Thanks for the info.
 
When you say any service could leverage tokens from other users, are you referring to services that are running on that box or services running somewhere on the network? If the server is secure and limited people have access to it, wouldn't that make it more secure?
 
Thanks
 
Y


From: Grillenmeier, Guido
Sent: Thu 07/10/2004 6:26 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Trust Computer for delegation

If you have Win2000, you'll be opening security holes, since basically any service could leverage tokens from other users connecting to it to do whatever it likes as the user.
 
That's why in 2003, constrained delegation was added, so you can configure it for just a specific service...
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of AD
Sent: Thursday, October 07, 2004 9:01 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Trust Computer for delegation

Ladies and Gentlemen,
 
Can someone tell me what exactly happens or what the ramifications are when you enable "Trust Computer for delegation"?
 
I wrote an ASP.NET app that uses current credentials to authenticate. I know that the web app works when this "Feature" is on, and I know that it doesn't when it is off.
 
I know that it allows for the forwarding of Kerberos tickets from a different computer but I do not know if this breaks or better yet opens the door for hackers.
 
Any feedback on this matter would be appreciated.
 
Thanks
 
Yves
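
An added example, not part of the original thread: a small audit that separates accounts carrying the "Trust computer for delegation" flag (unconstrained) from accounts limited to specific services (constrained delegation), using the documented `userAccountControl` bits and the `msDS-AllowedToDelegateTo` attribute. The account names and SPN in the sample data are constructed for illustration.

```python
# Added example: classify Kerberos delegation settings from directory attributes.
# The userAccountControl bit values are the documented Active Directory flags.
TRUSTED_FOR_DELEGATION = 0x80000            # "Trust this computer for delegation" (unconstrained)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition, used with constrained delegation
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account

# LDAP filter (bitwise-AND matching rule) that finds every account with the unconstrained flag.
UNCONSTRAINED_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=524288)"


def classify(entry):
    """Return the delegation mode for one directory entry (a dict of attributes)."""
    uac = int(entry.get("userAccountControl", 0))
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    if uac & TRUSTED_FOR_DELEGATION:
        # Domain controllers carry this flag by default; any other account deserves review.
        if uac & SERVER_TRUST_ACCOUNT:
            return "unconstrained (domain controller)"
        return "unconstrained"
    if targets:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained with protocol transition"
        return "constrained"
    return "none"


def audit(entries):
    """Map each delegating account to its mode and the services it may delegate to."""
    report = {}
    for e in entries:
        mode = classify(e)
        if mode != "none":
            report[e["sAMAccountName"]] = (mode, list(e.get("msDS-AllowedToDelegateTo", [])))
    return report


# Constructed sample entries (hypothetical names), shaped like an LDAP export.
SAMPLE = [
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000 | 0x80000},
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | 0x80000},
    {"sAMAccountName": "WEB02$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.example.test:1433"]},
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x1000},
]

if __name__ == "__main__":
    for name, (mode, spns) in audit(SAMPLE).items():
        print(f"{name:8} {mode:35} {', '.join(spns) or '-'}")
```

Entries reported as plain "unconstrained" are the ones to move to a specific service list where the application allows it.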
 
 
