Thank you, but I cannot change anything in the AD, although I am the Domain Admin. I always get the error message "Your security settings do not allow you to specify whether or not this account is to be trusted for delegation".
I almost know by heart all the TechNet articles about delegation, but I'm still unable to trust computers or users for delegation. I'm desperate.

Pierrot

"Douglas E. Engert" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> This sounds like what you are looking for:
>
>> -------- Original Message --------
>> Subject: Re: Negotiate on Windows with cross-realm trust AD and MIT Kereros.
>> Date: Wed, 18 Jul 2007 09:04:12 -0500
>> From: Douglas E. Engert <[EMAIL PROTECTED]>
>> To: [EMAIL PROTECTED]
>> CC: Achim Grolms <[EMAIL PROTECTED]>, modauthkerb-help <[EMAIL PROTECTED]>, kerberos <[email protected]>
>> References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
>>
>> You asked how to do this in AD...
>>
>> An AD admin sets the TRUSTED_FOR_DELEGATION in UserAccountControl for the server.
>> But not just any admin can set this; who can set the bit is controlled by a group
>> control policy on the DC. In 2000 you had to edit a file. In 2003 there is a way to
>> set it, see below.
>>
>> UserAccountControl definitions:
>> http://support.microsoft.com/kb/305144
>>
>> Some pointers to trusted for delegation
>> http://support.microsoft.com/kb/250874
>> http://support.microsoft.com/kb/322143/EN-US/
>> http://technet2.microsoft.com/windowsserver/en/library/72612d01-622c-46b7-ab4a-69955d0687c81033.mspx?mfr=true
>>
>> Enable computer and user accounts to be trusted for delegation
>> http://technet2.microsoft.com/windowsserver/en/library/a9fd0aa2-301c-42b3-a7b1-2595631c389f1033.mspx?mfr=true
>
> [EMAIL PROTECTED] wrote:
>> Hello all
>> I'm trying to set up Kerberos on my Windows 2003 domain. I already had
>> to raise the domain functional level to Windows 2003 in order to get
>> the Delegation tab in the SQLservice account.
>> Now, when I try to "trust this user for delegation to any service
>> (Kerberos only)", I get an Access Denied from the Active Directory,
>> although I'm logged in as domain admin.
>> I suppose I'm missing something somewhere, but what?
>>
>> Pierrot
>> ________________________________________________
>> Kerberos mailing list [email protected]
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>
> --
>
> Douglas E. Engert <[EMAIL PROTECTED]>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
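
The TRUSTED_FOR_DELEGATION bit of UserAccountControl mentioned in the thread can be audited from a directory export. The following is an added example, not part of the original messages: the bit values are those listed in KB305144, while the LDIF-style sample entries, the `example.test` domain and the function names are constructed for illustration.

```python
# Bit values from Microsoft KB305144 (userAccountControl flags).
ACCOUNTDISABLE = 0x0002
SERVER_TRUST_ACCOUNT = 0x2000          # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000       # the bit discussed in this thread

# Constructed sample export (LDIF-style); names and values are invented.
SAMPLE_LDIF = """\
dn: CN=SQLservice,CN=Users,DC=example,DC=test
sAMAccountName: SQLservice
userAccountControl: 524800

dn: CN=DC01,OU=Domain Controllers,DC=example,DC=test
sAMAccountName: DC01$
userAccountControl: 532480

dn: CN=WEB01,CN=Computers,DC=example,DC=test
sAMAccountName: WEB01$
userAccountControl: 4096

dn: CN=oldsvc,CN=Users,DC=example,DC=test
sAMAccountName: oldsvc
userAccountControl: 524802
"""

def parse_ldif(text):
    """Split an LDIF-style export into one dict of attributes per entry."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                entry[key] = value
        entries.append(entry)
    return entries

def audit_delegation(entries):
    """Return (account, status) for every entry with TRUSTED_FOR_DELEGATION set."""
    findings = []
    for e in entries:
        uac = int(e.get("userAccountControl", "0"))
        if not uac & TRUSTED_FOR_DELEGATION:
            continue
        if uac & SERVER_TRUST_ACCOUNT:
            status = "expected (domain controller)"
        elif uac & ACCOUNTDISABLE:
            status = "review (disabled account still trusted)"
        else:
            status = "review (trusted for delegation to any service)"
        findings.append((e["sAMAccountName"], status))
    return findings
```

Calling `audit_delegation(parse_ldif(SAMPLE_LDIF))` lists the three sample accounts that carry the bit and separates the domain controller from the two that need review.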
