Hi-

I have no clue how this works in reality, but, cifs is the service name for 
file services. Do you have a link that describes this so I can understand who 
is delegating to who/what? I can probably answer properly based on that.

Either way, all the Kerb delegation stuff is in AD - no need to do gpupdate or 
anything.

Thanks,
Brian Desmond
[email protected]

c - 312.731.3132


From: Steven M. Caesare [mailto:[email protected]]
Sent: Tuesday, August 31, 2010 12:24 PM
To: NT System Admin Issues
Subject: Win2K8 remote-EFS Constrained Delegation

EFS of remote shares requires the file server be trusted for delegation (along 
with the user being allowed for delegation as well). And you need to have a PKI 
in place.

Simply delegating the entire fileserver works, but can be a security issue.

Constrained delegation is available in Win2K3 and above to deal with this, but 
there is a dearth of info that I can find that indicates what SPNs would need 
to specifically be delegated to get this to work.

I found one post where the following was suggested:

On the file server-
cifs; ldap; protectedstorage (add for each DC)
HOST (add for your cert authority)


Now, this SEEMS to work for me, but I'm not sure if this is only because I had 
previously delegated the entire fileserver and there's a setting "left over". 
(I've gpupdate'd my file server and client test machine).

I guess I'm somewhat surprised at this recommendation, because even though I'm 
performing these delegations on the file-server AD object, I'm actually 
specifying services on other machines....

Thoughts or pointers to where this might be explained more fully?

Thanks.

-sc

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin
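
An added example, not written by either poster: a PowerShell check of the delegation settings stored on the file server's AD computer object, showing whether unconstrained delegation is still set and which SPNs are listed for constrained delegation. It assumes the ActiveDirectory module is installed; `FILESRV01` and the function name `Get-DelegationReport` are placeholders.

```powershell
Import-Module ActiveDirectory

# Service classes suggested in the post quoted in the thread.
$ExpectedClasses = 'cifs', 'ldap', 'protectedstorage', 'host'

function Get-DelegationReport {
    param([Parameter(Mandatory = $true)][string]$ComputerName)

    $c = Get-ADComputer -Identity $ComputerName `
        -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    $uac = [int]$c.userAccountControl

    # Each entry is an SPN of the form serviceclass/host[:port][/name].
    $targets = foreach ($spn in @($c.'msDS-AllowedToDelegateTo')) {
        if (-not $spn) { continue }
        $class, $rest = $spn -split '/', 2
        [pscustomobject]@{
            ServiceClass = $class
            Target       = $rest
            Expected     = $ExpectedClasses -contains $class
        }
    }

    [pscustomobject]@{
        Computer           = $c.Name
        # 0x80000 = TRUSTED_FOR_DELEGATION (unconstrained, "any service")
        Unconstrained      = [bool]($uac -band 0x80000)
        # 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition)
        ProtocolTransition = [bool]($uac -band 0x1000000)
        Targets            = @($targets)
    }
}

# 'FILESRV01' is a placeholder computer name.
$report = Get-DelegationReport -ComputerName 'FILESRV01'
$report | Select-Object Computer, Unconstrained, ProtocolTransition
$report.Targets | Sort-Object ServiceClass, Target | Format-Table -AutoSize

if ($report.Unconstrained) {
    Write-Warning 'Unconstrained delegation is still enabled; the SPN list is not what is being tested.'
}
$report.Targets | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning "SPN outside the suggested list: $($_.ServiceClass)/$($_.Target)"
}
```

The `Target` column shows the other machines (DCs, the certificate authority) that the file server is allowed to delegate to, which is why the SPNs name hosts other than the file server itself.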
