, and Srinath Vasireddy
Microsoft Corporation

Published: November 2002

Last Revised: January 2006

Applies to:

  • Microsoft® Windows® 2000 Server

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

See the Landing Page for a starting point and complete overview of Building Secure ASP.NET Applications.

Summary: Kerberos delegation allows you to flow an authenticated identity across multiple physical tiers of an application to support downstream authentication and authorization. This How To shows you the configuration steps required to make this work. (3 printed pages)

Contents

Notes
Summary of Steps
Step 1. Confirm That the Client Account Is Configured for Delegation
Step 2. Confirm That the Server Process Account Is Trusted for Delegation
Additional Resources

By default, the Microsoft Windows 2000 operating system uses the Kerberos protocol for authentication. This How To describes how to configure Kerberos delegation, a powerful feature that allows a server, while impersonating a client, to access remote resources on behalf of the client.

Important   Delegation is a very powerful feature and is unconstrained on Windows 2000. It should be used with caution. Computers that are configured to support delegation should be under controlled access to prevent misuse of this feature.

Windows Server 2003 will support a constrained delegation feature.

When a server impersonates a client, Kerberos authentication generates a delegate-level token (capable of being used to respond to network authentication challenges from remote computers) if the following conditions are met:

  1. The client account that is being impersonated is not marked with Account is sensitive and cannot be delegated in Microsoft Active Directory® directory service.
  2. The server process account (the user account under which the server process is running, or the computer account if the process is running under the local SYSTEM account) is marked as trusted for delegation in Active Directory.

Notes

  • For Kerberos delegation to be successful, all computers (clients and servers) must be part of a single Active Directory forest.

  • If you impersonate within serviced components and want to flow the caller's context through an Enterprise Services application, the application server that hosts Enterprise Services must have Hotfix Rollup 18.1 or greater.

    For more information, see INFO: Availability of Windows 2000 Post-Service Pack 2 COM+ Hotfix Rollup Package 18.1.

Summary of Steps

This How To includes the following steps:

  • Step 1. Confirm That the Client Account Is Configured for Delegation
  • Step 2. Confirm That the Server Process Account Is Trusted for Delegation

Step 1. Confirm That the Client Account Is Configured for Delegation

This procedure ensures that the client account is capable of being delegated.

To confirm that the client account is configured for delegation

  1. Log onto the domain controller using an administrator account.
  2. On the taskbar, click the Start button, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  3. Under your domain, click the Users folder.
  4. Right-click the user account that is to be delegated, and then click Properties.
  5. Click the Account tab.
  6. Within the Account options list, make sure Account is sensitive and cannot be delegated is not selected.
  7. Click OK to close the Properties dialog box.

Step 2. Confirm That the Server Process Account Is Trusted for Delegation

This procedure ensures that the account used to run the server process (the process that performs impersonation) is allowed to delegate client accounts. You must configure the user account under which the server process runs, or, if the process runs under the local SYSTEM account, you must configure the computer account. Perform the appropriate procedure that follows, depending on whether your server process runs under a Windows user account or the local SYSTEM account.

To confirm that the server process account is trusted for delegation if the server process runs under a Windows user account

  1. Within the Users folder of Active Directory Users and Computers, right-click the user account that is used to run the server process that will impersonate the client, and then click Properties.
  2. Click the Account tab.
  3. Within the Account options list, click Account is trusted for delegation.

To confirm that the server process account is trusted for delegation if the server process runs under the local SYSTEM account

  1. Right-click the Computers folder within Active Directory Users and Computers, and then click Properties.
  2. Right-click the server computer (where the process that impersonates the client will be running), and then click Properties.
  3. On the General page, click Trust computer for delegation.
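The two GUI settings above are bits in each account's userAccountControl attribute, so they can be verified and audited from the command line. The following script is an added example, not part of the original How To; it assumes a modern domain-joined workstation with PowerShell (Windows 2000 itself did not ship with it), an account with read access to Active Directory, and the constructed sample names alice and WEBSRV01$.

```powershell
# Added example, not part of the original How To. Reads the userAccountControl
# bits that the GUI steps above set, so the two delegation conditions can be
# verified (and audited) from the command line. Assumes a domain-joined host,
# an account with read access to Active Directory, and the sample names below.
$TRUSTED_FOR_DELEGATION = 0x80000   # "Account is trusted for delegation" / "Trust computer for delegation"
$NOT_DELEGATED          = 0x100000  # "Account is sensitive and cannot be delegated"
$LDAP_BIT_AND           = '1.2.840.113556.1.4.803'  # LDAP_MATCHING_RULE_BIT_AND

function Get-DelegationStatus {
    param(
        # sAMAccountName of the client account or the server process account;
        # computer accounts end in '$'. Wildcards, parentheses and backslashes
        # are rejected so the value cannot alter the LDAP filter.
        [Parameter(Mandatory)] [ValidatePattern('^[^*()\\]+$')] [string] $SamAccountName
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(sAMAccountName=$SamAccountName)"
    [void]$searcher.PropertiesToLoad.AddRange(@('userAccountControl', 'distinguishedName'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found in Active Directory." }
    $uac = [int]$result.Properties['useraccountcontrol'][0]
    [pscustomobject]@{
        Account              = $result.Properties['distinguishedname'][0]
        UserAccountControl   = ('0x{0:X}' -f $uac)
        CanBeDelegated       = (($uac -band $NOT_DELEGATED) -eq 0)           # Step 1 condition
        TrustedForDelegation = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)  # Step 2 condition
    }
}

# Lists every user and computer account in the domain that is trusted for
# (unconstrained) delegation: the set the "Important" note above says must be
# kept under controlled access.
function Get-AccountsTrustedForDelegation {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(userAccountControl:$LDAP_BIT_AND:=$TRUSTED_FOR_DELEGATION)"
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}

# Constructed sample names: the impersonated client and the server's computer
# account (used when the server process runs under the local SYSTEM account).
Get-DelegationStatus -SamAccountName 'alice'
Get-DelegationStatus -SamAccountName 'WEBSRV01$'
Get-AccountsTrustedForDelegation
```

Delegation works only when the client account reports CanBeDelegated as True and the server process account (or its computer account) reports TrustedForDelegation as True; the second function gives the list to review periodically.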

Additional Resources

© Microsoft Corporation. All rights reserved.