Constrained Delegation (using Kerberos) for a Service to be trusted for Delegation

  • Question

  • In the POC we are trying, a Service impersonates a user in order to be able to access a file on the file system.

    The POC is from link http://code.msdn.microsoft.com/windowsdesktop/CppWindowsService-cacf4948.

    We have been trying constrained delegation as per the link http://msdn.microsoft.com/en-us/library/ff649317.aspx

    We were able to achieve impersonation if the service is trusted for delegation in the domain controller and the service runs under the “Local System” account. When the service runs as a WinAD user, it isn't able to impersonate.

    We have followed the steps mentioned in the link https://technet.microsoft.com/en-us/library/cc757194%28v=ws.10%29.aspx.

    Some of the things we came across about the configuration are:

    • The Domain Functional Level has to be more than Windows Server 2003

    http://technet.microsoft.com/en-us/library/cc753104.aspx. Also https://technet.microsoft.com/en-us/library/ee675779.aspx


    • Providing SeTcbPrivilege
    • To set SPN http://technet.microsoft.com/en-us/library/cc731241%28WS.10%29.aspx

    • Making the user part of Pre-Windows 2000 Compatible
      http://support.microsoft.com/kb/325363

    • Moved by Shu 2017 Tuesday, February 3, 2015 6:51 AM
    Friday, January 30, 2015 10:13 AM
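    The following script is an added example, not code from the thread or from the linked POC. It applies and then reads back the account-level settings the question lists for a service account that is a domain user rather than Local System: the SPN on the account that actually runs the service (Local System authenticates as the computer account, so the settings that made the POC work were on the computer object), constrained delegation to the file server with protocol transition (the "Use any authentication protocol" option, which S4U2Self needs when the caller never authenticated to the service with Kerberos), and the SeTcbPrivilege user right on the host, without which the S4U logon only yields an identification-level token. The account name, SPNs and host names are assumptions.

```powershell
# Added example, not code from the thread or the linked POC.
# Assumptions (change to your environment): the service runs as CONTOSO\svc-fileimp,
# registers the SPN MyPocService/app01.contoso.local, and must reach a share on
# fs01.contoso.local on behalf of the impersonated user.
# Run elevated on a domain-joined host with the ActiveDirectory module (RSAT) installed.
Import-Module ActiveDirectory

$samName   = 'svc-fileimp'                          # assumed service account (sAMAccountName)
$account   = "CONTOSO\$samName"
$svcSpn    = 'MyPocService/app01.contoso.local'     # assumed SPN of the POC service
$targetSpn = 'cifs/fs01.contoso.local'              # assumed SPN of the file server

# 1. The SPN must be registered on the account the service runs as.
#    -S checks for duplicates in the forest before adding.
setspn -S $svcSpn $samName

# 2. Constrained delegation to the file server only, with protocol transition.
#    msDS-AllowedToDelegateTo lists the targets; TrustedToAuthForDelegation is the
#    "Use any authentication protocol" option (S4U2Self without a Kerberos client ticket).
Set-ADUser -Identity $samName -Add @{ 'msDS-AllowedToDelegateTo' = $targetSpn }
Set-ADAccountControl -Identity $samName -TrustedToAuthForDelegation $true

# 3. Read the result back. TRUSTED_TO_AUTH_FOR_DELEGATION is bit 0x1000000 of userAccountControl.
$u = Get-ADUser -Identity $samName -Properties servicePrincipalName,'msDS-AllowedToDelegateTo',userAccountControl
[pscustomobject]@{
    Account             = $account
    SPNs                = ($u.servicePrincipalName -join '; ')
    AllowedToDelegateTo = ($u.'msDS-AllowedToDelegateTo' -join '; ')
    ProtocolTransition  = [bool]($u.userAccountControl -band 0x1000000)
}

# 4. SeTcbPrivilege ("Act as part of the operating system") is a local user right on the host
#    running the service. Local System holds it by default; a domain user does not until it is
#    granted (secpol.msc > User Rights Assignment, or a GPO). Without it the S4U logon returns an
#    identification-level token, which cannot be impersonated to open the file.
$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$tcb = Get-Content $inf | Where-Object { $_ -match '^SeTcbPrivilege' }   # SIDs appear as *S-1-5-...
if ($tcb -and $tcb -match [regex]::Escape($sid)) {
    "SeTcbPrivilege is granted to $account on $env:COMPUTERNAME"
} else {
    "SeTcbPrivilege is NOT granted to $account on $env:COMPUTERNAME (current line: '$tcb')"
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

Two caveats when applying this: the service must log on again (restart it) after the user right is granted, because privileges are fixed in the token at logon; and an account that holds SeTcbPrivilege on a host and can obtain service tickets as any user through protocol transition is as powerful as Local System on that host and should be protected accordingly (long random password, no interactive logon, delegation limited to exactly the SPNs it needs).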

Answers

All replies

  • Do you have any question here?
    Monday, February 2, 2015 8:14 AM
  • Might try them over here.

    https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/home?category=windowsdesktopdev


    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Proposed as answer by Mike Laughlin Thursday, February 19, 2015 1:37 PM
    • Marked as answer by Just Karl Wednesday, March 4, 2015 9:48 PM
    Wednesday, February 4, 2015 3:54 AM
  • Yes.

    The mentioned POC works if the service runs under the “Local System” account. When the service runs as a WinAD user, it isn't able to impersonate.

    So we need to know what we are missing due to which WinAD user is not able to impersonate?

    Friday, February 13, 2015 8:19 AM
  • Can you please respond to this question?
    Thursday, February 19, 2015 6:00 AM
  • Can you please respond to this question?

    Your thread has been moved to the 'Where is the Forum For...?' forum, where we suggest appropriate forums to post your question in.

    I suggest following Dave's suggestion and posting in the forum he linked to.


    Don't retire TechNet! - (Don't give up yet - 13,225+ strong and growing)

    Thursday, February 19, 2015 1:37 PM
  • Yes.

    The mentioned POC works if the service runs under the “Local System” account. When the service runs as a WinAD user, it isn't able to impersonate.

    So we need to know what we are missing due to which the WinAD user is not able to impersonate? Can you please respond to this question asap?

    Sunday, February 22, 2015 5:34 AM
  • Yes.

    The mentioned POC works if the service runs under the “Local System” account. When the service runs as a WinAD user, it isn't able to impersonate.

    So we need to know what we are missing due to which the WinAD user is not able to impersonate? Can you please respond to this question asap?

    Please see my previous response. You will need to repost your question in an appropriate forum.


    Don't retire TechNet! - (Don't give up yet - 13,225+ strong and growing)

    Sunday, February 22, 2015 6:29 PM