
EFS file sharing with constrained delegation

Discussion in 'Windows Security' started by Ondrej Sevecek, Jun 18, 2009.

  1. Hello,

    would you please be able to give me an authoritative answer whether (and
    then how) Windows Server 2008 (domain member) acting as a file server for
    EFS encrypted files can use CONSTRAINED delegation to obtain EFS encryption
    certificates for users from an enterprise CA?

    Currently, it works for me with UNconstrained delegation (the "trust
    computer for delegation to any service"), it normally obtains Kerberos
    tickets for several services such as CIFS/dc, ProtectedStorage/dc, LDAP/dc,
    GC/dc and HOST/ca etc.

    But when I switch it to the constrained ("trust computer for delegation to
    specified services only - Kerberos only") and list the services manually,
    the file server then is not willing to delegate to CIFS/dc at all and is
    using just an anonymous connection which is refused with access denied.

    This looks like the file server is generally not able/willing to use
    constrained delegation for shared files at all (as tested with ASP
    FileSystemObject script which also works only with unconstrained
    delegation).

    ondrej sevecek
    MVP, MCM:DS
     
