In Windows Server, delegation is used when an account needs to impersonate another user. A real-world example makes this easy to understand: front-end web servers can impersonate users when accessing back-end databases, providing seamless access to the data those users are allowed to view or edit. Windows Server Active Directory (AD) provides delegation for scenarios like this. In this guide, we’ll see how to configure Windows Server 2022 to be trusted for delegation.
When you convert the local server into a functional server, that server will be trusted for delegation using the Kerberos protocol. However, you can always change this setting as per your requirements. Additionally, you can apply a new setting to the new servers/computers you add to AD. On the newly released Windows Server 2022, you can configure different levels of delegation:
- No delegation (default)
- Unconstrained delegation*
- Constrained delegation (Use Kerberos Only Protocols)
- Constrained delegation (Use any authentication protocol)*
In the above list, the levels marked with * are not recommended in practice.
Kerberos delegation can be used to enable an application to access resources hosted on a different server. With Server 2022 or later, we have resource-based constrained delegation, which improves on the constrained delegation model by removing the dependency on SPNs and the need for domain admin rights, allowing the resource owner to control delegation, and providing cross-domain delegation. It works on computer accounts, user accounts, and service accounts.
Let us see how to configure Windows Server 2022 to be trusted for delegation.
Configure Windows Server 2022 to be trusted for delegation
1. Open the Start Menu and go to Windows Administrative Tools > Active Directory Users and Computers.
2. In Active Directory Users and Computers, go to Domain Controllers. In the right pane, right-click the computer you want to be trusted for delegation and select Properties.
3. On the property sheet, go to the Delegation tab. Here, you can select Trust this computer for delegation to any service (Kerberos only). If you want delegation for particular services only, instead select Trust this computer for delegation to specified services only. Make sure you select Use Kerberos only after that. Note that the first option is the unconstrained delegation level that the list above marks as not recommended.
4. Once done, click Apply, then OK to apply the changes.
That’s it!
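To check the result of these steps across many machines, the following PowerShell (an added example, not part of the original guide) classifies computer accounts into the delegation levels listed above and also reports any resource-based constrained delegation entries. The host names and SPN are constructed sample values; the property names are those returned by Get-ADComputer from the ActiveDirectory module.

```powershell
# Added example: map account properties to the delegation levels from this guide.
function Get-DelegationLevel {
    param([Parameter(Mandatory, ValueFromPipeline)] $Computer)
    process {
        # Both attributes may be absent or empty; normalise them to arrays.
        $spns = @($Computer.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
        $rbcd = @($Computer.PrincipalsAllowedToDelegateToAccount | Where-Object { $_ })
        $level = if ($Computer.TrustedForDelegation) {
            'Unconstrained delegation'
        } elseif ($spns.Count -gt 0 -and $Computer.TrustedToAuthForDelegation) {
            'Constrained delegation (any authentication protocol)'
        } elseif ($spns.Count -gt 0) {
            'Constrained delegation (Kerberos only)'
        } else {
            'No delegation'
        }
        [pscustomobject]@{
            Name            = $Computer.Name
            Level           = $level
            # The two levels marked with * in the list above.
            NotRecommended  = $level -match 'Unconstrained|any authentication'
            DelegatesTo     = $spns -join '; '
            ResourceBasedBy = $rbcd -join '; '
        }
    }
}

# Constructed sample records (hypothetical hosts) so the logic runs without a domain.
$sample = @(
    [pscustomobject]@{ Name = 'DC01'; TrustedForDelegation = $true; TrustedToAuthForDelegation = $false }
    [pscustomobject]@{ Name = 'WEB01'; TrustedForDelegation = $false; TrustedToAuthForDelegation = $false
                       'msDS-AllowedToDelegateTo' = @('MSSQLSvc/sql01.corp.example:1433') }
    [pscustomobject]@{ Name = 'APP01'; TrustedForDelegation = $false; TrustedToAuthForDelegation = $true
                       'msDS-AllowedToDelegateTo' = @('MSSQLSvc/sql01.corp.example:1433') }
    [pscustomobject]@{ Name = 'SQL01'; TrustedForDelegation = $false; TrustedToAuthForDelegation = $false
                       PrincipalsAllowedToDelegateToAccount = @('CN=WEB01,CN=Computers,DC=corp,DC=example') }
)
$sample | Get-DelegationLevel | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADComputer -Filter * -Properties TrustedForDelegation, TrustedToAuthForDelegation,
#     'msDS-AllowedToDelegateTo', PrincipalsAllowedToDelegateToAccount |
#     Get-DelegationLevel | Where-Object NotRecommended
```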