This sounds like what you are looking for:

> -------- Original Message --------
> Subject: Re: Negotiate on Windows with cross-realm trust AD and MIT Kereros.
> Date: Wed, 18 Jul 2007 09:04:12 -0500
> From: Douglas E. Engert <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> CC: Achim Grolms <[EMAIL PROTECTED]>, modauthkerb-help <[EMAIL PROTECTED]>, kerberos <[email protected]>
> References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
>
> You asked how to do this in AD...
>
> An AD admin sets the TRUSTED_FOR_DELEGATION in UserAccountControl for the server.
> But not just any admin can set this; who can set the bit is controlled by a group
> control policy on the DC. In 2000 you had to edit a file. In 2003 there is a way to
> set it, see below.
>
> UserAccountControl definitions:
> http://support.microsoft.com/kb/305144
>
> Some pointers to trusted for delegation
> http://support.microsoft.com/kb/250874
> http://support.microsoft.com/kb/322143/EN-US/
> http://technet2.microsoft.com/windowsserver/en/library/72612d01-622c-46b7-ab4a-69955d0687c81033.mspx?mfr=true
>
> Enable computer and user accounts to be trusted for delegation
> http://technet2.microsoft.com/windowsserver/en/library/a9fd0aa2-301c-42b3-a7b1-2595631c389f1033.mspx?mfr=true

[EMAIL PROTECTED] wrote:
> Hello all
> I'm trying to set up Kerberos on my Windows 2003 domain. I already had
> to raise the domain functional level to Windows 2003 in order to get
> the Delegation tab in the SQLservice account.
> Now, when I try to "trust this user for delegation to any service
> (Kerberos only)", I get an Access Denied from the Active Directory,
> although I'm logged in as domain admin.
> I suppose I'm missing something somewhere, but what?
> Pierrot
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos

--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
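An added example, not part of the original messages: once the TRUSTED_FOR_DELEGATION bit discussed above has been set, an audit of which accounts carry it can be run over an LDIF export of the directory. The bit values are those listed in KB 305144 linked in the thread; the DNs and the sample export are constructed, and the function names are hypothetical.

```python
# userAccountControl bit values as listed in Microsoft KB 305144.
UAC_FLAGS = {
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",  # domain controllers
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
DELEGATION = {"TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION"}

# Constructed sample export (hypothetical DNs, not from the original thread).
SAMPLE_LDIF = """\
dn: CN=SQLservice,CN=Users,DC=example,DC=test
userAccountControl: 590336

dn: CN=DC01,OU=Domain Controllers,DC=example,DC=test
userAccountControl: 532480

dn: CN=WEB01,CN=Computers,
 DC=example,DC=test
userAccountControl: 16781312

dn: CN=alice,CN=Users,DC=example,DC=test
userAccountControl: 512
"""

def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def parse_ldif(text):
    """Yield one {attribute: value} dict per record, unfolding wrapped lines."""
    unfolded = text.replace("\n ", "")  # LDIF continuation: newline + one space
    for block in unfolded.split("\n\n"):
        pairs = (line.split(": ", 1) for line in block.splitlines()
                 if ": " in line and not line.startswith("#"))
        record = dict(pairs)
        if "dn" in record:
            yield record

def delegation_report(text):
    """List (dn, flags) for accounts with a delegation flag; DCs have it by default and are skipped."""
    report = []
    for rec in parse_ldif(text):
        flags = decode_uac(int(rec.get("userAccountControl", "0")))
        if DELEGATION & set(flags) and "SERVER_TRUST_ACCOUNT" not in flags:
            report.append((rec["dn"], flags))
    return report
```

Calling `delegation_report(SAMPLE_LDIF)` returns the SQLservice and WEB01 entries; any account on that list that nobody can account for is worth reviewing.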
