Constrained Delegation for UNC File Content

Applies To: Windows Server 2003, Windows Server 2003 with SP1

Delegation is the act of allowing a service to impersonate a user account or computer account in order to access resources elsewhere on the network. When a service is trusted for delegation, it can present the user's identity to other network services. Constrained delegation is new in Windows Server 2003 and requires the domain to be at the Windows Server 2003 functional level. With this option you specify the Service Principal Names (SPNs) to which an account can delegate: the service is still trusted for delegation, but the domain administrator limits that trust to an explicit list of target services rather than every service in the forest (unconstrained delegation). By allowing delegation only to specific services, you control exactly which network resources the service or computer can reach on a user's behalf.

Constrained delegation is particularly useful when a site that requires authentication (that is, a site that does not allow anonymous access) serves content housed on a remote UNC file server. With constrained delegation you can enable Integrated Windows authentication, which negotiates either Kerberos or NTLM with the browser. Neither scheme sends the user's password across the network, but only a Kerberos service ticket can be used by the Web server to reach a second computer as that user.

If you do not use constrained delegation but you enable Integrated Windows authentication and the browser authenticates with NTLM, the token that the Web server obtains from the Windows security infrastructure is a local logon token with no network credentials, so it cannot be used to open a connection to another computer such as your file server (the "double hop" problem). With constrained delegation configured to use any authentication protocol (protocol transition), the Web server can instead request a Kerberos service ticket for that user to the file server's CIFS service, so the file server sees the request as coming from the user. Essentially, constrained delegation lets an NTLM-authenticated session be upgraded to a Kerberos-based token that is valid for the listed services only. Two caveats: first, an account trusted for protocol transition can obtain a ticket as any user (except users marked "Account is sensitive and cannot be delegated") to the SPNs on its list, so treat the Web server's account as a high-value target and list only the SPNs it genuinely needs; second, Kerberos delegation can degrade performance because every file access is authorized on the file server as the individual user rather than over one shared connection.
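The following PowerShell script is an added example, not part of the original article or of IIS. It configures constrained delegation with protocol transition for a Web server's computer account, verifies the result, and audits the domain for every account that holds the same right. It assumes a domain contoso.com, a Web server computer account WEB01 answering for www.contoso.com, a file server FS01.contoso.com, and the ActiveDirectory module from the Remote Server Administration Tools; all of these names are assumptions.

```powershell
# Added example (not from the original article). Assumed names: domain contoso.com,
# Web server computer account WEB01, site host name www.contoso.com, file server
# FS01.contoso.com. Requires the ActiveDirectory module (RSAT) and domain-admin rights.
Import-Module ActiveDirectory

$webServer  = 'WEB01'
$siteHost   = 'www.contoso.com'
$fileServer = 'FS01.contoso.com'

# 1. The Web server needs an HTTP SPN for the host name browsers actually use;
#    without it the browser cannot get a Kerberos ticket and falls back to NTLM.
Set-ADComputer -Identity $webServer -ServicePrincipalNames @{ Add = "HTTP/$siteHost" }

# 2. Constrain delegation to the CIFS service on the file server only. This writes
#    the msDS-AllowedToDelegateTo attribute; nothing else becomes reachable.
Set-ADComputer -Identity $webServer -Add @{ 'msDS-AllowedToDelegateTo' = "cifs/$fileServer" }

# 3. Enable protocol transition ("Use any authentication protocol") so a user who
#    authenticated to IIS with NTLM can still be delegated. This sets the
#    TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000) in userAccountControl.
Get-ADComputer -Identity $webServer | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 4. Verify the account's delegation posture. Unconstrained must stay $false.
$acct = Get-ADComputer -Identity $webServer -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
$uac  = [int]$acct.userAccountControl
[pscustomobject]@{
    Account             = $acct.SamAccountName
    Unconstrained       = [bool]($uac -band 0x80000)    # TRUSTED_FOR_DELEGATION
    ProtocolTransition  = [bool]($uac -band 0x1000000)  # TRUSTED_TO_AUTH_FOR_DELEGATION
    AllowedToDelegateTo = @($acct.'msDS-AllowedToDelegateTo') -join ', '
}

# 5. Audit: every account in the domain with protocol transition enabled. Each one
#    can mint a service ticket as (almost) any user to the services it lists, so
#    review the list periodically and remove SPNs that are no longer needed.
Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' `
    -Properties sAMAccountName, 'msDS-AllowedToDelegateTo' |
    Select-Object sAMAccountName,
        @{ n = 'DelegatesTo'; e = { @($_.'msDS-AllowedToDelegateTo') -join ', ' } }
```

Step 5 uses the LDAP bitwise-AND matching rule on userAccountControl; the decimal 16777216 is 0x1000000. Running the same filter with 524288 (0x80000) lists accounts trusted for unconstrained delegation, which is the setting constrained delegation is meant to replace.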

For more information about constrained delegation, see Managing a Secure IIS 6.0 Solution.

When you set up a UNC-based virtual directory and specify a user name and password for that directory, you might receive an error message when you attempt to browse the directory in IIS Manager. This error occurs because IIS Manager sends the credentials of the currently logged-on Windows user when it accesses the virtual directory, and those credentials might not be the same as the ones you specified for the directory. By contrast, if you access your Web server over the Internet by using IIS Manager on a remote computer, the contents of the virtual directory are displayed without error. Because IIS Manager is therefore not a reliable way to verify that your users can reach the content stored on the remote computer, test your virtual directories by making requests with a Web browser.
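As an added example (not from the original article), the following PowerShell script tests a virtual directory the way a browser would rather than through IIS Manager: it first makes an unauthenticated request to see which authentication schemes the server offers, then repeats the request with the logged-on user's credentials and reports whether the UNC content was served. The URL https://www.contoso.com/shared/index.htm is an assumption.

```powershell
# Added example (not from the original article). Assumed URL for a UNC-backed
# virtual directory; run it from a domain-joined client logged on as a test user.
$url = 'https://www.contoso.com/shared/index.htm'

function Get-AuthSchemes {
    # An anonymous request to a protected site should return 401 and list the
    # schemes in WWW-Authenticate. "Negotiate" means Kerberos is possible;
    # "NTLM" alone means only NTLM, so delegation will need protocol transition.
    param([string]$Uri)
    try {
        Invoke-WebRequest -Uri $Uri -UseBasicParsing -ErrorAction Stop | Out-Null
        return 'no authentication required (anonymous access is enabled)'
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        if ($resp -and [int]$resp.StatusCode -eq 401) {
            return $resp.Headers['WWW-Authenticate']
        }
        throw
    }
}

function Test-UncContent {
    # Request the page as the current user. 200 means IIS reached the file
    # server with the user's identity; 401 means the user was not accepted at
    # the Web server; 500 or 401 after a successful logon typically means the
    # second hop to the UNC server failed, i.e. delegation is not working.
    param([string]$Uri)
    try {
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -UseDefaultCredentials -ErrorAction Stop
        return [pscustomobject]@{ Status = [int]$r.StatusCode; Bytes = $r.RawContentLength }
    } catch [System.Net.WebException] {
        $resp = $_.Exception.Response
        $code = if ($resp) { [int]$resp.StatusCode } else { -1 }
        return [pscustomobject]@{ Status = $code; Bytes = 0 }
    }
}

"Schemes offered: $(Get-AuthSchemes -Uri $url)"
Test-UncContent -Uri $url
```

Run the test from a client other than the Web server itself: a request made on the server resolves the site to the local machine and can succeed even when the second hop to the file server fails for remote users.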