Configuring Constrained Delegation for IIS

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1

You can configure your Web server so that clients can authenticate using any authentication protocol, and IIS then accesses content on the file server on behalf of the authenticated clients. For more information about constrained delegation, see UNC Authentication.

Important

You must be a domain administrator to perform the following procedure.

To configure constrained delegation for IIS

  1. From the Start menu, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. In the Active Directory Users and Computers dialog box, ensure that your domain is in the Windows Server 2003 mode by doing the following:

    • In the left pane, click your domain name.

    • From the Action menu, select Raise Domain Functional Level.

    • In the Raise Domain Functional Level dialog box, if your domain is in Windows 2000 native or Windows 2000 mixed mode, click Windows Server 2003 from the Select an available domain functional level list box, and then click Raise.

    Important

    After you change your domain level, you cannot reverse the action. The change can take up to 15 minutes to propagate. For more information about domain functional levels, see "Domain and forest functionality" in Help and Support Center for Windows Server 2003.

  3. In each of the two Raise Domain Functional Level dialog boxes that appear, click OK.

  4. Double-click the domain, and then click the Computers folder. A list of computers in the domain appears in the right pane.

  5. Right-click the Web server computer name, and then select Properties.

  6. Click the Delegation tab, and then select the Trust this computer for delegation to specified services only check box.

  7. Click the authentication type that you want to use, and then click Add.

  8. In the Add Services dialog box, click Users or Computers.

  9. In the Select Users or Computers dialog box, in the Enter the object names to select text box, search for or type the name of the file server that you want to use, and then click OK.

  10. In the Properties dialog box, click Add to add the HOST and CIFS services for the target file server. Add only the services that you are sure must present delegated credentials, and then click OK.
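
To confirm what the procedure wrote to the directory, the following added example (not part of the original Microsoft procedure) reads the Web server's computer account and flags unconstrained delegation or any delegation target other than HOST and CIFS on the intended file server. The names WEB01, FILE01 and example.test, the function Get-DelegationFinding, and the -UseSample switch are assumptions made for illustration; it needs Windows PowerShell on a domain-joined computer.

```powershell
# Added example: audit the delegation settings left by the procedure above.
param(
    [string]$WebServer  = 'WEB01',   # assumed Web server computer name
    [string]$FileServer = 'FILE01',  # assumed file server computer name
    [switch]$UseSample               # check the constructed sample instead of querying AD
)
# userAccountControl bits that control delegation
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

function Get-DelegationFinding {
    param([int]$Uac, [string[]]$AllowedSpns, [string]$FileServer)
    if ($Uac -band $TRUSTED_FOR_DELEGATION) {
        'FAIL: trusted for delegation to any service (unconstrained)'
    }
    if ($Uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
        'INFO: protocol transition is enabled (any authentication protocol)'
    }
    if (-not $AllowedSpns) {
        'FAIL: msDS-AllowedToDelegateTo is empty; constrained delegation is not set'
        return
    }
    foreach ($spn in $AllowedSpns) {
        $class, $rest = $spn -split '/', 2
        # Host part without port, service-name suffix or DNS domain
        $shortHost = (($rest -split '[/:]')[0] -split '\.')[0]
        if ($shortHost -ne $FileServer) {
            "FAIL: delegation to an unexpected host: $spn"
        } elseif (@('HOST', 'CIFS') -notcontains $class) {
            "FAIL: unexpected service class on the file server: $spn"
        } else {
            "OK:   $spn"
        }
    }
}

if ($UseSample) {
    # Constructed values, not taken from any real directory
    $uac  = 0x1001000
    $spns = 'HOST/FILE01', 'cifs/FILE01.example.test', 'http/APP02.example.test'
} else {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=computer)(sAMAccountName=$WebServer`$))"
    'userAccountControl', 'msDS-AllowedToDelegateTo' |
        ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }
    $entry = $searcher.FindOne()
    if (-not $entry) { throw "Computer account $WebServer not found" }
    $uac  = [int]$entry.Properties['useraccountcontrol'][0]
    $spns = @($entry.Properties['msds-allowedtodelegateto'] | Where-Object { $_ })
}
Get-DelegationFinding -Uac $uac -AllowedSpns $spns -FileServer $FileServer
```

Run with -UseSample, the constructed data produces two OK lines, one INFO line for protocol transition, and one FAIL line for the http entry that points at a host other than the file server.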