pher wrote:
> Thank you, but I cannot change anything in the AD, although I am the Domain
> Admin.
> I always get error messages "Your security settings do not allow you to
> specify whether or not this account is to be trusted for delegation".

There is a Group Policy setting *on the Domain Controller* that must be
changed. It lists the users and groups of users that can set this bit in the
userAccountControl. It defaults to Administrators. I am not an Administrator,
but am in another group that can create accounts for unix hosts, and can set
this bit. Our AD admins spent some time looking for it. With AD2003 there is
a GUI interface to set it.

Start here:
http://technet2.microsoft.com/windowsserver/en/library/a9fd0aa2-301c-42b3-a7b1-2595631c389f1033.mspx?mfr=true

Then look for "For a Group Policy object, when you are on a domain controller
or on a workstation that has the Windows Server 2003 Administration Tools Pack
installed."

You must be on the DC to set the policy.

>
> I almost know by heart all technet articles about delegation, but I'm still
> unable to trust computer or users for delegation.
> I'm desperate
>
> Pierrot
>
>
> "Douglas E. Engert" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>> This sounds like what you are looking for:
>>
>>> -------- Original Message --------
>>> Subject: Re: Negotiate on Windows with cross-realm trust AD and MIT
>>> Kerberos.
>>> Date: Wed, 18 Jul 2007 09:04:12 -0500
>>> From: Douglas E. Engert <[EMAIL PROTECTED]>
>>> To: [EMAIL PROTECTED]
>>> CC: Achim Grolms <[EMAIL PROTECTED]>, modauthkerb-help
>>> <[EMAIL PROTECTED]>, kerberos <[email protected]>
>>> References: <[EMAIL PROTECTED]>
>>> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
>>> <[EMAIL PROTECTED]>
>>> <[EMAIL PROTECTED]>
>>>
>>> You asked how to do this in AD...
>>>
>>> An AD admin set the TRUSTED_FOR_DELEGATION in UserAccountControl for the
>>> server.
>>> But not just any admin can set this; who can set the bit is controlled by
>>> a group control policy on the DC. In 2000 you had to edit a file. In 2003
>>> there is a way to set it, see below.
>>>
>>>
>>> UserAccountControl definitions:
>>> http://support.microsoft.com/kb/305144
>>>
>>>
>>> Some pointers to trusted for delegation
>>> http://support.microsoft.com/kb/250874
>>> http://support.microsoft.com/kb/322143/EN-US/
>>> http://technet2.microsoft.com/windowsserver/en/library/72612d01-622c-46b7-ab4a-69955d0687c81033.mspx?mfr=true
>>>
>>>
>>> Enable computer and user accounts to be trusted for delegation
>>> http://technet2.microsoft.com/windowsserver/en/library/a9fd0aa2-301c-42b3-a7b1-2595631c389f1033.mspx?mfr=true
>>>
>>
>>
>> [EMAIL PROTECTED] wrote:
>>> Hello all
>>> I'm trying to set up Kerberos on my Windows 2003 domain. I already had
>>> to raise the domain functional level to Windows 2003 in order to get
>>> the Delegation tab in the SQLservice account. Now, when I try to "trust
>>> this user for delegation to any service
>>> (Kerberos only)", I get an Access Denied from the Active Directory,
>>> although I'm logged in as domain admin.
>>> I suppose I'm missing something somewhere, but what?
>>
>>
>>> Pierrot
>>> ________________________________________________
>>> Kerberos mailing list [email protected]
>>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>>
>>>
>> --
>>
>> Douglas E. Engert <[EMAIL PROTECTED]>
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
>
>
> ________________________________________________
> Kerberos mailing list [email protected]
> https://mailman.mit.edu/mailman/listinfo/kerberos
>

--

Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
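
Added example, not part of the original thread or any poster's code: once someone has been allowed to set the bit, an administrator can review which accounts carry TRUSTED_FOR_DELEGATION by decoding userAccountControl from a directory export. The flag values are those listed in KB 305144; the LDIF-style sample, the account names other than SQLservice, and the function names are constructed for illustration.

```python
import re

# Flag values as listed in the userAccountControl definitions (KB 305144).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x80000: "TRUSTED_FOR_DELEGATION",
}
TRUSTED_FOR_DELEGATION = 0x80000
SERVER_TRUST_ACCOUNT = 0x2000  # domain controllers normally carry the bit

# Constructed sample export: values are made up for this example.
SAMPLE_LDIF = """\
sAMAccountName: DC01$
userAccountControl: 532480

sAMAccountName: SQLservice
userAccountControl: 524800

sAMAccountName: unixhost1$
userAccountControl: 528384

sAMAccountName: alice
userAccountControl: 512
"""

def parse_ldif(text):
    """Split blank-line-separated records into attribute -> value dicts."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(": ") for line in block.splitlines())
        records.append({key: value for key, sep, value in pairs if sep})
    return records

def decode_uac(value):
    """Names of the known flags set in a userAccountControl integer."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def delegation_report(text):
    """(account, flags) for non-DC accounts that are trusted for delegation."""
    findings = []
    for rec in parse_ldif(text):
        uac = int(rec.get("userAccountControl", "0"))
        if (uac & TRUSTED_FOR_DELEGATION) and not (uac & SERVER_TRUST_ACCOUNT):
            findings.append((rec["sAMAccountName"], decode_uac(uac)))
    return findings

if __name__ == "__main__":
    for account, flags in delegation_report(SAMPLE_LDIF):
        print(account, flags)
```

Each reported account should map to a service that was deliberately approved for delegation; anything else is worth a follow-up with whoever holds the right to set the bit.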
