Do you have details on the accounts that will be delegated? With constrained delegation, it is pretty straightforward to limit which accounts can delegate to which other services, but you might want to be very careful about limiting who gets delegated.
One really good idea is marking all the domain admin accounts as "sensitive and cannot be delegated", for example. From there, you might also consider adding additional accounts.

From a business perspective, a lot of times implementing a delegation scenario is much preferable to the alternatives. Here, the dev would probably have to hit the other SQL boxes with a service account and would lose the ability to enforce the same security model in place with SQL, which is not good.

My $0.02,

Joe K.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
Sent: Tuesday, August 09, 2005 3:07 PM
To: [email protected]
Subject: [ActiveDir] Kerberos Delegation

We have a developer who wants us to allow delegation for a couple of SQL servers and their service accounts so he can do distributed queries across linked servers. This is new ground for us from an AD perspective that I have just started researching, and I'd like to hear others' thoughts, policies, etc.

We are at 2003 functional level, so from what I read we can allow constrained delegation, which is much better than unconstrained, but most of the comments I come across indicate this isn't something to be taken lightly, has serious security ramifications, policies should be in place, etc.

I can find a reasonable amount of information from the developer's point of view, and I can see how to implement it technically (I think), but not a whole lot from the AD admin's perspective, especially as it pertains to the desirability of allowing it and how best to manage it if it is allowed.

Any info greatly appreciated.

Bob

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
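An added example, not part of the thread: a small Python audit that classifies each account's delegation mode from the documented userAccountControl bits and the msDS-AllowedToDelegateTo attribute that constrained delegation writes, and flags privileged accounts that lack the "sensitive and cannot be delegated" flag recommended above. The account records, names, SPN and group list are constructed sample data, not from any real directory.

```python
# Added example (not from the mailing-list thread). Audits delegation settings on
# account records shaped like LDAP attributes. All records below are constructed.

# Documented userAccountControl flag bits.
TRUSTED_FOR_DELEGATION = 0x80000             # unconstrained delegation
NOT_DELEGATED = 0x100000                     # "sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained, with protocol transition

# Groups whose members should carry NOT_DELEGATED (assumed policy list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample accounts (0x200 = NORMAL_ACCOUNT, 0x10000 = DONT_EXPIRE_PASSWORD).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc-sql01", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql02.corp.example:1433"], "memberOf": []},
    {"sAMAccountName": "svc-sql02", "userAccountControl": 0x10200 | TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": [], "memberOf": []},
    {"sAMAccountName": "svc-web", "userAccountControl": 0x10200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.example:1433"], "memberOf": []},
    {"sAMAccountName": "bob", "userAccountControl": 0x200 | NOT_DELEGATED,
     "msDS-AllowedToDelegateTo": [], "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "joe", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": [], "memberOf": ["Domain Admins"]},
]


def delegation_mode(acct):
    """Return 'unconstrained', 'constrained', 'constrained-transition' or 'none'."""
    uac = acct["userAccountControl"]
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct.get("msDS-AllowedToDelegateTo"):
        return "constrained-transition" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION else "constrained"
    return "none"


def audit(accounts):
    """Return (account, finding) pairs an AD admin would want to review."""
    findings = []
    for acct in accounts:
        name = acct["sAMAccountName"]
        mode = delegation_mode(acct)
        if mode == "unconstrained":
            findings.append((name, "unconstrained delegation; restrict to msDS-AllowedToDelegateTo"))
        elif mode == "constrained-transition":
            findings.append((name, "protocol transition enabled; confirm it is actually required"))
        # Members of privileged groups should never be delegatable at all.
        if PRIVILEGED_GROUPS & set(acct.get("memberOf", [])) and not acct["userAccountControl"] & NOT_DELEGATED:
            findings.append((name, "privileged account lacks 'sensitive and cannot be delegated'"))
    return findings
```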
