- Microsoft® Windows Server™ 2003 Inside Out
- SPECIAL OFFER: Upgrade this ebook with O’Reilly
- A Note Regarding Supplemental Files
- Acknowledgments
- We'd Like to Hear from You!
- About the CD
- Conventions and Features Used in this Book
- About the Author
- 1. Windows Server 2003 Overview and Planning
- 1. Introducing Windows Server 2003
- What's New in Windows Server 2003
- 64-Bit Computing
- .NET Technologies
- Windows XP and Windows Server 2003
- Windows XP Editions
- Increased Support for Standards
- Interface and Tool Improvements
- Active Directory Improvements
- Domains Can Be Renamed
- Active Directory Can Replicate Selectively
- Active Directory–Integrated DNS Zones Can Forward Conditionally
- Active Directory Schema Objects Can Be Deleted
- Active Directory and Global Catalog Are Optimized
- Active Directory Can Compress and Route Selectively
- Forest-to-Forest Trusts
- Active Directory Migration Made Easier
- Group Policy Improvements
- Management and Administration Extras
- Security Advances
- Reliability and Maintenance Enhancements
- 2. Planning for Windows Server 2003
- Overview of Planning
- Identifying Your Organizational Teams
- Assessing Project Goals
- Analyzing the Existing Network
- Defining Objectives and Scope
- Defining the New Network Environment
- Selecting a Software Licensing Program
- Final Considerations for Planning and Deployment
- 1. Introducing Windows Server 2003
- 2. Windows Server 2003 Installation
- 3. Preparing for the Installation and Getting Started
- 4. Managing Interactive Installations
- 5. Managing Unattended Installations
- 6. Using Remote Installation Services
- Introduction to RIS
- Installing RIS
- Configuring RIS Clients
- Preparing RIS-Based Installations
- Using RIS for Automated Installations
- Working with Sysprep
- 3. Windows Server 2003 Upgrades and Migrations
- 7. Preparing for Upgrades and Migration
- 8. Upgrading to Windows Server 2003
- General Considerations for Upgrades
- Upgrading from Windows 2000
- Upgrading from Windows NT 4
- 9. Migrating to Windows Server 2003
- Selecting the Migration Tools
- ADMT
- General Considerations for Migrations
- Determining the Approach to Migration
- Preparing for Migration
- Migrating Security Principals
- Performing the Migration: An Overview
- Migrating Group Accounts
- Migrating User Accounts
- Migrating Passwords
- Migrating the Computers
- Merging Groups during Migration
- Migrating Domain Trusts
- Migrating Service Accounts
- Security Translation
- Generating Migration Reports
- 4. Managing Windows Server 2003 Systems
- 10. Configuring Windows Server 2003
- 11. Windows Server 2003 MMC Administration
- 12. Managing Windows Server 2003
- Using the Administration Tools
- Using the Control Panel Utilities
- Using the Add Hardware Utility
- Using the Add or Remove Programs Utility
- Using the Date and Time Utility
- Using the Display Utility
- Using the Folder Options Utility
- Using the Licensing Utility
- Using the Network Connections Utility
- Using the Regional and Language Options Utility
- Using the Scheduled Tasks Utility
- Using the System Utility
- Using Support Tools
- Using Resource Kit Tools
- Using the Secondary Logon
- 13. Managing and Troubleshooting Hardware
- 14. Managing the Registry
- 15. Performance Monitoring and Tuning
- 16. Comprehensive Performance Analysis and Logging
- 5. Managing Windows Server 2003 Storage and File Systems
- 17. Planning for High Availability
- 18. Preparing and Deploying Server Clusters
- 19. Storage Management
- Essential Storage Technologies
- Configuring Storage
- Managing MBR Disk Partitions on Basic Disks
- Managing GPT Disk Partitions on Basic Disks
- Managing Volumes on Dynamic Disks
- Creating a Simple or Spanned Volume
- Extending a Simple or Spanned Volume
- Recovering a Failed Simple or Spanned Disk
- Moving Dynamic Disks
- Configuring RAID 1: Disk Mirroring
- Mirroring Boot and System Volumes
- Configuring RAID 5: Disk Striping with Parity
- Breaking or Removing a Mirrored Set
- Resolving Problems with Mirrored Sets
- Repairing a Mirrored System Volume to Enable Boot
- Resolving Problems with RAID-5 Sets
- 20. Managing Windows Server 2003 File Systems
- 21. File Sharing and Security
- File Sharing Essentials
- Creating and Publishing Shared Folders
- Managing Share Permissions
- Managing File and Folder Permissions
- Managing File Shares After Configuration
- Sharing Files on the Web
- Auditing File and Folder Access
- 22. Using Volume Shadow Copy
- 23. Using Removable Media
- Introducing Removable Media
- Managing Media Libraries and Media
- Inserting Media into a Library
- Ejecting Media from a Library
- Mounting and Dismounting Media in Libraries
- Enabling and Disabling Media
- Enabling and Disabling Drives
- Cleaning Drives
- Working with Library Doors and Ports
- Configuring Library Inventory
- Starting Library Inventory
- Changing Library Media Types
- Enabling and Disabling Libraries
- Managing Media Pools
- Managing Work Queues, Requests, and Security
- Using the Work Queue
- Troubleshooting Waiting Operations
- Changing Mount Operations
- Controlling When Operations Are Deleted
- Using the Operator Requests Queue
