Bob, Make no mistake - I'm really not a fan of allowing "Act as part of the operating system" or the Impersonation privilege.
That being said - from the work that I have done with other web developers needing access to SQL or application servers, constrained delegation is the best method that I have seen available - IF it is done correctly. As I suspect you know (and the reason for your asking) it's all about the level of comfort with the solution. However, just the very configuration sets up two things that I like very much.

One - in the old(er) methods of delegation, Alice authNs to server Bob, which then impersonates Alice to SQL Server. Bob is then the authenticator to the destination, SQL Server - not Alice, which causes a bit of a problem - Trust. Can you trust Server Bob, or the administrator, or who else might have control of server Bob? Maybe not. Auditing, too, becomes a problem.

Model two involves, again, Alice authNs to Server Bob, Server Bob authNs to the SQL server as Alice. Server Bob, in and of itself, has no permissions to the SQL server and we see that the audit logs show access by Alice - not Bob. Big mitigation in relation to authN. Alice is allowed, not Server Bob. Server Bob is still allowed to do some role based authN and authZ.

Now, let's add the constrained delegation. Pretty much the same thing as model two - except we are allowed to limit the scope of servers, services, ports, etc. that the delegated request is able to talk to.

There is no completely safe solution when we involve impersonation. However, Security is Risk Management. Without having a complete, holistic view of the entire solution and environment, I can't really tell you what your risk will be. What I can say is that if Plain Text is 100% Risk, and "Act As Operating System" is 30%, this is 10%.

As to the AD perspective - not much at all that I'm aware of. As to the desirability, I'd prefer this method over any of the others that have been presented of late - short of two-factor.
If you haven't seen this: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx

Rick

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 3:07 PM
To: [email protected]
Subject: [ActiveDir] Kerberos Delegation

We have a developer who wants us to allow delegation for a couple of SQL servers and their service accounts so he can do distributed queries across linked servers. This is new ground for us from an AD perspective that I have just started researching and I'd like to hear others' thoughts, policies, etc.

We are at 2003 functional level so from what I read, we can allow constrained delegation, which is much better than un-constrained, but most of the comments I come across indicate this isn't something to be taken lightly, has serious security ramifications, policies should be in place, etc., etc.

I can find a reasonable amount of information from the developer's point-of-view, and I can see how to implement it technically (I think) but not a whole lot from the AD admin's perspective, especially as it pertains to the desirability of allowing it and how best to manage it if it is allowed. Any info greatly appreciated.

Bob

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
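For the "how best to manage it" side of Bob's question, and to make visible the scope limit Rick describes (the list of target services a constrained account may delegate to), here is an added inventory script; it is not from the thread or from either poster, and it assumes a domain-joined host with the ActiveDirectory PowerShell module and read access to the domain.

```powershell
# Added example (not from the thread): inventory Kerberos delegation settings in AD.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

# userAccountControl bits that govern delegation
$TRUSTED_FOR_DELEGATION    = 0x80000    # unconstrained: may impersonate callers to ANY service
$TRUSTED_TO_AUTH_FOR_DELEG = 0x1000000  # constrained with protocol transition ("any auth protocol")

# Matching-rule OID 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND.
# Select every user or computer that has any delegation setting at all.
$filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
          '(msDS-AllowedToDelegateTo=*))'

Get-ADObject -LDAPFilter $filter -Properties userAccountControl, msDS-AllowedToDelegateTo |
    ForEach-Object {
        $uac = [int]$_.userAccountControl
        $mode = if ($uac -band $TRUSTED_FOR_DELEGATION) { 'UNCONSTRAINED' }
                elseif ($uac -band $TRUSTED_TO_AUTH_FOR_DELEG) { 'Constrained (any protocol)' }
                else { 'Constrained (Kerberos only)' }
        [pscustomobject]@{
            Name      = $_.Name
            Class     = $_.ObjectClass
            Mode      = $mode
            # The SPNs this account may present a delegated ticket to, e.g. MSSQLSvc/host:1433
            AllowedTo = (@($_.'msDS-AllowedToDelegateTo') -join '; ')
        }
    } | Sort-Object Mode, Name | Format-Table -AutoSize
```

Rows marked UNCONSTRAINED are Rick's "model one" (the server holds the caller's credentials for use against any service); the AllowedTo column on the constrained rows is the scope that should list only the linked SQL instances the developer actually needs.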
