Services for User to Self Configuration

Applies To: Windows Server 2008

Services for User to Self (S4USelf) provides the ability for a service to request a Kerberos ticket on behalf of a user account.


Event ID Source Message



The account %1 from domain %2 is attempting to use S4USelf for the target client %3, but is not allowed to perform group expansion on this client's user object. It may be necessary to adjust the ACL on the TokenGroupsGlobalAndUniversal attribute on the target client's user object to allow S4USelf to function correctly. This can also be accomplished by adding %1 to the Windows Authorization Access Group.

Kerberos Key Distribution Center

Core Security