It is not unusual for our group to receive a question regarding Constrained Delegation and Protocol Transition.
Even though the document (MS-SFU) does a great job in detailing the specification, not all implementers are familiar with the way in which Windows needs to be configured in order to be able to fulfill the requirements of the protocol. The reason is rather simple: many of the developers reading the documentation work on operating systems other than Windows.
Although I am sure I have seen some blogs and articles explaining this, I thought it could be a good idea to have these details in our blog since it could help implementers using the Open Specification set of documents.
I am not going to get into the details of the WHATs and WHYs because those details are covered by the document.
I will instead make sure the HOWs for configuring a Windows system to work with these extensions are clear and complete.
How to configure the authenticating user account to be able to be delegated?
- Open dsa.msc
- Locate the user account that will be used to access the front end service and open its properties
- If the “Account is sensitive and cannot be delegated” checkbox is checked, then UNCHECK it
- Then commit the change by clicking OK
(In this example, LAB\nonsensi is set to be delegated and LAB\sensi is set NOT to be delegated)
When the checkbox is unchecked, the FORWARDABLE flag ([RFC4120] section 2.6) is set in the TGS-REQ.
The TGS-REP will provide the ticket with the FORWARDABLE flag only if the rest of the settings are correct. If not, the ticket will not have the FORWARDABLE flag set and the delegation will fail.
How to configure the middle tier?
- If you are running the service or application pool with a computer account (Network Service, Local Service or Local System), then locate the computer account of the middle tier system and open its properties
- If you are running the service or application pool with a user account, then locate the user account of the middle tier system and open its properties
- Select the Delegation tab
- Then select the following options: the left side shows the settings for delegation without Protocol Transition, the right side shows the settings for delegation with Protocol Transition.
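As an added example (not from the original post), the PowerShell below reads back the same directory attributes the two dialogs above modify, so you can confirm the configuration before testing. It assumes the ActiveDirectory module is available, uses the post's account names (nonsensi, sensi and the Server3 computer account, since the application pool runs as Network Service), and the back-end SPN mentioned in a comment is a placeholder.

```powershell
# Added example, not part of the original post. Requires RSAT / the ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bits that govern delegation (ADS_USER_FLAG_ENUM values)
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation (not the goal of this post)
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" = Protocol Transition

# Front-end user: the KDC only issues a FORWARDABLE ticket when NOT_DELEGATED is clear.
function Test-FrontEndUserDelegatable {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties userAccountControl
    $sensitive = ($u.userAccountControl -band $NOT_DELEGATED) -ne 0
    $note = if ($sensitive) { 'NOT_DELEGATED is set: S4U2Proxy will fail for this user' } else { 'OK' }
    [pscustomobject]@{
        Account     = $u.SamAccountName
        Delegatable = -not $sensitive
        Note        = $note
    }
}

# Middle tier: constrained delegation is expressed as the list of back-end SPNs in
# msDS-AllowedToDelegateTo; Protocol Transition adds TRUSTED_TO_AUTH_FOR_DELEGATION.
function Get-MiddleTierDelegationConfig {
    param([Parameter(Mandatory)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    $uac = $c.userAccountControl
    [pscustomobject]@{
        Account             = $c.SamAccountName
        Unconstrained       = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
        ProtocolTransition  = ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
        AllowedToDelegateTo = @($c.'msDS-AllowedToDelegateTo')  # e.g. a placeholder like cifs/Server1
    }
}

# Scripted equivalent of unchecking the "sensitive" checkbox, if an audit shows it set:
#   Set-ADAccountControl -Identity nonsensi -AccountNotDelegated $false

Test-FrontEndUserDelegatable -SamAccountName 'nonsensi'   # expected: Delegatable = True
Test-FrontEndUserDelegatable -SamAccountName 'sensi'      # expected: Delegatable = False
Get-MiddleTierDelegationConfig -ComputerName 'Server3' | Format-List
```

If Unconstrained is True on the middle tier, the account is configured for full delegation rather than the constrained form this post describes, which is worth flagging in an audit.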
Is it working?
In this scenario, there is a webpage called test.html hosted on Server1 that is served by an IIS server on Server3.
The application pool on Server3 is running under the Network Service account.
The web page contains 2 pictures with different sets of local permissions.
User nonsensi has permissions on picture.jpg but does not have permissions on picture2.jpg
When accessing the webpage from a client computer using Internet Explorer, this is what nonsensi sees:
As we can see, the page has been served and the picture to which only sensi has permissions has not been displayed.
We can see that the user credentials were used to access the backend server:
And this was done because the ticket with nonsensi’s credentials was forwardable:
I truly hope that you find this article useful when implementing these extensions and testing your implementation against Windows.