Re: Configuration of constrained delegation on windows 2003 server for LOCAL SYSTEM account

From: Vishal Agarwal[MSFT] (vishala_at_online.microsoft.com)
Date: 09/27/03


Date: Sat, 27 Sep 2003 10:13:25 -0700


Local System corresponds to the Computer account. Have you tried
constraining the computer account?

Thanks,
Vishal[MSFT]

-- 
This posting is provided "AS IS" with no warranties, and confers no rights
"paul yang" <pyang@rsasecurity.com> wrote in message
news:458f5504.0309251956.40c9ee00@posting.google.com...
> Hi,
>
> Does anyone know how to configure constrained delegation using local
> system account?
>
> I have an ISAPI wildcard extension that is installed on the Exchange
> frontend server for OWA access. The function of the ISAPI extension is
> to create a logon handle for a user after the user has been authenticated
> by some method other than Windows authentication (for example,
> SecurID). The ISAPI extension calls LsaLogonUser to get a token and
> uses the token to impersonate the user's identity in the child URL
> execution.
>
> Things work fine if I install OWA and Exchange server on the same
> machine. But in the frontend/backend configuration of Exchange server,
> where the frontend Exchange authenticates the user, then forwards the
> request to the backend Exchange server to access the user's mailbox, I get
> an 'access denied' message.
>
> It seems that the configuration for constrained delegation does not
> work. I followed the configuration steps in the MS whitepaper 'Kerberos
> Protocol Transition and Constrained Delegation'. There is an example
> in that article that I was able to get to work.
>
> The difference between my Exchange configuration and the example
> configuration is that the application pool that runs Exchange server
> OWA in IIS uses the Local System account, and the Exchange server itself
> runs under the Local System account too,
> whereas the example in that article uses a domain user's identity to run
> the SQL service and the IIS application pool.
>
> Since the Local System account is a built-in account, it does not show
> up in the 'Active Directory Users and Computers' MMC. How can I delegate the
> service running under the Local System account on one computer to a service running under
> the Local System account on another computer? Assume that those
> computers are in the same Windows 2003 AD domain.
>
> Any advice is appreciated.
>
> Thanks.
>
> Paul
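Since Local System authenticates on the network as the machine's computer account, the object to inspect is the front-end computer account itself. The following audit helper is an added example, not code from this thread: given that account's LDAP attributes it reports whether constrained delegation to a back-end SPN is configured, including the protocol-transition bit that is needed when the user is authenticated by something other than Kerberos. The attribute names and userAccountControl values are the real AD ones; the account FRONTEND$, the SPN HTTP/backend.corp.example and all other sample data are constructed.

```python
# Added audit helper (not from the thread): given the LDAP attributes of a
# computer account, decide whether Kerberos constrained delegation to a
# target SPN is configured. Local System authenticates on the network as
# the computer account, so that is the object to inspect. Flag values and
# attribute names are the real AD ones; all sample data is constructed.

# userAccountControl bits that matter for delegation (ADS_UF_* constants)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive", set on users
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self)


def delegation_status(service: dict, target_spn: str,
                      kerberos_client: bool, user_uac: int = 0) -> dict:
    """Return {'allowed': bool, 'problems': [...], 'warnings': [...]}.

    service         -- LDAP attributes of the front-end computer account
    target_spn      -- SPN of the back-end service to delegate to
    kerberos_client -- False when the user was authenticated by something
                       other than Kerberos, so S4U2Self (protocol
                       transition) is needed to obtain a usable token
    user_uac        -- userAccountControl of the user being impersonated
    """
    uac = int(service.get("userAccountControl", 0))
    allowed_to = {s.lower() for s in service.get("msDS-AllowedToDelegateTo", [])}
    problems, warnings = [], []

    if uac & TRUSTED_FOR_DELEGATION:
        warnings.append("unconstrained delegation is enabled; constrain it instead")
    if target_spn.lower() not in allowed_to:
        problems.append(f"{target_spn} is not in msDS-AllowedToDelegateTo")
    if not kerberos_client and not (uac & TRUSTED_TO_AUTH_FOR_DELEGATION):
        problems.append("protocol transition not enabled (TrustedToAuthForDelegation)")
    if user_uac & NOT_DELEGATED:
        problems.append("target user is marked 'sensitive and cannot be delegated'")
    return {"allowed": not problems, "problems": problems, "warnings": warnings}


# Constructed sample: FRONTEND$ allowed to reach the back-end's HTTP service,
# with protocol transition on because users log in with a one-time password.
FRONTEND = {
    "sAMAccountName": "FRONTEND$",
    "userAccountControl": 0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION,  # workstation trust + transition
    "msDS-AllowedToDelegateTo": ["HTTP/backend.corp.example", "HTTP/backend"],
}

if __name__ == "__main__":
    print(delegation_status(FRONTEND, "HTTP/backend.corp.example", kerberos_client=False))
```

In a real audit the attribute dictionary would be filled from an LDAP query against the front-end's computer object rather than constructed inline.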

