As a follow-up, we recently convened a call with MS PS, and the SPNs I outlined below are indeed what are necessary. They are considered a "very low" risk from MS's standpoint, and the primary risk is to the user accounts that might be requesting delegation. IOW you aren't opening up additional attack surface(s) on your DCs or CAs.
Additionally you require auto-enrollment and/or smartcard certs (the latter only for Vista+) in your domain to be configured on your CAs (something that is biting us).

-sc

From: Steven M. Caesare
Sent: Tuesday, August 31, 2010 3:24 PM
To: NTSysAdminList
Subject: Win2K8 remote-EFS Constrained Delegation

EFS of remote shares requires the file server be trusted for delegation (along with the user being allowed for delegation as well). And you need to have a PKI in place. Simply delegating the entire file server works, but can be a security issue. Constrained delegation is available in Win2K3 and above to deal with this, but there is a dearth of info that I can find that indicates what SPNs would need to specifically be delegated to get this to work. I found one post where the following was suggested:

On the file server:
cifs; ldap; protectedstorage (add for each DC)
HOST (add for your cert authority)

Now, this SEEMS to work for me, but I'm not sure if this is only because I had previously delegated the entire file server and there's a setting "left over". (I've gpupdate'd my file server and client test machine.)

I guess I'm somewhat surprised at this recommendation, because even though I'm performing these delegations on the file-server AD object, I'm actually specifying services on other machines...

Thoughts or pointers to where this might be explained more fully?

Thanks.

-sc
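The SPN list discussed in the thread, applied and then verified with the ActiveDirectory PowerShell module. This is an added example, not code from either message; the names FS01, DC01, DC02, CA01 and efsuser are assumed placeholders, and it assumes rights to edit the file server's computer object.

```powershell
# Added example: constrained delegation for remote EFS on a file server, using the
# SPNs suggested in the thread (cifs/ldap/protectedstorage per DC, HOST for the CA).
# All host and user names below are assumed placeholders.
Import-Module ActiveDirectory

$fileServer        = 'FS01'            # file server whose AD object gets the delegation list
$domainControllers = @('DC01', 'DC02') # every DC the file server may need to talk to
$certAuthority     = 'CA01'            # enterprise CA issuing the EFS certs
$testUser          = 'efsuser'         # account that will open EFS files on the share
$domainSuffix      = (Get-ADDomain).DNSRoot

# Build the SPN list. Short and FQDN forms are both listed because clients may
# request tickets for either name form.
$spns = @(
    foreach ($dc in $domainControllers) {
        foreach ($svc in 'cifs', 'ldap', 'protectedstorage') {
            "$svc/$dc"
            "$svc/$dc.$domainSuffix"
        }
    }
)
$spns += "HOST/$certAuthority", "HOST/$certAuthority.$domainSuffix"

# Constrained delegation is stored in msDS-AllowedToDelegateTo on the
# file server's computer object; the services named live on other machines,
# which is why the list looks odd even though it is set on the file server.
Set-ADComputer -Identity $fileServer -Add @{ 'msDS-AllowedToDelegateTo' = $spns }

# Verify. If the broad "trust for delegation to any service" flag is still on
# from an earlier unconstrained setup, a working test proves nothing about the
# SPN list, which is the "left over setting" concern raised in the thread.
$fs = Get-ADComputer -Identity $fileServer -Properties TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
if ($fs.TrustedForDelegation) {
    Write-Warning "$fileServer is still trusted for unconstrained delegation; clear that before testing."
}
if ($fs.TrustedToAuthForDelegation) {
    Write-Warning "$fileServer has protocol transition enabled; Kerberos-only constrained delegation is sufficient here."
}
"Allowed delegation targets on ${fileServer}:"
$fs.'msDS-AllowedToDelegateTo' | Sort-Object

# The user side: the account must itself be allowed to be delegated.
$u = Get-ADUser -Identity $testUser -Properties AccountNotDelegated
if ($u.AccountNotDelegated) {
    Write-Warning "$testUser is marked 'sensitive and cannot be delegated'; remote EFS will fail for this account."
}
```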
