Trust user for delegation: AD access denied

Douglas E. Engert deengert at anl.gov
Fri Oct 19 10:38:33 EDT 2007


This sounds like what you are looking for:

> -------- Original Message --------
> Subject: Re: Negotiate on Windows with cross-realm trust AD and MIT Kerberos.
> Date: Wed, 18 Jul 2007 09:04:12 -0500
> From: Douglas E. Engert <deengert at anl.gov>
> To: mikkel at linet.dk
> CC: Achim Grolms <kerberosml at grolmsnet.de>,  modauthkerb-help <modauthkerb-help at lists.sourceforge.net>, kerberos <kerberos at mit.edu>
> References: <1184231952.3026.34.camel at tux.lib.cbs.dk>	<f76c3n$1bb$1 at sea.gmane.org> <1184658106.3276.3.camel at tux.lib.cbs.dk>	<200707172125.18286.kerberosml at grolmsnet.de> <1184745677.3078.5.camel at tux.lib.cbs.dk>
> 
> You asked how to do this in AD...
> 
> An AD admin sets the TRUSTED_FOR_DELEGATION in UserAccountControl for the server.
> But not just any admin can set this; who can set the bit is controlled by a group
> control policy on the DC. In 2000 you had to edit a file. In 2003 there is a way to
> set it; see below.
> 
> 
> UserAccountControl definitions:
> http://support.microsoft.com/kb/305144
> 
> 
> Some pointers to trusted for delegation
> http://support.microsoft.com/kb/250874
> http://support.microsoft.com/kb/322143/EN-US/
> http://technet2.microsoft.com/windowsserver/en/library/72612d01-622c-46b7-ab4a-69955d0687c81033.mspx?mfr=true
> 
> 
> Enable computer and user accounts to be trusted for delegation
> http://technet2.microsoft.com/windowsserver/en/library/a9fd0aa2-301c-42b3-a7b1-2595631c389f1033.mspx?mfr=true
> 





pierrot.heritier at unifr.ch wrote:
> Hello all
> I'm trying to setup Kerberos on my Windows 2003 domain. I already had
> to raise the domain functional level to Windows 2003 in order to get
> the Delegation tab in the SQLservice account. 
> Now, when I try to "trust this user for delegation to any service
> (Kerberos only)", I get an Access Denied from the Active Directory,
> although I'm logged in as domain admin.
> I suppose I'm missing something somewhere, but what?



> Pierrot
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
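
Added example, not part of the original message: a small audit that decodes `userAccountControl` values from an LDIF-style export and lists the accounts on which the TRUSTED_FOR_DELEGATION bit discussed above is set, leaving out domain controllers. The flag values are those in the UserAccountControl table of KB305144; the sample entries, account names and the `example.test` domain are constructed, and the parser assumes plain `attr: value` lines without LDIF line folding or base64 values.

```python
import re

# Flag values as listed in the UserAccountControl table (KB305144).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
TRUSTED_FOR_DELEGATION = 0x80000
SERVER_TRUST_ACCOUNT = 0x2000  # domain controllers carry this bit

# Constructed sample export (hypothetical accounts in a made-up domain).
SAMPLE_LDIF = "\n\n".join(
    f"dn: CN={cn},DC=example,DC=test\nsAMAccountName: {sam}\nuserAccountControl: {uac}"
    for cn, sam, uac in [
        ("SQLservice,CN=Users", "SQLservice", 590336),
        ("DC01,OU=Domain Controllers", "DC01$", 532480),
        ("WEB01,CN=Computers", "WEB01$", 528384),
        ("alice,CN=Users", "alice", 512),
        ("admin2,CN=Users", "admin2", 1049088),
    ]
)

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parse_ldif(text):
    """Split blank-line separated entries into dicts keyed by lower-case attribute."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, val = line.partition(": ")
            if sep:
                entry[key.lower()] = val.strip()
        if "useraccountcontrol" in entry:
            entries.append(entry)
    return entries

def delegation_report(text):
    """List (account, flags) for non-DC accounts with TRUSTED_FOR_DELEGATION set."""
    findings = []
    for e in parse_ldif(text):
        uac = int(e["useraccountcontrol"])
        if uac & TRUSTED_FOR_DELEGATION and not uac & SERVER_TRUST_ACCOUNT:
            findings.append((e.get("samaccountname", e.get("dn")), decode_uac(uac)))
    return findings

if __name__ == "__main__":
    for name, flags in delegation_report(SAMPLE_LDIF):
        print(f"{name}: {', '.join(flags)}")
```
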


