Configuring Servers for Delegation (IIS 6.0)

Applies To: Windows 7, Windows Server 2008, Windows Server 2008 R2, Windows Vista

How you configure delegation on Windows Server 2003 depends on whether you are supporting a network that has both Windows 2000 and Windows Server 2003 domain controllers. When both Windows 2000 and Windows Server 2003 domain controllers must be supported, the domain must run in Windows 2000 mixed mode. This limits you to Windows 2000 (unconstrained) delegation throughout the Active Directory forest.

Configuring Delegation in Windows 2000 Mixed Domains

On the domain controller for your Web server’s domain:

  1. Click Start, Administrative Tools, and then click Active Directory Users and Computers.

  2. Expand the domain if necessary (for instance, iishost.microsoft.com) and expand the Computers folder.

  3. The right pane lists the computers in your domain. Right-click the computer name for the Web server, and then click Properties.

  4. On the General tab, as shown in Figure 8, make sure the Trust computer for delegation check box is selected.

  5. Click OK at the message box advising you that this operation “should not be done indiscriminately.”

Figure 8: Configuring a server for delegation in a mixed mode domain

Important

Enable “Trust computer for delegation” on only the servers where it is required. It must be set on the Web server, but is not required for the remote file servers.

Configuring Delegation in Windows Server 2003 Domains

Configuring delegation in a Windows Server 2003 domain that does not have to support Windows 2000 domain controllers permits you to use protocol transition and constrained delegation.

To verify that your domain is in Windows Server 2003 mode

  1. Click Start, Administrative Tools, and then click Active Directory Users and Computers.

  2. Select the domain in the left pane.

  3. Click Action on the menu, and then select Raise Domain Functional Level.

The Raise Domain Functional Level dialog box appears, as shown in Figure 9. If your domain is in Windows 2000 native or Windows 2000 mixed mode, you will need to raise it to Windows Server 2003 mode.

To raise the domain functional level

  1. Continuing the previous procedure, in the Raise Domain Functional Level dialog box, select Windows Server 2003 from the drop-down list, and then click Raise.

Important

This change is irreversible and may take 15 minutes to propagate.

![](images/Dd296638.068bb6e4-9ef9-4864-92ed-f8933528ae2e(WS.10).gif)**Figure 9: Raising the domain functional level**

  2. Click OK on the warning “This change affects the entire domain. After you raise the domain functional level it cannot be reversed.”

  3. Click OK on the message “The functional level was raised successfully.”

To configure delegation

  1. Click Start, Administrative Tools, and then click Active Directory Users and Computers.

  2. Expand the domain if necessary (for instance, iishost.microsoft.com) and expand the Computers folder.

  3. The right pane of the Active Directory Users and Computers MMC tool lists the computers in your domain. Right-click the computer name for the Web server, select Properties, and then click the Delegation tab (Figure 10).

    Figure 10: Default setting for computer properties Delegation tab

  4. By default, delegation is disabled. To enable protocol transition and constrained delegation, select Trust this computer for delegation to specified services only.

  5. In addition, specify whether delegation should use Kerberos only or any authentication protocol. Choosing any authentication protocol (protocol transition) allows you to use pass-through authentication with Basic, NTLM, Digest, Kerberos, or any other IIS authentication provider.

  6. Click the Add button.

  7. In the Add Services dialog box, click Users or Computers, and then search for or type in the name of the file server that is to receive the user’s credentials from IIS (Figure 11).

    Figure 11: Identifying the file server to receive delegated credentials

  8. Click OK when done.

  9. In the ComputerName Properties dialog box, click the Add button. The Add Services dialog box appears.

  10. In the Add Services dialog box, click Users or Computers, and in the Select Users or Computers dialog box, search for or type in the name of the file server that is to receive the user’s credentials from IIS (Figure 12).

    Figure 12: Using the Windows Server 2003 Select Users or Computers dialog to specify the file server

  11. Click OK when done. The Add Services dialog box, shown in Figure 13, now lists the services that are registered as Service Principal Names (SPNs) with Kerberos for the selected computer.

    Figure 13: Windows Server 2003 Add Services dialog shows registered services

  12. From the Service Types list, select the HOST (the server service) and Common Internet File System (CIFS) services, and then click OK.

Important

Only add the services that you are sure you need to receive delegated credentials. Be sure to use service names on the file server, not the Web server.

Note

If you intend to access a remote SQL Server computer using constrained delegation, you will need to add that service as well (for the SQL Server machine). A common example is an Active Server Page (ASP) that makes an ActiveX Data Object (ADO) connection to SQL Server. The SQL Server SPN is MSSQLSvc.

![](images/Dd296638.2c879a17-ec07-4ace-a4ff-f63255584513(WS.10).gif)**Figure 14: Result of configuring Active Directory for protocol transition and constrained delegation**

  13. On the Delegation tab of the ComputerName Properties dialog box, verify that the new services were added, as shown in Figure 14. Click OK. This completes the process of configuring Active Directory for protocol transition and constrained delegation from the IIS server to the file server.
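The settings chosen in the procedures above (the mixed-mode “Trust computer for delegation” check box, and the Delegation tab’s constrained list with its Kerberos-only or any-protocol choice) end up as attributes on the Web server’s computer object: the TrustedForDelegation and TrustedToAuthForDelegation flags and the msDS-AllowedToDelegateTo list of SPNs. The following script is an added example, not part of this article, that reads those attributes back and checks them against the two Important notes: that the Web server is not left on unconstrained delegation when constrained delegation is available, and that every delegation target names a service on the file server rather than on the Web server. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the domain; WEBSRV01 and FILESRV01 are placeholder computer names.

```powershell
# Added example (not from the original article): audit a Web server's delegation
# configuration after following the procedures above.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can read
# computer objects in the domain. Computer names below are placeholders.
Import-Module ActiveDirectory

function Get-DelegationState {
    param([Parameter(Mandatory)][string]$ComputerName)

    $c = Get-ADComputer -Identity $ComputerName -Properties `
        TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

    # msDS-AllowedToDelegateTo holds the SPNs picked in the Add Services dialog.
    $targets = @($c.'msDS-AllowedToDelegateTo')

    $mode = if ($targets.Count -gt 0) {
        # "Trust this computer for delegation to specified services only"
        if ($c.TrustedToAuthForDelegation) { 'Constrained, any authentication protocol (protocol transition)' }
        else { 'Constrained, Kerberos only' }
    } elseif ($c.TrustedForDelegation) {
        # Mixed-mode "Trust computer for delegation" check box: unconstrained
        'Unconstrained (Windows 2000 style)'
    } else {
        'Disabled'
    }

    [pscustomobject]@{ Computer = $c.Name; Mode = $mode; Targets = $targets }
}

function Test-ConstrainedDelegation {
    param(
        [Parameter(Mandatory)][string]$WebServer,
        [Parameter(Mandatory)][string]$FileServer,
        # Services the article adds for a file server: HOST and CIFS.
        [string[]]$ExpectedServices = @('HOST', 'cifs')
    )

    $state   = Get-DelegationState -ComputerName $WebServer
    $fs      = Get-ADComputer -Identity $FileServer -Properties DNSHostName, servicePrincipalName
    $ws      = Get-ADComputer -Identity $WebServer  -Properties DNSHostName
    $fsNames = @($fs.Name, $fs.DNSHostName) | ForEach-Object { $_.ToLowerInvariant() }
    $wsNames = @($ws.Name, $ws.DNSHostName) | ForEach-Object { $_.ToLowerInvariant() }

    $findings = New-Object System.Collections.Generic.List[string]

    if ($state.Mode -like 'Unconstrained*') {
        $findings.Add('Web server is trusted for unconstrained delegation; use the Delegation tab to constrain it to specific services.')
    }
    if ($state.Targets.Count -eq 0) {
        $findings.Add('No delegation targets are configured on the Web server.')
    }

    $seenServices = @()
    foreach ($spn in $state.Targets) {
        $service, $hostPart = $spn -split '/', 2
        if (-not $hostPart) { $findings.Add("Malformed target SPN '$spn'."); continue }
        $hostOnly = ($hostPart -split ':')[0].ToLowerInvariant()

        if ($wsNames -contains $hostOnly) {
            # The article's note: use service names on the file server, not the Web server.
            $findings.Add("Target '$spn' names the Web server itself; targets must be services on the file server.")
        } elseif ($fsNames -notcontains $hostOnly) {
            $findings.Add("Target '$spn' does not refer to $FileServer.")
        } else {
            $seenServices += $service
            # The service must be registered on the file server. A HOST/<name> SPN
            # also covers cifs, http and the other services in the forest's
            # default SPN mappings, so accept either form.
            $registered = $fs.servicePrincipalName | Where-Object {
                $_ -ieq $spn -or $_ -ieq "HOST/$hostPart"
            }
            if (-not $registered) {
                $findings.Add("'$spn' is not registered as an SPN on $FileServer (compare with: setspn -L $FileServer).")
            }
        }
    }

    foreach ($svc in $ExpectedServices) {
        if ($seenServices -notcontains $svc) {
            $findings.Add("Expected service '$svc' on $FileServer is not in the delegation list.")
        }
    }

    [pscustomobject]@{
        WebServer = $WebServer
        Mode      = $state.Mode
        Targets   = $state.Targets
        Findings  = $findings.ToArray()
        Ok        = ($findings.Count -eq 0)
    }
}

# Usage with placeholder names; an empty Findings list means the object matches
# the configuration described in the article.
Test-ConstrainedDelegation -WebServer 'WEBSRV01' -FileServer 'FILESRV01' | Format-List
```

Run it from a domain-joined machine with the RSAT Active Directory tools after completing the “To configure delegation” procedure; a result with Mode “Constrained, any authentication protocol” and no findings corresponds to the state shown in Figure 14. If the remote SQL Server described in the Note is also a target, pass a second call with `-FileServer` set to the SQL Server computer and `-ExpectedServices @('MSSQLSvc')`.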