Posted by Ondrej Sevecek on June 18, 2009, 4:35 am
Hello,
would you please be able to give me an authoritative answer whether (and
then how) Windows Server 2008 (domain member) acting as a file server for
EFS encrypted files can use CONSTRAINED delegation to obtain EFS encryption
certificates for users from an enterprise CA?
Currently, it works for me with UNconstrained delegation (the "trust
computer for delegation to any service"); it normally obtains Kerberos
tickets for several services such as CIFS/dc, ProtectedStorage/dc, LDAP/dc,
GC/dc and HOST/ca etc.
But when I switch it to the constrained ("trust computer for delegation to
specified services only - Kerberos only") and list the services manually,
the file server then is not willing to delegate to CIFS/dc at all and is
using just an anonymous connection, which is refused with access denied.
This looks like the file server is generally not able/willing to use
constrained delegation for shared files at all (as tested with ASP
FileSystemObject script which also works only with unconstrained
delegation).
ondrej sevecek
MVP, MCM:DS