All my nerdly life, I've dealt with this limitation of Windows Domains

  1. Login - console
  2. Integrated auth to something (usually web app)
  3. My credentials can't move to another server (e.g. database or file system). They have to trust machine 2.

Is there a configuration that changes this behavior? In many many cases, 3 hops would be amazingly convenient.

What is the specific reason that credentials should not delegate twice (client->server->server)?

Precipitous

2 Answers

Absolutely - this is Kerberos delegation, and it's extremely powerful.

You need to read a couple of TechNet articles first:

And then read Ken Schaefer's fantastic blog posts on Kerberos:

But basically, once your SPNs are set up and you know Kerberos is working, you go to the Computer Object in Active Directory and select the "Trust this computer for delegation" radio button on the Delegation tab.

From: Ask the Directory Services Team

Ken's article on simple delegation should cover everything you need.

BTW: You were so close to the right search: "Double Hop Authentication" would lead you right to this article from the Ask the Directory Services Team blog: Understanding Kerberos Double Hop

Christopher_G_Lewis (edited by Glorfindel)
  • Fantastic - thanks! I suspect the reason I haven't commonly seen this solved is that the code guys don't talk to the sysadmin guys -- and most apps just work around double hops. – Precipitous Jun 01 '09 at 06:17
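The procedure the answer above describes (register the SPN, confirm the first hop really is Kerberos, then flip the delegation setting on the front-end computer object), as an added PowerShell example; this is not code from the original answer or from the linked articles. It assumes a lab domain corp.example, an IIS front end WEB01 whose application pool runs as the machine account, and a SQL Server back end SQL01 on port 1433; every host name and SPN below is an assumption. It goes one step beyond the answer in two places: it also shows constrained delegation, the Kerberos-only variant of the same Delegation tab that limits WEB01 to the listed back-end SPNs, and it adds the client-side check that the caller's TGT is forwardable, which is the condition the second answer points at.

```powershell
# Added example, not part of the original answer. Assumed lab: domain corp.example,
# IIS front end WEB01 running its app pool as the machine account, SQL Server
# back end SQL01 on port 1433. Run on a domain-joined admin host with the
# ActiveDirectory RSAT module and rights to edit the WEB01 computer object.
Import-Module ActiveDirectory

$FrontEnd    = 'WEB01'                              # first hop (assumed name)
$FrontEndSpn = 'HTTP/web01.corp.example'            # the name browsers request (assumed)
$BackEndSpn  = 'MSSQLSvc/sql01.corp.example:1433'   # second hop (assumed)

function Register-FrontEndSpn {
    # The KDC can only issue a ticket for a name it can map to exactly one account.
    # A missing SPN makes IIS fall back to NTLM, and NTLM credentials cannot be delegated.
    Set-ADComputer -Identity $FrontEnd -ServicePrincipalNames @{ Add = $FrontEndSpn }
    # A duplicate SPN anywhere in the forest breaks Kerberos for that name; setspn -X lists them.
    $report = setspn -X | Out-String
    if ($report -match 'found (\d+) group' -and [int]$Matches[1] -gt 0) {
        Write-Warning "setspn -X reports duplicate SPNs; resolve them before going further:`n$report"
    }
}

function Test-FirstHopKerberos {
    # Ask the KDC for a service ticket for the front end and confirm it landed in the cache.
    klist purge | Out-Null
    klist get $FrontEndSpn | Out-Null
    $cache = klist | Out-String
    return ($cache -match [regex]::Escape($FrontEndSpn))
}

function Enable-UnconstrainedDelegation {
    # What the Delegation tab's "Trust this computer for delegation to any service
    # (Kerberos only)" does. Every caller's forwarded TGT is cached on WEB01 and can be
    # replayed to any service in the forest, so the front end must be protected like a DC.
    Set-ADComputer -Identity $FrontEnd -TrustedForDelegation $true
    # Clients need a fresh service ticket afterwards (klist purge): the KDC sets the
    # OK-AS-DELEGATE flag at issue time, and the client forwards its TGT only when it sees it.
}

function Enable-ConstrainedDelegation {
    # "Trust this computer for delegation to specified services only" / "Use Kerberos only".
    # WEB01 can obtain tickets to the listed SPNs in the caller's name and nothing else.
    Set-ADComputer -Identity $FrontEnd -TrustedForDelegation $false
    Set-ADComputer -Identity $FrontEnd -Add @{ 'msDS-AllowedToDelegateTo' = $BackEndSpn }
    # TrustedToAuthForDelegation stays $false: $true would enable protocol transition,
    # i.e. delegation on behalf of callers who never authenticated with Kerberos at all.
}

function Get-DelegationState {
    # The same attributes the Delegation tab renders, for a before/after comparison.
    Get-ADComputer -Identity $FrontEnd -Properties ServicePrincipalNames, TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo' |
      Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' } }, ServicePrincipalNames
}

function Test-CallerCanBeDelegated {
    # Client side. The first hop still authenticates without this, but nothing is forwarded
    # and the second hop arrives with no credentials. Windows requests a forwardable TGT by
    # default, but never for accounts marked "sensitive and cannot be delegated" or for
    # members of Protected Users.
    $user = Get-ADUser -Identity $env:USERNAME -Properties AccountNotDelegated
    $tgt  = klist tgt | Out-String
    return (-not $user.AccountNotDelegated) -and ($tgt -match 'forwardable')
}

Register-FrontEndSpn
if (-not (Test-FirstHopKerberos)) {
    throw "No Kerberos ticket for $FrontEndSpn; fix the SPN or the host name in the URL first"
}
Enable-ConstrainedDelegation   # or Enable-UnconstrainedDelegation, the setting the answer describes
Get-DelegationState
if (-not (Test-CallerCanBeDelegated)) {
    Write-Warning "TGT for $env:USERNAME is not forwardable; the second hop will fail for this user"
}
```

If the application pool runs under a domain service account instead of the machine account, the SPN and the delegation settings go on that user object (Set-ADUser has the same -ServicePrincipalNames, -TrustedForDelegation and -Add parameters), not on WEB01. Whichever form you choose, run klist on the front end as the application identity after a client request: with delegation working it shows a ticket for $BackEndSpn in the caller's name, which is the "third hop" the question asks for.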
1

While I don't know the answer for Windows (being a Linux/UNIX person), what you need to ensure under the hood is that you request a forwardable ticket.