Saturday, 11 June 2016

Configuring Kerberos delegation

Posted by: Ashwin Venugopal
  • Kerberos delegation (also known as Kerberos impersonation) enables a remote computer or service account to act on behalf of a user.
  • For additional security, use Kerberos constrained delegation, which limits the resources that can be accessed through delegation.
  • Kerberos delegation is widely used in web environments with IIS and Microsoft SQL Server.
    • For example, consider an IIS-based website that uses data stored in a SQL database. When a user connects to the website, the IIS server must query the SQL database for the data needed to render the page.
    • With Kerberos delegation, the query runs under the user's account.
    • Without Kerberos delegation, the query runs under a service account.
    • Some of the advantages of using Kerberos delegation:
      • SQL logs show queries from the user account, which is important for auditing and compliance.
      • Access to SQL data is based on the user account instead of a service account.
        • Only the data the user is permitted to access is returned.
      • Authentication takes place once, when the user accesses the website.
Configuring Constrained Delegation
  1. On the domain controller, open Active Directory Users and Computers.
  2. In the console tree, under DomainName, click Computers.
  3. Right-click the Web server, and then click Properties.
  4. On the Delegation tab
    • Click Trust this computer for delegation to specified services only.
    • Click Use any authentication protocol.
    • Click Add, and then click Users and Computers.
    • Type the name of the computer running the service, and then click OK.
    • From the list of available services, select the required services, and then click OK.
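The same constrained-delegation settings applied with the ActiveDirectory PowerShell module instead of the GUI, followed by a verification query and an audit of accounts still configured for unconstrained delegation. This is an added example, not code from the original post; the computer name and SQL SPN are assumptions.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module is installed and the caller has rights to modify the computer account.
Import-Module ActiveDirectory

$webServerName = 'WEBSRV01'                               # assumed: IIS computer account
$sqlSpn        = 'MSSQLSvc/sql01.corp.example.com:1433'   # assumed: SPN of the SQL service

$webServer = Get-ADComputer -Identity $webServerName

# "Trust this computer for delegation to specified services only":
# the allowed targets live in the msDS-AllowedToDelegateTo attribute.
Set-ADComputer -Identity $webServer -Add @{ 'msDS-AllowedToDelegateTo' = $sqlSpn }

# "Use any authentication protocol" sets the TRUSTED_TO_AUTH_FOR_DELEGATION
# flag (protocol transition). Set it to $false for "Use Kerberos only".
Set-ADAccountControl -Identity $webServer -TrustedToAuthForDelegation $true

# Verify: the SPN list should be populated and TrustedForDelegation
# (unconstrained delegation) should remain False.
Get-ADComputer -Identity $webServer `
    -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# Audit check: list every computer account still trusted for unconstrained
# delegation, the setting that "specified services only" is meant to replace.
Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation |
    Select-Object Name, DNSHostName
```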
Thanks for reading.
