Allow a user to be trusted for delegation for specific services
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
To allow a user to be trusted for delegation for specific services
Open Active Directory Users and Computers.
In the console tree, click Users.
Right-click the user you want to be trusted for delegation, and click Properties.
Click the Delegation tab and click Trust this user for delegation to specified services only.
Select Use Kerberos only (default) or select Use any authentication protocol, where the initial client-to-server authentication protocol can be any protocol supported by the Windows Server 2003 local security authority. Typically, this could be NTLM, SSL client certificate mapping or Digest.
Click Add and, in Add Services click Users and Computers.
In Select Users or Computers, enter the name of the user or computer that the user will be trusted to delegate for.
In Add Services, select the service or services that will be trusted for delegation and click OK. Repeat as necessary.
To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
If you cannot see the Delegation tab, do one or both of the following:
Register a Service Principal Name (SPN) for the user account with the Setspn utility in the support tools on your CD. Delegation is only intended to be used by service accounts, which should have registered SPNs, as opposed to a regular user account which typically does not have SPNs.
Raise the functional level of your domain to Windows Server 2003 . For more information, see Related Topics.
Constrained delegation, which is trusting a computer for delegation of specified services, can only be enabled for a computer in a Windows Server 2003 domain.
Information about functional differences
- Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. For more information, see Viewing Help on the Web.