remote EFS file share and constrained delegation

Discussion in 'Server Security' started by Ondrej Sevecek, May 27, 2009.

  1. hello,

    I have 4 computers. Say XP1 (client), DC1 (domain controller), FS1 (file
    server) and CA1 (certificate authority). I need to enable XP1 users (domain
    accounts) to access EFS encrypted files on FS1. This requires a delegation
    to be configured for FS1 (they will be generating new keys).

    This works for me if I configure it for just UNconstrained delegation. But
    what exactly should I configure in this scenario to work with constrained
    delegation?

    Currently, I have the following constrained delegation configured for FS1,
    but it is not sufficient to enable the users/FS1 to obtain new certificates
    from CA1:
    fs1: can delegate to CIFS/DC1
    fs1: can delegate to LDAP/DC1
    fs1: can delegate to ProtectedStorage/DC1
    fs1: can delegate to GC/DC1
    fs1: can delegate to RPCSS/CA1
    fs1: can delegate to HOST/CA1

    so which service in addition should I enable to be delegated to?

    ondrej.
     
    Ondrej Sevecek, May 27, 2009
    #1