Configuring an Account for Delegation Using Active Directory

Because delegate-level impersonation is such a powerful feature, with potential security risks, the behavior of delegation is controlled administratively through the Active Directory service. When a client application is granting a server permission to do delegate-level impersonation, the following two requirements must be met for it to work: the account under which the server runs must be trusted for delegation, and the client's account must not be marked as sensitive (that is, it must be allowed to be delegated). Both settings are made in Active Directory Users and Computers, as described below.

To set a user account to use delegation

  1. On the server that you have designated as your domain controller, click the Active Directory Users and Computers administrative tool.

  2. Under your domain, click the Users folder.

  3. Right-click the user account that you are allowing to use delegation, and then click Properties.

  4. Click the Account tab.

  5. If you want to allow the account to run as the identity of a server that can use delegate-level impersonation, under Account options, select the Account is trusted for delegation check box.

  6. If you want to allow the account to run as the identity of a client that can use delegate-level impersonation, under Account options, clear the Account is sensitive and cannot be delegated check box.

  7. Click OK.

The new user account settings take effect when the Active Directory schema is next updated (usually within 5 minutes if there are no network problems).

If the server process is running under a system account, the principal account is the computer account in the Active Directory. In this case, the computer account must be set to use delegation.

To set a computer account to use delegation

  1. On the server that you have designated as your domain controller, click the Active Directory Users and Computers administrative tool.

  2. Under your domain, click the Computers folder.

  3. Right-click the computer account that you are allowing to use delegation, and then click Properties.

  4. On the General tab, select the Trust computer for delegation check box.

  5. Click OK.

The new computer account settings take effect when the Active Directory schema is next updated (usually within 5 minutes if there are no network problems).
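The same two settings applied through the Active Directory module for Windows PowerShell, as an added example that is not part of the original article: it decodes the userAccountControl bits that the check boxes in both procedures above toggle (for user and computer accounts), lists every account currently trusted for delegation so that setting can be reviewed, and changes the bits with Set-ADAccountControl. The account names are placeholders.

```powershell
# Added example, not from the original article. Requires the ActiveDirectory
# module (RSAT) and rights to modify the accounts named below.
Import-Module ActiveDirectory

# userAccountControl bits behind the check boxes in the procedures above.
$TrustedForDelegationBit = 0x80000    # "Account is trusted for delegation" and
                                      # "Trust computer for delegation"
$NotDelegatedBit         = 0x100000   # "Account is sensitive and cannot be delegated"

# Decode the two delegation bits for a user or computer account.
function Get-DelegationState {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $acct = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" `
                         -Properties userAccountControl
    if (-not $acct) { throw "Account '$SamAccountName' not found" }
    $uac = [int]$acct.userAccountControl
    [pscustomobject]@{
        Account              = $SamAccountName
        TrustedForDelegation = (($uac -band $TrustedForDelegationBit) -ne 0)  # server identity
        AccountNotDelegated  = (($uac -band $NotDelegatedBit) -ne 0)          # client identity
    }
}

# Review: every account in the domain that may currently impersonate its
# clients to other services. This list should stay short and known.
function Get-AccountsTrustedForDelegation {
    $bitMatch = "(userAccountControl:1.2.840.113556.1.4.803:=$TrustedForDelegationBit)"
    Get-ADObject -LDAPFilter $bitMatch -Properties userAccountControl |
        Select-Object Name, ObjectClass, DistinguishedName
}

# --- Placeholder account names; replace with your own. ---
# User-account step 5 (server identity) and computer-account step 4:
Set-ADAccountControl -Identity 'svcComPlus'   -TrustedForDelegation $true
Set-ADAccountControl -Identity 'APPSERVER01$' -TrustedForDelegation $true
# User-account step 6 (client identity): allow this account to be delegated.
Set-ADAccountControl -Identity 'jdoe' -AccountNotDelegated $false

Get-DelegationState -SamAccountName 'svcComPlus'
Get-DelegationState -SamAccountName 'jdoe'
Get-AccountsTrustedForDelegation
```

The changes are written to the domain controller the module connects to and, like the console steps, become visible elsewhere only after replication.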

For more information about enabling delegation in Active Directory, see the help associated with the Active Directory Users and Computers administrative tool.

For step-by-step instructions on setting the impersonation level of COM+ server applications, see Setting an Impersonation Level in COM+.