Re: "Account is trusted for delegation" is not shown

Hello RaYlee,

You're welcome.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Thanks a lot, Meinolf.

"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb669899d8ca7dee68c6311a@xxxxxxxxxxxxxxxxxxxxxxx

Hello RaYlee,

Did you install the support tools to run setspn?
Then run in a command window:
setspn -a SPN domain.com\username
Where SPN is the servicename/computername (MESSENGER/SERVERNAME for
example)

setspn -a MESSENGER/SERVERNAME domain.com\username

This will add the delegation tab to the useraccount you specified.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello Meinolf,

Thanks for your fast response. I really appreciate.

But I tried it many times in our office's windows 2003 server on
setspn
command, but always failed
to add one SPN.
Is the command executed on the 2003 server?
Do you have any experience on running this command?

Thanks,
Raymond
"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66988e78ca7dabc2b76959@xxxxxxxxxxxxxxxxxxxxxxx
Hello RaYlee,

Depends on the functional level, if you set it from a client with
an older adminpak on 2000 pro, you can still enable it. On the
2003 ADUC then you have an additional tab called DELEGATION on the
user properties.

Or you can enable the DELEGATION tab yourself for the user if
needed on

2003 ADUC:

http://technet2.microsoft.com/windowsserver/en/library/bef202b0-c8e
9- 4999-9af7-f56b991a4fd41033.mspx?mfr=true

If you cannot see the Delegation tab, do one or both of the
following: Register a Service Principal Name (SPN) for the user
account with the Setspn utility in the support tools on your CD.
Delegation is only intended to be used by service accounts, which
should have registered SPNs, as opposed to a regular user account
which typically does not have SPNs.

Also see here:
http://technet2.microsoft.com/windowsserver/en/library/dac7ecea-7c8
2- 43c0-847b-3a1a81454cfe1033.mspx?mfr=true
http://technet2.microsoft.com/windowsserver/en/library/bef202b0-c8e
9- 4999-9af7-f56b991a4fd41033.mspx?mfr=true

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
My god...I figured out what's happening.

It should be caused by raising functional level to windows 2003. I
found
that my testing PC at home is using
windows 2000 functional level. After I raise it to windows 2003,
the
"Account is trusted for delegation"
disappear from the option list.
What should I do now?? As those installation guides require to set
this
option, if this disappear,
where I can proceed?
Please advice...
Raymond
"RaYlee" <pplcm@xxxxxxx> wrote in message
news:Ob4xQ23rIHA.4376@xxxxxxxxxxxxxxxxxxxxxxx
Hi all,

This is the first time I post question here...glad to have these
newsgroup for seeking help.

I encounter a problem in setting a property for a domain account.

I need to enable an account option for a user "Account is trusted
for
delegation" in the user's properties
under Active Directory, however, this option is not available in
the
Active Directory Users and Computer
in office computer. When I back home and turn on my testing PC, I
found
that this option is shown
on the form.
I really don't understand what is missing in our office's windows
2003 server configuration?
Please kindly help.
Thanks in advance,
Raymond


.

Relevant Pages

  • Re: "Account is trusted for delegation" is not shown
    ... Did you install the support tools to run setspn? ... Where SPN is the servicename/computername ... account with the Setspn utility in the support tools on your CD. ... It should be caused by raising functional level to windows 2003. ...
    (microsoft.public.windows.server.general)
  • Re: "Account is trusted for delegation" is not shown
    ... Did you install the support tools to run setspn? ... Where SPN is the servicename/computername (MESSENGER/SERVERNAME for ... account with the Setspn utility in the support tools on your CD. ... It should be caused by raising functional level to windows 2003. ...
    (microsoft.public.windows.server.general)
  • Re: Kerberos ( Web Service)
    ... I know I'm supposed to create an SPN for a domain account and run the ... The only account that needs the rights to delegate is the service process ... The target of the delegation doesn't need ...
    (microsoft.public.platformsdk.security)
  • Re: System.UnauthorizedAccessException
    ... It looks like this article applies to Windows 2000 only, ... Kerberos delegation allows you to flow an authenticated identity ... The client account that is being impersonated is not marked as ... Confirm that the Server Process Account is Trusted for Delegation ...
    (microsoft.public.dotnet.framework.aspnet)
  • Re: System.UnauthorizedAccessException
    ... It looks like this article applies to Windows 2000 only, ... Kerberos delegation allows you to flow an authenticated identity ... The client account that is being impersonated is not marked as ... Confirm that the Server Process Account is Trusted for Delegation ...
    (microsoft.public.dotnet.framework.aspnet.security)