jittrfunc
Reputation: 113
Relation between "Impersonate a client after authentication" right and Kerberos's "trusted for delegation" right
Do we also need to assign "Impersonate a client after authentication" right to the service account performing the Kerberos delegation in addition to the "Act as part of the operating system" right?
How each of these rights fits together?
Upvotes: 0
Views: 312
Answers (1)
Matt Andruff
Reputation: 5135
"Impersonate a client after authentication" - seems like a more secure delegation strategy intended to allow some freedom to impersonate with an attempt to restrict escalation of privileges.
"Act as part of the operating system" - God mode for delegation. Don't give this to a human user, only assign to a principle you trust.
Both should give you kerberos "Trusted for delegation" in kerberos land, but have slightly different windows land permissions.
Upvotes: 0
Related Questions
- Kerberos Resourced based constrained delegation in cross realm setup
- Problem on configure delegation in cross domain AD account
- How could impersonate in kerberos?
- Asp.net delegation
- Programmatic Impersonation Delegation For Remote Resources (Double-Hop)
- Kerberos, delegation and how to do this correctly?
- Kerberos Credential Delegation
- Kerberos authentication for delegation in IIS 7.0
- Impersonate with Delegation or More than one hop on Kerberos? Completely lost
- Authentication by delegation: what does it mean?