Re: "Account is trusted for delegation" is not shown

Discussion in 'Windows Server' started by RaYlee, May 6, 2008.

  1. RaYlee

    RaYlee Guest

    My god...I figured out what's happening.

    It should be caused by raising functional level to windows 2003. I found
    that my testing PC at home is using
    windows 2000 functional level. After I raise it to windows 2003, the
    "Account is trusted for delegation"
    disappear from the option list.

    What should I do now?? As those installation guides require to set this
    option, if this disappear,
    where I can proceed?

    Please advice...

    Raymond
     
    RaYlee, May 6, 2008
    #1
    1. Advertisements

  2. Hello RaYlee,

    Depends on the functional level, if you set it from a client with an older
    adminpak on 2000 pro, you can still enable it. On the 2003 ADUC then you
    have an additional tab called DELEGATION on the user properties.

    Or you can enable the DELEGATION tab yourself for the user if needed on 2003
    ADUC:
    http://technet2.microsoft.com/windo...c8e9-4999-9af7-f56b991a4fd41033.mspx?mfr=true

    If you cannot see the Delegation tab, do one or both of the following:
    .. Register a Service Principal Name (SPN) for the user account with the Setspn
    utility in the support tools on your CD. Delegation is only intended to be
    used by service accounts, which should have registered SPNs, as opposed to
    a regular user account which typically does not have SPNs.

    Also see here:
    http://technet2.microsoft.com/windo...7c82-43c0-847b-3a1a81454cfe1033.mspx?mfr=true

    http://technet2.microsoft.com/windo...c8e9-4999-9af7-f56b991a4fd41033.mspx?mfr=true

    Best regards

    Meinolf Weber
     
    Meinolf Weber, May 6, 2008
    #2
    1. Advertisements

  3. RaYlee

    RaYlee Guest

    Hello Meinolf,

    Thanks for your fast response. I really appreciate.

    But I tried it many times in our office's windows 2003 server on setspn
    command, but always failed
    to add one SPN.

    Is the command executed on the 2003 server?

    Do you have any experience on running this command?

    Thanks,
    Raymond
     
    RaYlee, May 6, 2008
    #3
  4. Hello RaYlee,

    Did you install the support tools to run setspn?
    Then run in a command window:

    setspn -a SPN domain.com\username

    Where SPN is the servicename/computername (MESSENGER/SERVERNAME for example)

    setspn -a MESSENGER/SERVERNAME domain.com\username

    This will add the delegation tab to the useraccount you specified.

    Best regards

    Meinolf Weber
     
    Meinolf Weber, May 6, 2008
    #4
  5. RaYlee

    RaYlee Guest

    Thanks a lot, Meinolf.

     
    RaYlee, May 7, 2008
    #5
  6. Hello RaYlee,

    You're welcome.

    Best regards

    Meinolf Weber
     
    Meinolf Weber, May 7, 2008
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.