Constrained Delegation (using Kerberos) for a Service to be trusted for Delegation

    Question

  • In the POC we are trying, a Service impersonates a user in order to be able to access a file on the file system.

    The POC is from link http://code.msdn.microsoft.com/windowsdesktop/CppWindowsService-cacf4948.

    We have been trying constrained delegation as per the link http://msdn.microsoft.com/en-us/library/ff649317.aspx

    We were able to achieve impersonation if the service is trusted for delegation in the domain controller and the service runs under the “Local System” account. When we try to run the service as a WinAD user, it isn't able to impersonate.

    We have followed the steps mentioned in the link https://technet.microsoft.com/en-us/library/cc757194%28v=ws.10%29.aspx.

    Some of the things we came across about the configuration are:

    • The Domain Functional level to be more than Windows Server 2003: http://technet.microsoft.com/en-us/library/cc753104.aspx. Also https://technet.microsoft.com/en-us/library/ee675779.aspx
    • Providing SeTcbPrivilege
    • To set SPN: http://technet.microsoft.com/en-us/library/cc731241%28WS.10%29.aspx
    • Making the user part of Pre-Windows 2000 Compatible Access: http://support.microsoft.com/kb/325363

    • Moved by Shu 2017 Tuesday, February 3, 2015 6:51 AM
    Friday, January 30, 2015 10:13 AM
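The configuration items the question lists can be audited against the account the service actually runs as. The script below is an added example, not code from the post or the linked POC; it assumes the RSAT ActiveDirectory module, runs on the host where the service is installed, and takes a hypothetical service account name in $ServiceAccount. When a service runs as Local System its Kerberos identity is the computer account, so the SPN and delegation settings are consulted on the computer object; when it runs as a domain user they must be present on that user account instead, which is what this audit checks.

```powershell
param(
    [Parameter(Mandatory)] [string] $ServiceAccount   # hypothetical, e.g. 'svc-fileimpersonate'
)
Import-Module ActiveDirectory
$findings = @()

# 1. Domain functional level must be above Windows Server 2003.
$mode = (Get-ADDomain).DomainMode
$findings += [pscustomobject]@{ Check = 'Domain functional level'; Value = "$mode"
    OK = ($mode -notmatch '2000|2003') }

# 2. The SPN must be registered on the account the service runs as, not on the computer object.
$acct = Get-ADUser -Identity $ServiceAccount -Properties servicePrincipalName,
    'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
$findings += [pscustomobject]@{ Check = 'SPN registered on service account'
    Value = ($acct.servicePrincipalName -join ', '); OK = ($acct.servicePrincipalName.Count -gt 0) }

# 3. Constrained delegation: a target list must exist, and unconstrained delegation should stay off.
#    TrustedToAuthForDelegation (use any authentication protocol) is only needed when the service
#    obtains the user's token via protocol transition (S4U2Self) rather than from a client ticket.
$targets = @($acct.'msDS-AllowedToDelegateTo')
$findings += [pscustomobject]@{ Check = 'Constrained delegation targets (msDS-AllowedToDelegateTo)'
    Value = ($targets -join ', '); OK = ($targets.Count -gt 0) }
$findings += [pscustomobject]@{ Check = 'Unconstrained delegation disabled'
    Value = $acct.TrustedForDelegation; OK = (-not $acct.TrustedForDelegation) }
$findings += [pscustomobject]@{ Check = 'Protocol transition enabled (informational)'
    Value = $acct.TrustedToAuthForDelegation; OK = 'n/a' }

# 4. Direct membership of Pre-Windows 2000 Compatible Access (KB 325363).
$preW2k = Get-ADGroup -Identity 'Pre-Windows 2000 Compatible Access' -Properties member
$isMember = $preW2k.member -contains $acct.DistinguishedName
$findings += [pscustomobject]@{ Check = 'Member of Pre-Windows 2000 Compatible Access'
    Value = $isMember; OK = $isMember }

# 5. SeTcbPrivilege on this host: export the local user-rights assignment and look for the account SID.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$tcbLine = Get-Content $inf | Where-Object { $_ -match '^SeTcbPrivilege' } | Select-Object -First 1
$hasTcb = [bool]($tcbLine -and $tcbLine.Contains("*$($acct.SID.Value)"))
$findings += [pscustomobject]@{ Check = 'SeTcbPrivilege granted on host'
    Value = "$tcbLine"; OK = $hasTcb }
Remove-Item $inf -ErrorAction SilentlyContinue

$findings | Format-Table -AutoSize
```

Run it once with the domain account the service is configured to use; any row with OK = False points at a prerequisite from the list above that is missing on that account rather than on the computer object.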
