Question - What is Constrained Delegation

J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan

Applies to

Answer:

Kerberos delegation on Windows Server 2000 is unconstrained: servers that are configured as trusted for delegation in Active Directory can access any network resource on any machine on the network while using the impersonated user's security context. This represents a potential security threat, particularly if the Web server is compromised. To address this issue, Windows Server 2003 introduces constrained delegation. This allows administrators to specify exactly which services on a downstream server the delegating server or domain account can access when using an impersonated user's security context.

Note: The list of services that can be accessed by delegation is maintained in an Active Directory list referred to as the A2D2 list.
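The following PowerShell is an added example, not part of this FAQ entry: it reports which accounts are trusted for unconstrained delegation versus constrained (an A2D2 list is present), and then constrains a Web server's delegation to a single SQL Server service. It assumes the RSAT ActiveDirectory module and uses hypothetical computer names (WEB01, SQL01) and a hypothetical SPN.

```powershell
# Added example (not from the patterns & practices FAQ): audit delegation settings
# in Active Directory and constrain a Web server's delegation to one SQL service.
# Assumes the RSAT ActiveDirectory module; WEB01, SQL01 and the SPN are hypothetical.
Import-Module ActiveDirectory

# userAccountControl flags (bit values defined by the AD schema)
$TRUSTED_FOR_DELEGATION         = 0x80000     # unconstrained: any service, any host
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # constrained with protocol transition

# 1. Report every account that can delegate and whether it is constrained.
#    The LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803) tests the
#    TRUSTED_FOR_DELEGATION bit (524288 = 0x80000).
function Get-DelegationReport {
    Get-ADObject -LDAPFilter '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*))' `
        -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
    ForEach-Object {
        $uac  = [int]$_.userAccountControl
        $a2d2 = @($_.'msDS-AllowedToDelegateTo')
        [pscustomobject]@{
            Name          = $_.Name
            Unconstrained = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
            ProtocolTrans = ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
            AllowedTo     = $a2d2 -join '; '   # the A2D2 list the answer refers to
        }
    }
}

# 2. Replace unconstrained delegation on the Web server with a single A2D2 entry
#    that permits delegation only to the SQL Server service on SQL01.
function Set-ConstrainedDelegation {
    param(
        [string]$Computer  = 'WEB01',                              # hypothetical
        [string]$TargetSpn = 'MSSQLSvc/sql01.corp.example:1433'    # hypothetical
    )
    # Clear the unconstrained flag first, then add the one permitted target SPN.
    Set-ADAccountControl -Identity "$Computer`$" -TrustedForDelegation $false
    Set-ADComputer -Identity $Computer -Add @{'msDS-AllowedToDelegateTo' = $TargetSpn}
}

# Accounts still trusted for unconstrained delegation are the ones to review.
Get-DelegationReport | Where-Object Unconstrained | Format-Table -AutoSize
```

Run the report again after Set-ConstrainedDelegation: the Web server should now show Unconstrained = False with the target SPN in AllowedTo.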

Additional Resources

Attributes

  • Author: J.D. Meier, Alex Mackman, Blaine Wastell, Prashant Bansode, Andy Wigley, Kishore Gopalan

  • Category: Impersonation and Delegation

  • filePath: ..\Libraries\patterns & practices Library\faq\91fa3c27-b73d-4730-8a4c-23cbfa02af3e.xml

  • Pri: 2

  • Rule Type: Implementation

  • Source: patterns & practices Library

  • Status: Release

  • Technology: ASP.NET 2.0

  • Title: Question - What is Constrained Delegation

  • Topic: Security

  • Type: Question and Answer

  • ID: 91fa3c27-b73d-4730-8a4c-23cbfa02af3e