Re: "Account is trusted for delegation" is not shown

Thanks a lot, Meinolf.

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb669899d8ca7dee68c6311a@xxxxxxxxxxxxxxxxxxxxxxx
Hello RaYlee,

Did you install the support tools to run setspn?
Then run in a command window:
setspn -a SPN domain.com\username

Where SPN is the servicename/computername (MESSENGER/SERVERNAME for
example)

setspn -a MESSENGER/SERVERNAME domain.com\username

This will add the delegation tab to the useraccount you specified.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Hello Meinolf,

Thanks for your fast response. I really appreciate.

But I tried it many times in our office's windows 2003 server on
setspn
command, but always failed
to add one SPN.
Is the command executed on the 2003 server?

Do you have any experience on running this command?

Thanks,
Raymond
"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66988e78ca7dabc2b76959@xxxxxxxxxxxxxxxxxxxxxxx

Hello RaYlee,

Depends on the functional level, if you set it from a client with an
older adminpak on 2000 pro, you can still enable it. On the 2003
ADUC then you have an additional tab called DELEGATION on the user
properties.

Or you can enable the DELEGATION tab yourself for the user if needed
on

2003 ADUC:

http://technet2.microsoft.com/windowsserver/en/library/bef202b0-c8e9-
4999-9af7-f56b991a4fd41033.mspx?mfr=true

If you cannot see the Delegation tab, do one or both of the
following: Register a Service Principal Name (SPN) for the user
account with the Setspn utility in the support tools on your CD.
Delegation is only intended to be used by service accounts, which
should have registered SPNs, as opposed to a regular user account
which typically does not have SPNs.

Also see here:
http://technet2.microsoft.com/windowsserver/en/library/dac7ecea-7c82-
43c0-847b-3a1a81454cfe1033.mspx?mfr=true
http://technet2.microsoft.com/windowsserver/en/library/bef202b0-c8e9-
4999-9af7-f56b991a4fd41033.mspx?mfr=true

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
My god...I figured out what's happening.

It should be caused by raising functional level to windows 2003. I
found
that my testing PC at home is using
windows 2000 functional level. After I raise it to windows 2003, the
"Account is trusted for delegation"
disappear from the option list.
What should I do now?? As those installation guides require to set
this
option, if this disappear,
where I can proceed?
Please advice...
Raymond

"RaYlee" <pplcm@xxxxxxx> wrote in message
news:Ob4xQ23rIHA.4376@xxxxxxxxxxxxxxxxxxxxxxx
Hi all,

This is the first time I post question here...glad to have these
newsgroup for seeking help.

I encounter a problem in setting a property for a domain account.

I need to enable an account option for a user "Account is trusted
for
delegation" in the user's properties
under Active Directory, however, this option is not available in
the
Active Directory Users and Computer
in office computer. When I back home and turn on my testing PC, I
found
that this option is shown
on the form.
I really don't understand what is missing in our office's windows
2003 server configuration?
Please kindly help.

Thanks in advance,
Raymond




.

Relevant Pages

  • Re: "Account is trusted for delegation" is not shown
    ... Where SPN is the servicename/computername (MESSENGER/SERVERNAME for ... This will add the delegation tab to the useraccount you specified. ... account with the Setspn utility in the support tools on your CD. ... It should be caused by raising functional level to windows 2003. ...
    (microsoft.public.windows.server.general)
  • Re: "Account is trusted for delegation" is not shown
    ... Did you install the support tools to run setspn? ... Where SPN is the servicename/computername ... account with the Setspn utility in the support tools on your CD. ... It should be caused by raising functional level to windows 2003. ...
    (microsoft.public.windows.server.general)
  • SETSPN breaks access to IIS web site
    ... I used SETSPN to create a servicePrincipalName for the account I'm ... To confirm that SETSPN was the problem, I deleted the SPN using SETSPN ... IIS server, which was a member of Administrators on the server, could ...
    (microsoft.public.win2000.security)
  • RE: Integrated Security fails using machine name, succeeds using FQN
    ... I think you have an SPN problem. ... by running setspn -l domain\user. ... If your app pool is running under a system account, ... registered for the DNS alias to the machine name by running setspn -l foobar. ...
    (microsoft.public.inetserver.iis.security)
  • Re: SETSPN website doesnt work
    ... I try to register one of my IIS webseite with a special account. ... I can't see the SPN with the SETSPN -L server1 ...
    (microsoft.public.windows.server.active_directory)