Server 2012 administration
What is constrained delegation?
Constrained delegation makes it possible to restrict the back-end services for which a public (front-end) service requests access on behalf of another user.
Kerberos constrained delegation has been part of the Windows Server operating system since Windows Server 2003. It requires you to configure an allow list of service principal names (SPNs) on user or computer objects in Active Directory (AD). This list names the back-end services for which a front-end service is allowed to request tickets on behalf of the user. You add it to the ms-DS-Allowed-To-Delegate-To attribute of the principal under which the application or service on the front-end server runs.
SPN purpose
A service principal name (SPN) is the name by which a Kerberos client uniquely identifies an instance of a service for a given Kerberos target computer. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host.
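A read-only audit of the allow lists described above, as an added example that is not part of the original page: it lists every principal with a populated ms-DS-Allowed-To-Delegate-To attribute and resolves each allowed SPN to the account that registers it. It assumes the RSAT ActiveDirectory PowerShell module and a domain account with read access; the function name Get-DelegationAllowList is hypothetical.

```powershell
# Added example: audit constrained-delegation allow lists (read-only).
Import-Module ActiveDirectory

function Get-DelegationAllowList {
    # Front-end principals: any user or computer object whose
    # ms-DS-Allowed-To-Delegate-To attribute holds at least one SPN.
    $frontEnds = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
        -Properties 'msDS-AllowedToDelegateTo', sAMAccountName, objectClass

    foreach ($fe in $frontEnds) {
        foreach ($spn in $fe.'msDS-AllowedToDelegateTo') {
            # Escape LDAP filter metacharacters before using the SPN in a filter.
            $safe = $spn.Replace('\', '\5c').Replace('*', '\2a').
                         Replace('(', '\28').Replace(')', '\29')

            # Back-end side: the account that registered this SPN, if any.
            $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$safe)" `
                -Properties sAMAccountName)

            [pscustomobject]@{
                FrontEnd     = $fe.sAMAccountName
                FrontEndType = $fe.objectClass
                AllowedSpn   = $spn
                BackEnd      = if ($owners.Count) {
                                   ($owners.sAMAccountName -join ', ')
                               } else {
                                   '<no account registers this SPN>'
                               }
                # An allow-list entry that points at no registered SPN is stale
                # and should be reviewed and removed.
                Stale        = ($owners.Count -eq 0)
            }
        }
    }
}

Get-DelegationAllowList |
    Sort-Object FrontEnd, AllowedSpn |
    Format-Table -AutoSize
```

Rows with Stale set to True are allow-list entries whose SPN no account currently registers; compare the remaining rows against the back-end services each front-end application actually needs.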