Configuring constrained delegation

If you plan to store all of your resource files, such as virtual hard disk (.vhd) files and ISO image (.iso) files, on the computer running the Virtual Server service (Vssrvc.exe), you do not need to take additional configuration steps to begin using Virtual Server. If you store your resource files on a different computer, however, you must take additional steps to allow users to access the resource files, as follows:

  • The Administration Website (VSWebApp.exe) is installed on a different computer than the Virtual Server service (Vssrvc.exe). In this case, to allow users to access files on a remote computer, you must configure constrained delegation on the domain controller, as described later in this topic. This allows the credentials of the user who is logged on to the Administration Website to be passed to the computer that is storing the resource files, so that the user can access the files. In this scenario, you must use Integrated Windows authentication. Delegation does not work with Basic authentication.
  • The Administration Website and the Virtual Server service are installed on the same computer. In this case, you must still configure constrained delegation. However, it is only necessary to configure constrained delegation between the computer storing the resource files and the computer running the Virtual Server service (Step 3 later in this topic). Step 2, configuring constrained delegation between the Web server and the computer running Virtual Server service, is not necessary in this scenario.

In addition, to use Virtual Server Manager search paths, you must also either configure constrained delegation or enable Basic authentication. For more information about Virtual Server Manager search paths, see Configuring Virtual Server Manager search paths.

Important

If you enable Basic authentication, we strongly recommend that you also implement Secure Sockets Layer (SSL) security for the Administration Website. This is because with Basic authentication, passwords are transmitted in plaintext. You configure SSL for the Administration Website from within IIS. For instructions, see the documentation for IIS. Constrained delegation is not supported when using Microsoft Windows XP Professional as your host operating system. In this case, you cannot access files on a remote resource, so you should store files locally.

The following figure illustrates how constrained delegation works when the Virtual Server service, the Administration Website, and the resource files are all located on different servers.

[Figure: Constrained delegation and Virtual Server]

The remainder of this topic gives instructions on configuring constrained delegation for Virtual Server.

Note

The Windows XP operating system does not support constrained delegation. For more information about choosing an installation option for Virtual Server, see Install Virtual Server. Step 2 is only necessary if the Administration Website (VSWebApp.exe) is installed on a different computer than the Virtual Server service (Vssrvc.exe).

Step 1: Verify prerequisites

Before you begin configuring constrained delegation, make sure that you have performed the following tasks:

  • Complete the installation of Virtual Server, as described in Install Virtual Server.

    Important

    For constrained delegation to work, you must perform a custom installation and select the installation option to run the Administration Website as the Local System account. If you do not, you will have to uninstall and reinstall Virtual Server before you can configure constrained delegation.

  • Verify that the domain controller is configured for a Microsoft Windows Server 2003 native domain. If necessary, raise the functional level of the domain from Microsoft Windows 2000 (the default) to Windows Server 2003. For instructions, see "Raise the domain functional level" in Help and Support Center for the Windows Server 2003 operating systems.

    Warning

    If you have or will have any domain controllers running Microsoft Windows NT 4.0 and earlier or Windows 2000 operating systems, then do not raise the domain functional level to the Windows Server 2003 operating systems. Once the domain functional level is set to Windows Server 2003, it cannot be changed back to Windows 2000 mixed or Windows 2000 native.

Step 2: Allow the Web server to delegate a user's credentials to the Virtual Server service

Follow these instructions to allow the Web server to delegate the credentials of the logged-on user to the computer running the Virtual Server service.

Important

Only perform this step if the Administration Website (VSWebApp.exe) is installed on a different computer than the Virtual Server service (Vssrvc.exe).

  1. On the domain controller, open Active Directory Users and Computers.
  2. In the console tree, under DomainName, click Computers.
  3. Right-click the Web server, and then click Properties.
  4. On the Delegation tab, click Trust this computer for delegation to specified services only.
  5. Click Use any authentication protocol.
  6. Click Add, and then click Users and Computers.
  7. Type the name of the computer running the Virtual Server service, and then click OK.
  8. From the list of available services, hold down the CTRL key while clicking cifs and vssrvc, and then click OK.
  9. Repeat as necessary for additional computers running the Virtual Server service.

Step 3: Allow the Virtual Server service to delegate a user's credentials to another computer

Follow these instructions to allow Virtual Server to delegate the credentials of the logged-on user to another computer. This allows users to access resource files stored on a computer other than the one running the Virtual Server service.

  1. On the domain controller, open Active Directory Users and Computers.
  2. In the console tree, under DomainName, click Computers.
  3. Right-click the computer running the Virtual Server service, and then click Properties.
  4. On the Delegation tab, click Trust this computer for delegation to specified services only.
  5. Click either Use any authentication protocol or Use Kerberos only.
  6. Click Add, and then click Users and Computers.
  7. Type the name of the computer storing your resource files, and then click OK.
  8. From the list of available services, select cifs, and then click OK.
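Steps 2 and 3 above, scripted as an added example that is not part of the original topic, using the ActiveDirectory PowerShell module on a domain-joined administration workstation; the domain and computer names are placeholders. The final query lists every computer account allowed to delegate and whether "Use any authentication protocol" is set, which is the check a reviewer wants because that setting lets the front-end server obtain service tickets on a user's behalf without the user having authenticated to it with Kerberos.

```powershell
# Added example (not from the Virtual Server documentation). Requires the
# ActiveDirectory module (RSAT) and rights to modify computer objects.
# All names below are placeholders; replace them with your own.
$Domain     = 'corp.example'   # placeholder DNS domain name
$WebServer  = 'VSWEB01'        # runs the Administration Website (VSWebApp.exe)
$VsHost     = 'VSHOST01'       # runs the Virtual Server service (Vssrvc.exe)
$FileServer = 'VSFILES01'      # stores the .vhd and .iso resource files

# Build the service principal names the Delegation tab writes to
# msDS-AllowedToDelegateTo. The GUI records both the short and the
# fully qualified form of each service, so do the same here.
function Get-DelegationSpns {
    param([string]$Computer, [string[]]$Services)
    foreach ($svc in $Services) {
        "$svc/$Computer"
        "$svc/$Computer.$Domain"
    }
}

# Step 2: Web server -> cifs and vssrvc on the Virtual Server host.
# TrustedToAuthForDelegation = $true is "Use any authentication protocol"
# (protocol transition), which the topic requires for this hop.
$step2 = Get-DelegationSpns -Computer $VsHost -Services 'cifs', 'vssrvc'
Set-ADComputer -Identity $WebServer -Add @{ 'msDS-AllowedToDelegateTo' = $step2 }
Set-ADAccountControl -Identity ($WebServer + '$') -TrustedToAuthForDelegation $true

# Step 3: Virtual Server host -> cifs on the file server.
# The topic permits "Use Kerberos only" here; leaving protocol transition off
# means the host can only delegate for users who arrived with a Kerberos ticket.
$step3 = Get-DelegationSpns -Computer $FileServer -Services 'cifs'
Set-ADComputer -Identity $VsHost -Add @{ 'msDS-AllowedToDelegateTo' = $step3 }
Set-ADAccountControl -Identity ($VsHost + '$') -TrustedToAuthForDelegation $false

# Review: every computer permitted to delegate, the target services, and
# whether protocol transition is enabled. Run this after each change and keep
# the list limited to the hops above.
Get-ADComputer -Filter 'msDS-AllowedToDelegateTo -like "*"' `
    -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } } |
    Format-Table -AutoSize
```

Set-ADComputer -Add appends to any entries already present, which matches the topic's "Repeat as necessary" for additional Virtual Server hosts.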