Active directory - Users account

  • Question

  • "Account is sensitive and cannot be delegated" 

    Though this option is chosen for a user account, the same user can be delegated....

    What exactly does this option do? (Windows server 2008- AD) 

    Wednesday, June 26, 2013 6:47 AM

Answers

  • I've seen this used when dealing with the "double jump" integrated authentication. For instance, a user logs into Windows and uses IE to navigate to a web server in the same domain, which is set to authenticate the user with integrated authentication. Then the web server connects to a SQL Server on a separate computer, using once again integrated authentication. If you want the user's identity to flow all the way into the back end server, you cannot set the user account as "sensitive and cannot be delegated". If you do, it will be blocked at the web server and won't flow into the SQL server (since it would be "delegated" to the web server).

    Thursday, June 27, 2013 5:32 AM
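An added example, not part of the original thread, showing how an administrator would audit the setting the answer describes. "Account is sensitive and cannot be delegated" is the NOT_DELEGATED bit (0x100000) of the `userAccountControl` attribute, exposed by the ActiveDirectory PowerShell module as the `AccountNotDelegated` property. The script assumes a domain-joined host with RSAT installed; the group name `Domain Admins` and the sample account `jdoe` are placeholders to adapt.

```powershell
# Added example (not from the original thread): audit and, optionally, set the
# "Account is sensitive and cannot be delegated" flag.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

$NOT_DELEGATED = 0x100000   # ADS_UF_NOT_DELEGATED bit of userAccountControl

# 1. Accounts that already carry the flag. The KDC will not issue forwardable
#    tickets for them, so "double hop" flows (user -> web server -> SQL Server)
#    stop at the first server by design, as the answer above explains.
$flagged = Get-ADUser -Filter 'AccountNotDelegated -eq $true' `
    -Properties AccountNotDelegated, userAccountControl
$flagged | Select-Object SamAccountName, Enabled,
    @{ n = 'UAC_NotDelegated'
       e = { ($_.userAccountControl -band $NOT_DELEGATED) -ne 0 } }

# 2. Privileged accounts that do NOT carry the flag. Such accounts' credentials
#    can be delegated by any service they authenticate to, which is usually
#    undesirable for admin identities. 'Domain Admins' is an assumed group name.
$privileged = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties AccountNotDelegated
$unprotected = $privileged | Where-Object { -not $_.AccountNotDelegated }
$unprotected | Select-Object SamAccountName, DistinguishedName

# 3. Setting the flag on one account ('jdoe' is a placeholder). Run with -WhatIf
#    first, and leave it clear on accounts whose identity must flow through a
#    middle tier, or that tier's back-end connection will fail.
Set-ADUser -Identity 'jdoe' -AccountNotDelegated $true -WhatIf
```

Steps 1 and 2 are read-only and safe to run as part of a periodic review; step 3 only reports what would change until `-WhatIf` is removed. Checking the raw `userAccountControl` bit alongside `AccountNotDelegated` confirms that the friendly property and the stored attribute agree.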