Re: Kerberos Ticket User

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: Wed, 27 Apr 2005 11:07:13 -0400

Strictly speaking, any Kerberized computer in an AD domain has a user account:
it is the machine account of the computer. This means you can ACL resources for
specific machines. The LocalSystem and NetworkService well-known security
principals use the computer credentials when accessing remote resources.

For instance, if I wanted the LocalSystem/NetworkService on one DC to be able to
access a file share on a computer, I can add the machine account for that DC to
the ACL on that file share and then anything running under those two contexts
could access that file share.

Not sure if the proxy server is smart enough to work with this but if you are
simply setting an ACL and the proxy is on a machine that is part of the forest,
it *may* work.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

Will wrote:
> If you are not familiar with Microsoft Proxy Server 2.0, it has a
> mode where only domain accounts can get through the proxy.
> SYSTEM accounts are always forbidden from getting through the
> proxy.
> 
> I need Kerberos tickets to pass out through the proxy. The only
> way I can think to make that happen is for the Kerberos ticket
> service to run as a domain account.
> 
> Is there any way to run the Kerberos ticket server under the
> permissions of a specific domain user, or did Microsoft hack it
> in such a way that it must always run as SYSTEM?
> 
> What is the purpose of the krbtgt account if it is always
> disabled?
> 
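The ACL step Joe describes (granting a DC's machine account access to a share so that LocalSystem/NetworkService on that DC can reach it), written out as an added PowerShell example. This is not part of the original thread; the domain CONTOSO, the computer DC01, the share name and the folder path are assumptions.

```powershell
# Added example, not from the original post. Grants a domain controller's
# machine account (CONTOSO\DC01$) read access to a file share. Anything on
# DC01 running as LocalSystem or NetworkService then authenticates to the
# file server with the computer's Kerberos credentials and is matched by
# this ACE. Domain, host, share and path are assumptions; run on the file
# server as a local administrator.

$MachineAccount = 'CONTOSO\DC01$'   # machine accounts always end in '$'
$SharePath      = 'D:\Shares\Logs'
$ShareName      = 'Logs'

# 1. NTFS permission on the folder (the ACL Joe refers to).
$acl  = Get-Acl -Path $SharePath
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $MachineAccount,
    'ReadAndExecute',                   # FileSystemRights
    'ContainerInherit, ObjectInherit',  # apply to subfolders and files
    'None',                             # PropagationFlags
    'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 2. Share-level permission. Both layers must allow the principal; the
#    effective access is the more restrictive of the two.
#    Grant-SmbShareAccess is in the SmbShare module (Windows Server 2012+).
Grant-SmbShareAccess -Name $ShareName -AccountName $MachineAccount -AccessRight Read -Force

# 3. Read back both ACLs and confirm the machine account is present.
(Get-Acl -Path $SharePath).Access |
    Where-Object { $_.IdentityReference.Value -eq $MachineAccount } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType

Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccountName -eq $MachineAccount }
```

When checking whether this worked from the DC side, remember that `whoami` run as LocalSystem on DC01 reports `NT AUTHORITY\SYSTEM`, but the file server sees a network logon for `CONTOSO\DC01$`; a 4624 event on the file server with that account name is the quickest confirmation that the computer credentials were used.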
