Re: Configuration of constrained delegation on windows 2003 server for LOCAL SYSTEM account

From: Vishal Agarwal[MSFT] (
Date: 09/27/03

Date: Sat, 27 Sep 2003 10:13:25 -0700

Local System corresponds to the Computer account. Have you tried
constraining the computer account?


This posting is provided "AS IS" with no warranties, and confers no rights
"paul yang" <> wrote in message
> Hi,
> Does anyone know how to configure constrained delegation using local
> system account?
> I have an ISAPI wildcard extension that is installed on exchange
> frontend server for OWA access. The function of the ISAPI extension is
> to create a logon handle for a user after user had been authenticated
> by some method other than windows authentication( for example,
> securid). The isapie extension calls LsaLogonUser to get a token and
> use the token to impersonate the user's identity in the child url
> execution.
> Things work fine if I install OWA, exchange server on the same
> machine. But in the frontend/backend configurtion of exchange server,
> where the frontend exchange authenticates user , then forwards the
> request to backend exchange server to access user's mailbox. I get
> 'access denied' message.
> It seems that the configuration for constrained delegation does not
> work. I followed the configuration steps in the MS whitepage 'Kerberos
> Protocol Trnasition and Constrained Delegation'. There is an example
> in that article that I was able to get it work.
> The difference of my exchange configuration and the example
> configuration is that the application pool that runs exchange server
> OWA in IIS uses Local System account, and the exchange server itself
> runs in Local System account too.
> whereas the example in that article uses domain user's identity to run
> sql service and IIS application pool.
> Since the Local System accout is a built-in accout, it does not show
> up in 'Active directory User and Computer' MMC. How can I delegate the
> service run in Local System account in one computer to service run in
> Local System account run in another computer? Assume that those
> computers are in the same windows 2003 AD domain.
> Any advice is appreciated.
> Thanks.
> Paul