Re: Configuration of constrained delegation on windows 2003 server for LOCAL SYSTEM account
From: Vishal Agarwal[MSFT] (vishala_at_online.microsoft.com)
Date: Sat, 27 Sep 2003 10:13:25 -0700
Local System corresponds to the Computer account. Have you tried
constraining the computer account?
-- This posting is provided "AS IS" with no warranties, and confers no rights

"paul yang" <email@example.com> wrote in message news:firstname.lastname@example.org...
> Hi,
>
> Does anyone know how to configure constrained delegation using the local
> system account?
>
> I have an ISAPI wildcard extension that is installed on the Exchange
> front-end server for OWA access. The function of the ISAPI extension is
> to create a logon handle for a user after the user has been authenticated
> by some method other than Windows authentication (for example,
> SecurID). The ISAPI extension calls LsaLogonUser to get a token and
> uses the token to impersonate the user's identity in the child URL
> execution.
>
> Things work fine if I install OWA and Exchange Server on the same
> machine. But in the front-end/back-end configuration of Exchange Server,
> where the front-end Exchange authenticates the user, then forwards the
> request to the back-end Exchange server to access the user's mailbox, I get
> an 'access denied' message.
>
> It seems that the configuration for constrained delegation does not
> work. I followed the configuration steps in the MS whitepaper 'Kerberos
> Protocol Transition and Constrained Delegation'. There is an example
> in that article that I was able to get to work.
>
> The difference between my Exchange configuration and the example
> configuration is that the application pool that runs Exchange Server
> OWA in IIS uses the Local System account, and the Exchange server itself
> runs under the Local System account too,
> whereas the example in that article uses a domain user's identity to run
> the SQL service and the IIS application pool.
>
> Since the Local System account is a built-in account, it does not show
> up in the 'Active Directory Users and Computers' MMC. How can I delegate the
> service run in the Local System account on one computer to the service run in
> the Local System account on another computer? Assume that those
> computers are in the same Windows 2003 AD domain.
>
> Any advice is appreciated.
>
> Thanks.
>
> Paul
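The computer-account constraint the reply suggests, as an added example that is not from the original thread: it assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 RSAT or later, so newer tooling than the 2003-era thread, but it writes the same two attributes the Delegation tab in ADUC sets) and the hypothetical names FRONTEND, BACKEND and corp.example.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and the
# hypothetical names FRONTEND (front-end Exchange/OWA server whose Local System, i.e.
# computer account, does the delegating), BACKEND (back-end Exchange server) and
# the domain corp.example.
Import-Module ActiveDirectory

$frontEnd   = 'FRONTEND'                  # computer account to constrain
$backEndSpn = 'HTTP/backend.corp.example' # SPN of the back-end service (assumed name)

# 1. Constrain the front end's computer account so it may delegate only to the
#    back-end service (msDS-AllowedToDelegateTo). Anything not listed here is refused.
Set-ADComputer -Identity $frontEnd -Add @{'msDS-AllowedToDelegateTo' = $backEndSpn}

# 2. Allow protocol transition (the TRUSTED_TO_AUTH_FOR_DELEGATION bit). Required here
#    because the user is authenticated by SecurID, not Kerberos, and the token comes
#    from LsaLogonUser rather than from a forwardable ticket the user presented.
Get-ADComputer -Identity $frontEnd | Set-ADAccountControl -TrustedToAuthForDelegation $true

# 3. Verify what the computer object now carries.
Get-ADComputer -Identity $frontEnd -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# 4. Audit: list every account in the domain trusted for protocol transition
#    (userAccountControl bit 0x1000000 = 16777216, matched with the LDAP bitwise-AND rule).
#    Such an account can obtain a ticket as any user to the services it lists, so the
#    list should be short and each entry's target SPNs reviewed.
Get-ADObject -LDAPFilter '(&(userAccountControl:1.2.840.113556.1.4.803:=16777216)(msDS-AllowedToDelegateTo=*))' `
    -Properties sAMAccountName, msDS-AllowedToDelegateTo |
    Select-Object sAMAccountName,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

Steps 1 and 2 need an account with write access to the front-end computer object (by default Domain Admins); the two SPN directions are distinct, so the back end's own delegation settings do not need to change for this request path.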