Enable Trust computer for delegation for Web servers

Active Server Pages (ASP) pages running on a Web server can set and reset passwords for users stored in the Active Directory directory service only if the Web server is trusted for delegation.

Solution

To enable this option, go to the property sheet for the computer account in Active Directory and make sure the Trust computer for delegation check box is selected.

To set the Trust computer for delegation option

  1. Click Start, point to Program Files, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Navigate to the computer account that needs to be set, for example, Active Directory Users and Computers/<domain name>/Computers/<computer name>.
  3. Double-click the computer name in the list on the right pane. On the Account tab, select the Account is trusted for delegation check box, and then click OK.

You may need to reboot the associated Web server in order for this setting to take effect.

Caution

When a user authenticates to a server (the front-end server) that is trusted for delegation, the server can access the SQL database on the other servers as the user. Because the server that is trusted for delegation holds the user's ticket-granting ticket (TGT), it can authenticate to any service on the network as that user. As a result, this setting is not secure. In the Windows Server 2003 family, you can control the services that can impersonate the user by using constrained delegation.
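The following audit script is an added example, not part of the original page or Microsoft's own code. It reports which computer accounts carry the unconstrained setting described in the caution and which are limited by constrained delegation. The helper name Get-DelegationClass and the sample records are constructed for illustration; the flag values are the documented userAccountControl bits, and the commented Get-ADComputer line assumes the ActiveDirectory PowerShell module is installed.

```powershell
# userAccountControl bits (documented Active Directory flag values).
$TRUSTED_FOR_DELEGATION = 0x80000  # set by the "Trust computer for delegation" check box
$SERVER_TRUST_ACCOUNT   = 0x2000   # domain controllers carry the delegation bit by default

# Hypothetical helper: classify one account's delegation setting.
function Get-DelegationClass {
    param(
        [Parameter(Mandatory)] [int] $UserAccountControl,
        [string[]] $AllowedToDelegateTo = @()   # values of msDS-AllowedToDelegateTo
    )
    if ($UserAccountControl -band $TRUSTED_FOR_DELEGATION) {
        if ($UserAccountControl -band $SERVER_TRUST_ACCOUNT) {
            return 'Unconstrained (domain controller)'
        }
        return 'Unconstrained'          # holds forwarded TGTs; review first
    }
    if ($AllowedToDelegateTo.Count -gt 0) { return 'Constrained' }
    return 'None'
}

# Constructed sample records so the script runs without a domain.
$computers = @(
    [pscustomobject]@{ Name = 'WEB01'; userAccountControl = 0x81000
                       'msDS-AllowedToDelegateTo' = @() }
    [pscustomobject]@{ Name = 'WEB02'; userAccountControl = 0x1000
                       'msDS-AllowedToDelegateTo' = @('MSSQLSvc/sql01.example.test:1433') }
    [pscustomobject]@{ Name = 'DC01';  userAccountControl = 0x82000
                       'msDS-AllowedToDelegateTo' = @() }
    [pscustomobject]@{ Name = 'WS01';  userAccountControl = 0x1000
                       'msDS-AllowedToDelegateTo' = @() }
)

# For live data, replace the sample with:
# $computers = Get-ADComputer -Filter * -Properties userAccountControl, msDS-AllowedToDelegateTo

$computers | ForEach-Object {
    [pscustomobject]@{
        Name       = $_.Name
        Delegation = Get-DelegationClass -UserAccountControl $_.userAccountControl `
                         -AllowedToDelegateTo $_.'msDS-AllowedToDelegateTo'
    }
} | Where-Object Delegation -ne 'None' | Sort-Object Delegation, Name | Format-Table -AutoSize
```

Accounts reported as Unconstrained that are not domain controllers are the ones the caution applies to; each is a candidate for conversion to constrained delegation.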

Copyright © 2005 Microsoft Corporation.
All rights reserved.