[28609] in Kerberos
Re: Trust user for delegation: AD access denied
daemon@ATHENA.MIT.EDU (pher)
Thu Oct 25 05:45:12 2007
From: "pher" <pierrot.heritier@unifr.ch>
Date: Thu, 25 Oct 2007 11:33:07 +0200
Message-ID: <4f6dnVBIC8pC_73aRVnyiAA@giganews.com>
To: kerberos@mit.edu
Thank you, but I cannot change anything in the AD, although I am the Domain
Admin.
I always get error messages "Your security settings do not allow you to
specify whether or not this account is to be trusted for delegation".
I almost know by heart all TechNet articles about delegation, but I'm still
unable to trust computer or users for delegation.
I'm desperate.
Pierrot
"Douglas E. Engert" <deengert@anl.gov> wrote in message
news:mailman.26.1192804737.4570.kerberos@mit.edu...
> This sounds like what you are looking for:
>
>> -------- Original Message --------
>> Subject: Re: Negotiate on Windows with cross-realm trust AD and MIT
>> Kereros.
>> Date: Wed, 18 Jul 2007 09:04:12 -0500
>> From: Douglas E. Engert <deengert@anl.gov>
>> To: mikkel@linet.dk
>> CC: Achim Grolms <kerberosml@grolmsnet.de>, modauthkerb-help
>> <modauthkerb-help@lists.sourceforge.net>, kerberos <kerberos@mit.edu>
>> References: <1184231952.3026.34.camel@tux.lib.cbs.dk>
>> <f76c3n$1bb$1@sea.gmane.org> <1184658106.3276.3.camel@tux.lib.cbs.dk>
>> <200707172125.18286.kerberosml@grolmsnet.de>
>> <1184745677.3078.5.camel@tux.lib.cbs.dk>
>>
>> You asked how to do this in AD...
>>
>> An AD admin sets the TRUSTED_FOR_DELEGATION in UserAccountControl for the
>> server. But not just any admin can set this; who can set the bit is
>> controlled by a group control policy on the DC. In 2000 you had to edit
>> a file. In 2003 there is a way to set it, see below.
>>
>>
>> UserAccountControl definitions:
>> http://support.microsoft.com/kb/305144
>>
>>
>> Some pointers to trusted for delegation
>> http://support.microsoft.com/kb/250874
>> http://support.microsoft.com/kb/322143/EN-US/
>> http://technet2.microsoft.com/windowsserver/en/library/72612d01-622c-46b7-ab4a-69955d0687c81033.mspx?mfr=true
>>
>>
>> Enable computer and user accounts to be trusted for delegation
>> http://technet2.microsoft.com/windowsserver/en/library/a9fd0aa2-301c-42b3-a7b1-2595631c389f1033.mspx?mfr=true
>>
>
> pierrot.heritier@unifr.ch wrote:
>> Hello all
>> I'm trying to set up Kerberos on my Windows 2003 domain. I already had
>> to raise the domain functional level to Windows 2003 in order to get
>> the Delegation tab in the SQLservice account. Now, when I try to "trust
>> this user for delegation to any service (Kerberos only)", I get an
>> Access Denied from the Active Directory, although I'm logged in as
>> domain admin.
>> I suppose I'm missing something somewhere, but what?
>
>> Pierrot
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>>
>
> --
>
> Douglas E. Engert <DEEngert@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444
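
The check described in the quoted reply (who may set TRUSTED_FOR_DELEGATION is decided by policy on the DC, not by admin membership alone), as an added example that is not part of the original thread. It assumes the user-rights export produced by `secedit /export /cfg rights.inf /areas USER_RIGHTS` on a domain controller and that the right is stored under the name `SeEnableDelegationPrivilege`; the export text and all SIDs below are constructed.

```python
TRUSTED_FOR_DELEGATION = 0x80000        # userAccountControl bit (KB 305144)
RIGHT = "SeEnableDelegationPrivilege"   # assumed internal name of the user right

# Constructed sample of a secedit USER_RIGHTS export taken on a DC.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551
SeEnableDelegationPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""
# Constructed variant: policy hands the right to one dedicated group only.
RESTRICTED_INF = SAMPLE_INF.replace(
    "SeEnableDelegationPrivilege = *S-1-5-32-544",
    "SeEnableDelegationPrivilege = *S-1-5-21-1111111111-2222222222-3333333333-1601")

# Constructed token of a domain admin: user, Domain Admins, BUILTIN\Administrators.
TOKEN = ["S-1-5-21-1111111111-2222222222-3333333333-1105",
         "S-1-5-21-1111111111-2222222222-3333333333-512",
         "S-1-5-32-544"]

def privilege_holders(inf_text, right=RIGHT):
    """SIDs/names assigned `right`; empty set when the policy has no such line."""
    section = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().lower() == right.lower():
            # SIDs are written with a leading '*'; unresolved names appear bare.
            return {v.strip().lstrip("*").upper() for v in value.split(",") if v.strip()}
    return set()

def can_set_delegation(inf_text, token_sids):
    """True if any SID in the caller's token is assigned the delegation right."""
    return bool(privilege_holders(inf_text) & {s.upper() for s in token_sids})

def is_trusted_for_delegation(uac):
    """True if a userAccountControl value has TRUSTED_FOR_DELEGATION set."""
    return bool(uac & TRUSTED_FOR_DELEGATION)
```

With `RESTRICTED_INF` the same domain admin token fails the check, which matches the "Access Denied" symptom reported above.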