Re: Trust user for delegation: AD access denied



Thank you, but I cannot change anything in the AD, although I am the Domain
Admin.
I always get error messages "Your security settings do not allow you to
specify whether or not this account is to be trusted for delegation".

I almost know by heart all TechNet articles about delegation, but I'm still
unable to trust computers or users for delegation.
I'm desperate.

Pierrot


"Douglas E. Engert" <deengert@xxxxxxx> wrote in message
news:mailman.26.1192804737.4570.kerberos@xxxxxxxxxx
This sounds like what you are looking for:

-------- Original Message --------
Subject: Re: Negotiate on Windows with cross-realm trust AD and MIT
Kerberos.
Date: Wed, 18 Jul 2007 09:04:12 -0500
From: Douglas E. Engert <deengert@xxxxxxx>
To: mikkel@xxxxxxxx
CC: Achim Grolms <kerberosml@xxxxxxxxxxxx>, modauthkerb-help
<modauthkerb-help@xxxxxxxxxxxxxxxxxxxxx>, kerberos <kerberos@xxxxxxx>
References: <1184231952.3026.34.camel@xxxxxxxxxxxxxx>
<f76c3n$1bb$1@xxxxxxxxxxxxx> <1184658106.3276.3.camel@xxxxxxxxxxxxxx>
<200707172125.18286.kerberosml@xxxxxxxxxxxx>
<1184745677.3078.5.camel@xxxxxxxxxxxxxx>

You asked how to do this in AD...

An AD admin sets the TRUSTED_FOR_DELEGATION in UserAccountControl for the
server.
But not just any admin can set this; who can set the bit is controlled by
a group control policy on the DC. In 2000 you had to edit a file. In 2003
there is a way to set it; see below.


UserAccountControl definitions:
http://support.microsoft.com/kb/305144


Some pointers to trusted for delegation
http://support.microsoft.com/kb/250874
http://support.microsoft.com/kb/322143/EN-US/
http://technet2.microsoft.com/windowsserver/en/library/72612d01-622c-46b7-ab4a-69955d0687c81033.mspx?mfr=true


Enable computer and user accounts to be trusted for delegation
http://technet2.microsoft.com/windowsserver/en/library/a9fd0aa2-301c-42b3-a7b1-2595631c389f1033.mspx?mfr=true






pierrot.heritier@xxxxxxxx wrote:
Hello all
I'm trying to set up Kerberos on my Windows 2003 domain. I already had
to raise the domain functional level to Windows 2003 in order to get
the Delegation tab in the SQLservice account. Now, when I try to "trust
this user for delegation to any service (Kerberos only)", I get an
Access Denied from the Active Directory, although I'm logged in as
domain admin.
I suppose I'm missing something somewhere, but what?



Pierrot
________________________________________________
Kerberos mailing list Kerberos@xxxxxxx
https://mailman.mit.edu/mailman/listinfo/kerberos



--

Douglas E. Engert <DEEngert@xxxxxxx>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
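
One way to check the policy described above, as an added example that is not part of the original thread: it parses the `[Privilege Rights]` section of a security template exported from a DC and reports which SIDs in an admin's token hold `SeEnableDelegationPrivilege` (the "Enable computer and user accounts to be trusted for delegation" right). The template text, the domain SID and the RID 1105 group are constructed sample values.

```python
import configparser

# Constant name of "Enable computer and user accounts to be trusted for delegation".
RIGHT = "SeEnableDelegationPrivilege"

# Constructed sample of a security template export (real exports are usually
# UTF-16; decode before passing the text in). The right is granted only to a
# hypothetical custom group (RID 1105), not to Administrators.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeEnableDelegationPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1105
[Version]
signature="$CHICAGO$"
"""

# Constructed token of a domain admin: Domain Admins (RID 512) and
# BUILTIN\Administrators (S-1-5-32-544).
ADMIN_TOKEN = [
    "S-1-5-21-1111111111-2222222222-3333333333-512",
    "S-1-5-32-544",
]

def holders(inf_text, right=RIGHT):
    """Return the SIDs or names granted `right`; empty set if it is not defined."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep the privilege names' original case
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return set()
    for key, value in cp.items("Privilege Rights"):
        if key.lower() == right.lower():
            # Entries are comma separated; SIDs carry a leading '*'.
            return {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return set()

def can_set_delegation(inf_text, token_sids):
    """Return the token SIDs that hold the right; an empty list means access denied."""
    return sorted(holders(inf_text) & set(token_sids))

if __name__ == "__main__":
    matched = can_set_delegation(SAMPLE_INF, ADMIN_TOKEN)
    print("holders:", sorted(holders(SAMPLE_INF)))
    print("admin may set TRUSTED_FOR_DELEGATION:", bool(matched), matched)
```
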

