Configuration of constrained delegation on Windows 2003 Server for LOCAL SYSTEM account

From: paul yang (pyang_at_rsasecurity.com)
Date: 09/26/03

Date: 25 Sep 2003 20:56:26 -0700

Hi,

Does anyone know how to configure constrained delegation using local
system account?

I have an ISAPI wildcard extension that is installed on the Exchange
front-end server for OWA access. The function of the ISAPI extension is
to create a logon handle for a user after the user has been authenticated
by some method other than Windows authentication (for example,
SecurID). The ISAPI extension calls LsaLogonUser to get a token and
uses the token to impersonate the user's identity in the child URL
execution.

Things work fine if I install OWA and Exchange server on the same
machine. But in the front-end/back-end configuration of Exchange server,
where the front-end Exchange authenticates the user, then forwards the
request to the back-end Exchange server to access the user's mailbox, I get
an 'access denied' message.

It seems that the configuration for constrained delegation does not
work. I followed the configuration steps in the MS white paper 'Kerberos
Protocol Transition and Constrained Delegation'. There is an example
in that article that I was able to get to work.

The difference between my Exchange configuration and the example
configuration is that the application pool that runs Exchange server
OWA in IIS uses the Local System account, and the Exchange server itself
runs under the Local System account too, whereas the example in that
article uses a domain user's identity to run the SQL service and the IIS
application pool.

Since the Local System account is a built-in account, it does not show
up in the 'Active Directory Users and Computers' MMC. How can I delegate
from a service running under the Local System account on one computer to
a service running under the Local System account on another computer?
Assume that those computers are in the same Windows 2003 AD domain.

Any advice is appreciated.

Thanks.

Paul
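As an added example (not part of Paul's post, and not Microsoft's tooling): a small audit of the directory attributes that this scenario depends on. A service running as Local System authenticates to the network as the machine account (HOST$), so the constrained-delegation settings live on the front-end computer object: the TRUSTED_TO_AUTH_FOR_DELEGATION bit of userAccountControl (needed when the user did not arrive with Kerberos, as with SecurID plus LsaLogonUser) and the back-end SPN in msDS-AllowedToDelegateTo. Host names, SPNs and attribute values below are constructed.

```python
# Added example: audit the AD attributes constrained delegation with
# protocol transition relies on. Attribute values here are constructed
# to mimic LDAP output; they are not from a real directory.

TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained: any service
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any authentication protocol"
WORKSTATION_TRUST_ACCOUNT = 0x1000          # ordinary computer account bit


def check_constrained_delegation(frontend, target_spn, kerberos_client=False):
    """Return the reasons delegation from `frontend` to `target_spn` would
    fail; an empty list means the configuration looks right.

    `frontend` mimics the computer account a Local System service uses:
    'userAccountControl' (int) and 'msDS-AllowedToDelegateTo' (list of SPNs).
    `kerberos_client` is True only if the user authenticated to the front end
    with Kerberos; otherwise S4U2Self (protocol transition) is required.
    """
    problems = []
    uac = frontend["userAccountControl"]
    allowed = [s.lower() for s in frontend.get("msDS-AllowedToDelegateTo", [])]

    if uac & TRUSTED_FOR_DELEGATION:
        problems.append("unconstrained delegation is set; use constrained instead")
    if not kerberos_client and not (uac & TRUSTED_TO_AUTH_FOR_DELEGATION):
        problems.append("TRUSTED_TO_AUTH_FOR_DELEGATION not set: protocol "
                        "transition is required for non-Kerberos logons")
    if not allowed:
        problems.append("msDS-AllowedToDelegateTo is empty")
    elif target_spn.lower() not in allowed:   # SPN match is case-insensitive
        problems.append(f"{target_spn} is not in msDS-AllowedToDelegateTo")
    return problems


# Constructed front-end computer accounts: default, and correctly configured.
FRONTEND_DEFAULT = {"userAccountControl": WORKSTATION_TRUST_ACCOUNT,
                    "msDS-AllowedToDelegateTo": []}
FRONTEND_GOOD = {"userAccountControl": WORKSTATION_TRUST_ACCOUNT
                 | TRUSTED_TO_AUTH_FOR_DELEGATION,
                 "msDS-AllowedToDelegateTo": ["HTTP/exbe01.corp.example",
                                              "HTTP/exbe01"]}

if __name__ == "__main__":
    for name, fe in (("default", FRONTEND_DEFAULT), ("good", FRONTEND_GOOD)):
        print(name, check_constrained_delegation(fe, "HTTP/exbe01.corp.example"))
```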