SPN and "Delegation" Tab in ADUC

    Hi everyone!
    This is my first post in this forum. I'm working on a very large Active Directory. However, today my question is regarding something I have been trying to really understand conceptually; I have scoured the internet for the last 1.5 days and yet I still do not understand it fully. I still consider myself a beginner in AD. Our forest and domain functional level is Windows Server 2003.
    In ADUC, under certain computer or user objects' properties box is a tab called Delegation. It has 3 options. I have so far understood that whichever option you select, the UAC of that object increases by 16777216 or 524288 respectively.
    However, I'm not quite getting what this really does, and what it is really used for.
    I have read lots of articles on TechNet which tell you the theory, e.g.:

    {I can't post the exact URLs as this is my first post and the forum doesn't allow me to post links unless I've made 5 posts}

    However, I'm still unclear, as these articles don't actually tell you what Delegation is all about, and they don't present any case-study type scenario where this feature solved a problem. I did find a case scenario on the Citrix site but again it was not clear. Plus these articles use generic words like Service, Client, Authenticate, User, and it's difficult to put anything in context unless I have an infrastructure diagram in front of me, so I understand what they mean by Service. Do they mean the WWW service, the SQL service? What does client mean? Does it mean the user account? Or the workstation account?
    1. So what I wanted was for somebody to please help me understand this conceptually by giving me a case study kind of thing (even if it's a very simple one), so that I can put all this theory into context.
    2. Also I'm unclear on when to use the "Trusted for Delegation" tab on user accounts and when to use it on computer accounts. If someone can give me some examples that will really, really help.
    3. SPN - What relation does SPN have with point 2 above? I know that the Delegation tab only becomes available for those accounts (user or computer) where an SPN has been set, either automatically or using the setspn tool.

    So I'm going to write here what I have understood. I don't know if this is right (I tend to think it may be inaccurate), so that you can understand and correct me.

    Let's say we have a web server (SharePoint, named Server1), a Domain Controller (DC1), a laptop (workstation named WS001) and a user account (GT) who wants to access the SharePoint portal on his laptop to see some documents. Then we have a service account (Domain\svcSP001), which is the account under which the application pool on IIS7 is running on the SharePoint server.

    1. User opens browser and types the sharepoint website address.
    2. The SharePoint application on Server1 (which is running under DOMAIN\svcSP001) impersonates the user GT's credentials and passes them on to the Domain Controller to validate GT's identity.
    3. Domain Controller issues a Service Ticket (Kerberos) to GT.
    4. Sharepoint checks to see if GT is in the correct AD security group(s) and authorises access as required.
    So in the above case, we go to ADUC and create an SPN for the Sharepoint Web server (running IIS) on the Server1 computer account.
    Then we go to the properties>Delegation tab for SVC001 and select option 3 and enter the object as Server1
    Is that correct? Or completely wrong? Lol
    Please I will really appreciate if someone can help me solve this mystery.
    Thanks for reading my question
    - Gtrivedi
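To put the three tab options and the two UAC values from the post side by side, here is an added Python example (not from this thread or from Microsoft) that maps the attributes an LDAP query would return to the tab option that set them and assigns a review priority; the account names, SPNs and attribute values are constructed. Option 2 sets TRUSTED_FOR_DELEGATION, option 3 fills msDS-AllowedToDelegateTo and, with "Use any authentication protocol" ticked, also sets TRUSTED_TO_AUTH_FOR_DELEGATION; the tab is hidden when no SPN is registered.

```python
# userAccountControl bits the ADUC Delegation tab toggles (values as cited in the post)
TRUSTED_FOR_DELEGATION = 0x80000            # 524288: option 2, "any service" (unconstrained)
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # 16777216: option 3 + "use any authentication protocol"

# Constructed sample directory objects with LDAP-style attribute names (not real accounts)
SAMPLE_OBJECTS = [
    {"name": "svcSP001",              # app-pool identity: SPN registered, constrained to one SQL SPN
     "userAccountControl": 0x10200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "servicePrincipalName": ["HTTP/server1.corp.example"],
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql1.corp.example:1433"]},
    {"name": "SERVER1$",              # computer account ticked "Trust this computer for delegation to any service"
     "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION,
     "servicePrincipalName": ["HOST/server1.corp.example"],
     "msDS-AllowedToDelegateTo": []},
    {"name": "GT",                    # ordinary user: no SPN, so ADUC shows no Delegation tab at all
     "userAccountControl": 0x10200,
     "servicePrincipalName": [],
     "msDS-AllowedToDelegateTo": []},
]


def delegation_mode(obj):
    """Map an object's attributes back to the Delegation tab option that produced them."""
    uac = obj.get("userAccountControl", 0)
    if not obj.get("servicePrincipalName"):
        return "tab-hidden"                       # no SPN registered: tab is not shown
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"                    # option 2: may delegate to any service
    if obj.get("msDS-AllowedToDelegateTo"):
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-any-protocol"     # option 3 with protocol transition
        return "constrained-kerberos-only"        # option 3, Kerberos only
    return "none"                                 # option 1: do not trust for delegation


# Review priority: unconstrained delegation lets a service reuse any caller's ticket anywhere
RISK = {"unconstrained": "high", "constrained-any-protocol": "medium",
        "constrained-kerberos-only": "low", "none": "info", "tab-hidden": "info"}


def audit(objects):
    """Return (name, mode, risk, targets) for every object, for review by AD administrators."""
    return [(o["name"], delegation_mode(o), RISK[delegation_mode(o)],
             tuple(o.get("msDS-AllowedToDelegateTo", []))) for o in objects]


if __name__ == "__main__":
    for row in audit(SAMPLE_OBJECTS):
        print("%-10s %-26s risk=%-6s targets=%s" % row)
```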

    Re: Please help I'm a newbie - SPN and "Delegation" Tab in ADUC


    Please find these articles below. In order to understand these articles, I would suggest you make a meaningful diagram while you go through them. It will help you in understanding the process.

    What is Delegation

    What is SPN

    This is from technet (tells you why you need spn)
    # Register a Service Principal Name (SPN) for the computer account using the Setspn utility in the support tools that are on your CD. Delegation is only intended to be used by service accounts, which should have registered SPNs, as opposed to a regular user account which typically does not have SPNs.

    # Raise the functional level of your domain to Windows Server 2003 . For more information, see Related Topics.
    Thanks & Regards

    MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
    Sr. Wintel Eng. (Investment Bank)
    Independent IT Consultant and Architect

      Re: SPN and "Delegation" Tab in ADUC


      Thank you. These articles are very good. Explains much much better.