Re: Delegation with S4U or How to use S4U to impersonate a user on a remote server?

From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 10/13/05


Date: Wed, 12 Oct 2005 21:55:33 -0500

I'm not actually sure that is telling you that you can't delegate. If the
kerb ticket is forwardable and the service process has rights to delegate to
the target service using any protocol in AD, then it should work.

The ticket should have forwardable set unless the account in question is set
as "sensitive and cannot be delegated".

Joe K.

"Borislav Marinov" <bobbymarino@engineer.com> wrote in message
news:1129168144.799023.49030@g47g2000cwa.googlegroups.com...
>I am still getting an "Impersonation" token instead of
> "Delegation" token.
> Here is my process token before and the impersonation token produced by
> this process (note that the impersonation level on the second one IS
> NOT DELEGATION):
> ============= Original Process Token ===========
> Token: 0x00000090, PID: 0x00000550, TID: 0x00000d1c
> User: 'svctest@KERBEROS', ATTR:0x00000000
> Token type: TokenPrimary
> Session ID - token:0x00000000, Process:0x00000000
> Privilegues :
> SeTcbPrivilege :
> SeCreateTokenPrivilege :
> SeAssignPrimaryTokenPrivilege :
> SeIncreaseQuotaPrivilege :
> SeImpersonatePrivilege : Enabled DfltEnabled
> SeEnableDelegationPrivilege :
> SeChangeNotifyPrivilege : Enabled DfltEnabled
> SeSecurityPrivilege :
> SeBackupPrivilege :
> SeRestorePrivilege :
> SeSystemtimePrivilege :
> SeShutdownPrivilege :
> SeRemoteShutdownPrivilege :
> SeTakeOwnershipPrivilege :
> SeDebugPrivilege :
> SeSystemEnvironmentPrivilege :
> SeSystemProfilePrivilege :
> SeProfileSingleProcessPrivilege :
> SeIncreaseBasePriorityPrivilege :
> SeLoadDriverPrivilege :
> SeCreatePagefilePrivilege :
> SeUndockPrivilege :
> SeManageVolumePrivilege :
> SeCreateGlobalPrivilege : Enabled DfltEnabled
> SeMachineAccountPrivilege :
>
> ============= Impersonation Token ===========
> Token: 0x000000a4, PID: 0x00000550, TID: 0x00000d1c
> User: 'testsvc@KERBEROS', ATTR:0x00000000
> Token type: TokenImpersonation
> Session ID - token:0x00000000, Process:0x00000000
> ImpersonationLvl: SecurityImpersonation
> Privilegues :
> SeTcbPrivilege : Enabled DfltEnabled
> SeCreateTokenPrivilege : Enabled DfltEnabled
> SeAssignPrimaryTokenPrivilege : Enabled DfltEnabled
> SeImpersonatePrivilege : Enabled DfltEnabled
> SeEnableDelegationPrivilege : Enabled DfltEnabled
> SeChangeNotifyPrivilege : Enabled DfltEnabled
> SeMachineAccountPrivilege : Enabled DfltEnabled
>
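The two AD preconditions Joe names (the S4U2Self ticket must be forwardable, and the service account must be allowed to delegate to the target "using any protocol") can be checked offline against the account attributes before debugging the token. The following is an added example, not code from the thread or from either poster: it evaluates the `userAccountControl` bits and the `msDS-AllowedToDelegateTo` list exactly as an administrator would pull them from AD, and reports why a given service/user/target combination would end with an impersonation-only token. The account names, SPNs and attribute values are constructed for the demo; later additions such as resource-based constrained delegation and the Protected Users group are deliberately not modelled.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# userAccountControl flag bits relevant to delegation (values from the AD schema)
NOT_DELEGATED = 0x00100000                   # "Account is sensitive and cannot be delegated"
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation; S4U2Self yields no TGT, so it does not help here
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # "Use any authentication protocol" (protocol transition)
NORMAL_ACCOUNT = 0x00000200


@dataclass
class AdAccount:
    """Subset of an AD account as an LDAP query would return it (constructed for this example)."""
    sam_account_name: str
    user_account_control: int
    allowed_to_delegate_to: list[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo


def spn_listed(spn: str, allowed: list[str]) -> bool:
    """msDS-AllowedToDelegateTo holds full SPNs; SPN comparison is case-insensitive."""
    return spn.lower() in (a.lower() for a in allowed)


def check_s4u_delegation(service: AdAccount, user: AdAccount, target_spn: str) -> list[str]:
    """Return the reasons S4U2Self + S4U2Proxy by `service`, on behalf of `user`, to
    `target_spn` would NOT yield a forwardable (delegation-level) ticket.
    An empty list means all three AD preconditions checked here are satisfied."""
    problems: list[str] = []
    if user.user_account_control & NOT_DELEGATED:
        problems.append(
            f"{user.sam_account_name}: 'sensitive and cannot be delegated' is set; "
            "the KDC will not mark the S4U2Self ticket forwardable")
    if not service.user_account_control & TRUSTED_TO_AUTH_FOR_DELEGATION:
        problems.append(
            f"{service.sam_account_name}: not trusted to authenticate for delegation "
            "('use any authentication protocol'), so the S4U2Self ticket is not forwardable")
    if not spn_listed(target_spn, service.allowed_to_delegate_to):
        problems.append(
            f"{service.sam_account_name}: {target_spn} is not in msDS-AllowedToDelegateTo, "
            "so S4U2Proxy to that service will be refused")
    return problems


def demo() -> dict[str, list[str]]:
    """Constructed scenarios (not data from the thread): one misconfigured pair, one correct
    pair, and a correct pair asked to delegate to a service outside its allowed list."""
    target = "cifs/fileserver.corp.example.com"
    # Service account with a constrained-delegation list but Kerberos-only delegation;
    # user flagged as sensitive. Both of Joe's conditions fail.
    bad_service = AdAccount("svctest", NORMAL_ACCOUNT, [target])
    sensitive_user = AdAccount("alice", NORMAL_ACCOUNT | NOT_DELEGATED)
    # Service account with "use any authentication protocol" and the target SPN listed;
    # ordinary user. This is the configuration under which the token should be SecurityDelegation.
    good_service = AdAccount("svctest", NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION, [target])
    normal_user = AdAccount("bob", NORMAL_ACCOUNT)
    return {
        "misconfigured": check_s4u_delegation(bad_service, sensitive_user, target),
        "ok": check_s4u_delegation(good_service, normal_user, target),
        "wrong_spn": check_s4u_delegation(good_service, normal_user, "HTTP/web.corp.example.com"),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(f"== {name} ==")
        print("\n".join(problems) if problems else "no delegation blockers found")
```

To run it against a real directory, populate `AdAccount` from the `userAccountControl` and `msDS-AllowedToDelegateTo` attributes of the service account and the user being impersonated; a zero-length result for the intended target SPN is the state in which the impersonation token produced by S4U should reach `SecurityDelegation` rather than `SecurityImpersonation`.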

