Why doesn't delegation work over the network?

re: Why doesn't delegation work over the network?

Pavel Lebedinsky — Wed, 30 Jun 2004 05:03:00 GMT

"Programming Windows Security" by Keith Brown has an interesting discussion of how delegation could have been implemented in a Win2K/Kerberos environment. The problem with the existing Win2K implementation is that you have no control over which services the clients can be delegated to - once the server is marked as trusted for delegation, it can do anything it wants with the client credentials. This has been addressed in Windows 2003 with its constrained delegation feature.

By the way, LocalService doesn't have access to machine credentials. To be able to use delegation (or even authenticate to other machines in a domain), a service has to run as LocalSystem, NetworkService or a domain account.

re: Why doesn't delegation work over the network?

Larry Osterman — Wed, 30 Jun 2004 16:53:00 GMT

Doh, of course you're right Pavel about LocalService - I added that to the list of accounts without thinking about it. LocalService has no access to network resources, by design :)

Roadmap To Delegation

K. Scott Allen — Fri, 25 Feb 2005 06:51:00 GMT

When people ask for security holes as features: Stealing passwords

The Old New Thing — Wed, 04 May 2005 16:03:55 GMT

You can't get the user's password. You'd think that'd be obvious.

NT Networks, Delegation, Kerberos and Impersonation.

Miscellaneous Debris — Wed, 04 May 2005 20:38:39 GMT