Ah... perhaps that explains what I just wrote to Brian regarding the
need to access DC/cifs then...

-sc

From: Ken Schaefer [mailto:[email protected]] 
Sent: Tuesday, August 31, 2010 9:33 PM
To: NT System Admin Issues
Subject: RE: Win2K8 remote-EFS Constrained Delegation

Hi,

We're implementing that here. I'll get a list of SPNs you need.

You're actually configuring the ability of the file server to
impersonate the end user to the DC. Part of this is to be able to find
out what the user's settings are (e.g. where is their roaming profile,
so that the file server can then go load the EFS cert).

Cheers

Ken

From: Steven M. Caesare [mailto:[email protected]] 
Sent: Wednesday, 1 September 2010 3:24 AM
To: NT System Admin Issues
Subject: Win2K8 remote-EFS Constrained Delegation

EFS of remote shares requires the file server be trusted for delegation
(along with the user being allowed for delegation as well). And you need
to have a PKI in place.

Simply delegating the entire fileserver works, but can be a security
issue.

Constrained delegation is available in Win2K3 and above to deal with
this, but there is a dearth of info that I can find that indicates what
SPNs would need to specifically be delegated to get this to work.

I found one post where the following was suggested:

On the file server:

cifs; ldap; protectedstorage (add for each DC)

HOST (add for your cert authority)

Now, this SEEMS to work for me, but I'm not sure if this is only because
I had previously delegated the entire fileserver and there's a setting
"left over". (I've gpupdate'd my file server and client test machine.)

I guess I'm somewhat surprised at this recommendation, because even
though I'm performing these delegations on the file-server AD object,
I'm actually specifying services on other machines...

Thoughts or pointers to where this might be explained more fully?

Thanks.

-sc
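The "left over" setting question above can be answered from the file server's computer account itself: unconstrained delegation is a bit in userAccountControl (TRUSTED_FOR_DELEGATION), while constrained delegation is the SPN list in msDS-AllowedToDelegateTo. If the bit is still set, the KDC still issues forwardable tickets for any service and the SPN list is not what made remote EFS work. The following is an added example, not code from the original post or from anyone in this thread; FS01, DC01/DC02, CA01 and corp.example.com are assumed placeholder names, and it uses the ActiveDirectory module (RSAT, Windows Server 2008 R2 or later). With $Apply left at $false it only reports; set it to $true to clear the unconstrained bit and write the SPN list the post quotes.

```powershell
# Added example, not from the thread: audit how the file server's computer
# account is trusted for delegation and, when $Apply is $true, replace
# "trust for delegation to any service" with the constrained SPN list from
# the post (cifs/ldap/protectedstorage on each DC, HOST on the CA).
# Assumed placeholder names: FS01 (file server), DC01/DC02 (domain
# controllers), CA01 (issuing CA), corp.example.com (domain).
Import-Module ActiveDirectory

$FileServer = 'FS01'
$Domain     = 'corp.example.com'
$DCs        = @('DC01', 'DC02')
$CA         = 'CA01'
$Apply      = $false   # $false = report only; $true = write changes

# userAccountControl bits that govern delegation on a computer account
$UF_TRUSTED_FOR_DELEGATION         = 0x80000    # "any service" (unconstrained)
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("any authentication protocol")

function Get-DelegationState {
    param([string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName `
            -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    [pscustomobject]@{
        Name                = $c.Name
        Unconstrained       = [bool]($c.userAccountControl -band $UF_TRUSTED_FOR_DELEGATION)
        ProtocolTransition  = [bool]($c.userAccountControl -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION)
        AllowedToDelegateTo = @($c.'msDS-AllowedToDelegateTo')
    }
}

# Build the SPN list from the post: cifs, ldap and protectedstorage on each
# DC (short and FQDN forms, as the ADUC Delegation tab adds both), plus HOST
# on the certificate authority.
$TargetSpns = @()
foreach ($dc in $DCs) {
    foreach ($svc in 'cifs', 'ldap', 'protectedstorage') {
        $TargetSpns += "$svc/$dc.$Domain"
        $TargetSpns += "$svc/$dc"
    }
}
$TargetSpns += "HOST/$CA.$Domain"
$TargetSpns += "HOST/$CA"

$state = Get-DelegationState -ComputerName $FileServer
$state | Format-List

if ($state.Unconstrained) {
    # This is the "left over" setting: while this bit is set the KDC issues
    # forwardable tickets for any service, so the SPN list is not what is
    # making remote EFS work.
    Write-Warning "$FileServer is still trusted for delegation to ANY service."
}

$missing = $TargetSpns | Where-Object { $state.AllowedToDelegateTo -notcontains $_ }
if ($missing) {
    Write-Host "SPNs not yet present in msDS-AllowedToDelegateTo:"
    $missing | ForEach-Object { Write-Host "  $_" }
}

if ($Apply) {
    # Same effect as choosing "Trust this computer for delegation to
    # specified services only" in the Delegation tab and adding these SPNs.
    Set-ADComputer -Identity $FileServer -TrustedForDelegation $false
    Set-ADComputer -Identity $FileServer -Replace @{ 'msDS-AllowedToDelegateTo' = $TargetSpns }
    Get-DelegationState -ComputerName $FileServer | Format-List
}
```

Running it once in report mode before and once after the GUI change shows whether the unconstrained bit was actually cleared when the "specified services only" option was selected, which is the difference between the two configurations the post describes. Note that the SPNs are stored on the file server's account even though they name services on other hosts: msDS-AllowedToDelegateTo lists the targets the file server may obtain tickets to on the user's behalf, so that is where the DC and CA SPNs belong.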

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here:
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin