Q. What can I do with the computer-object Delegation tab?
April 1, 2008
A. You can delegate. Helpful? Actually, it isn’t the typical delegation in which you allow a user or group to manage Active Directory (AD) attributes. Instead, this tab controls server-authorization delegation, which allows a service to impersonate another user or computer account when it accesses network resources.
Using the Computer Properties Delegation tab, shown below, you can allow the computer to delegate credentials to any service through the Kerberos authentication protocol. This is unconstrained delegation: any service running on that computer can access any network resource by impersonating a user who has connected to it.
The other, preferred option is to enable delegation only for specified services, which is known as constrained delegation. It’s the more secure option because the administrator controls the service principal names (SPNs) to which the account may delegate.
This type of delegation is commonly used when a user accesses a service on one computer and that service must in turn access another network resource. The catch is that the access works only if the service uses the user’s credentials instead of the computer’s Local System account.
In the Add Services dialog box, I chose a remote server, savdaldc01, and opened Computer Properties. Next, I selected the Delegation tab, then clicked the button next to the “Trust This Computer for Delegation to Specified Services Only” option. The Add Services dialog box popped up, and I chose to delegate the Common Internet File System (CIFS) service to the remote computer’s permissions. In this example, I’m running a Web site on the SRV01 server, and the Web site must access file services on the DC01 server, but must access them as the user logged on to the Web site. I had to delegate the CIFS service to the remote computer to employ the user’s credentials to access the DC01 files.
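As an added example (not from the original article), the same setting can be audited and applied with the ActiveDirectory PowerShell module instead of the Delegation tab. SRV01 and savdaldc01 are the hosts from the article; the DNS suffix contoso.com is an assumed placeholder.

```powershell
# Added example: audit Kerberos delegation on computer objects and apply the
# constrained-delegation setting from the article. Requires the ActiveDirectory
# module (RSAT). "contoso.com" is an assumed placeholder domain suffix.
Import-Module ActiveDirectory

# 1. Find every computer trusted for unconstrained delegation
#    (userAccountControl bit TRUSTED_FOR_DELEGATION = 0x80000 = 524288).
#    Each such host can impersonate any connected user against any service,
#    so every hit deserves review.
$unconstrained = Get-ADComputer `
    -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
    -Properties TrustedForDelegation
$unconstrained | Select-Object Name, DNSHostName, TrustedForDelegation

# 2. List constrained-delegation hosts and the SPNs they may reach. The
#    Delegation tab's "specified services" list is stored in
#    msDS-AllowedToDelegateTo; TrustedToAuthForDelegation is $true only when
#    "Use any authentication protocol" (protocol transition) was selected.
Get-ADComputer -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    ForEach-Object {
        [pscustomobject]@{
            Computer           = $_.Name
            ProtocolTransition = $_.TrustedToAuthForDelegation
            AllowedTargets     = ($_.'msDS-AllowedToDelegateTo' -join ', ')
        }
    }

# 3. Configure SRV01 as the article does: "Trust this computer for delegation
#    to specified services only", Kerberos only, target = CIFS on savdaldc01.
#    Both the short and FQDN SPN forms are added, matching what the GUI writes,
#    and the unconstrained flag is explicitly cleared.
Set-ADComputer -Identity 'SRV01' -Add @{
    'msDS-AllowedToDelegateTo' = @('cifs/savdaldc01', 'cifs/savdaldc01.contoso.com')
}
Set-ADComputer -Identity 'SRV01' -TrustedForDelegation $false
```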