- Notifying Operators of Requests
- Completing or Refusing Requests
- Controlling When Requests Are Deleted
- Setting Access Permissions for Removable Storage
- 6. Managing Windows Server 2003 Networking and Print Services
- 24. Managing TCP/IP Networking
- Understanding IP Addressing
- Special IP Addressing Rules
- Using Subnets and Subnet Masks
- Getting and Using IP Addresses
- Understanding Name Resolution
- Configuring TCP/IP Networking
- 25. Managing DHCP
- DHCP Essentials
- DHCP Security Considerations
- Planning DHCP Implementations
- Setting Up DHCP Servers
- Configuring TCP/IP Options
- Levels of Options and Their Uses
- Options Used by Windows Clients
- Using Userand Vendor-Specific TCP/IP Options
- Settings Options for All Clients
- Settings Options for Routing and Remote Access Clients Only
- Setting Add-On Options for Directly Connected Clients
- Defining Classes to Get Different Option Sets
- Advanced DHCP Configuration and Maintenance
- Setting Up DHCP Relay Agents
- 26. Architecting DNS Infrastructure
- 27. Implementing and Managing DNS
- 28. Implementing and Maintaining WINS
- 29. Installing and Maintaining Print Services
- Understanding Windows Server 2003 Print Services
- Print Services Changes for Windows Server 2003
- Upgrading Windows NT 4 Print Servers to Windows Server 2003
- Migrating Print Servers from One System to Another
- Planning for Printer Deployments and Consolidation
- Setting Up Printers
- Managing Printer Permissions
- Managing Print Server Properties
- Managing Printer Properties
- Setting General Properties, Printing Preferences, and Document Defaults
- Setting Overlays and Watermarks for Documents
- Installing and Updating Print Drivers on Clients
- Configuring Printer Sharing and Publishing
- Optimizing Printing Through Queues and Pooling
- Configuring Print Spooling
- Viewing the Print Processor and Default Data Type
- Configuring Separator Pages
- Configuring Color Profiles
- Managing Print Jobs
- Printer Maintenance and Troubleshooting
- 30. Using Remote Desktop for Administration
- 31. Deploying Terminal Services
- Using Terminal Services
- Designing the Terminal Services Infrastructure
- Setting Up Terminal Services
- Using the Terminal Services Configuration Tool
- Using the Terminal Services Manager
- Managing Terminal Services from the Command Line
- Other Useful Terminal Services Commands
- Configuring Terminal Services Per-User Settings
- 24. Managing TCP/IP Networking
- 7. Managing Active Directory and Security
- 32. Active Directory Architecture
- 33. Designing and Managing the Domain Environment
- Design Considerations for Active Directory Replication
- Design Considerations for Active Directory Search and Global Catalogs
- Design Considerations for Compatibility
- Design Considerations for Active Directory Authentication and Trusts
- Universal Groups and Authentication
- NTLM and Kerberos Authentication
- Authentication and Trusts Across Domain Boundaries
- Authentication and Trusts Across Forest Boundaries
- Examining Domain and Forest Trusts
- Establishing External, Shortcut, Realm, and Cross-Forest Trusts
- Verifying and Troubleshooting Trusts
- Delegating Authentication
- Design Considerations for Active Directory Operations Masters
- Operations Master Roles
- Using, Locating, and Transferring the Schema Master Role
- Using, Locating, and Transferring the Domain Naming Master Role
- Using, Locating, and Transferring the Relative ID Master Role
- Using, Locating, and Transferring the PDC Emulator Role
- Using, Locating, and Transferring the Infrastructure Master Role
- 34. Organizing Active Directory
- 35. Configuring Active Directory Sites and Replication
- 36. Implementing Active Directory
- Preinstallation Considerations for Active Directory
- Installing Active Directory
- Uninstalling Active Directory
- Creating and Managing Organizational Units (OUs)
- Delegating Administration of Domains and OUs
- 37. Managing Users, Groups, and Computers
- Managing Domain User Accounts
- Managing User Profiles
- Managing User Data
- Maintaining User Accounts
- Managing Groups
- Managing Computer Accounts
- 38. Managing Group Policy
- Understanding Group Policy
- Implementing Group Policy
- Working with Local Group Policy
- Working with the Group Policy Object Editor
- Working with the Group Policy Management Console
- Installing and Running the Group Policy Management Console
- Using the Group Policy Management Console
- Accessing Forests, Domains, and Sites in Group Policy Management Console
- Creating and Linking a New GPO in Group Policy Management Console
- Editing an Existing GPO in the Group Policy Management Console
- Linking to an Existing GPO in the Group Policy Management Console
- Deleting an Existing GPO in the Group Policy Management Console
- Managing Group Policy Inheritance and Processing
- Using Scripts in Group Policy
- Applying Group Policy Through Security Templates
- Maintaining and Troubleshooting Group Policy
- 39. Active Directory Site Administration
- 8. Windows Server 2003 Disaster Planning and Recovery
- Index to Troubleshooting Topics
- Index
- SPECIAL OFFER: Upgrade this ebook with O’Reilly
The delegation of authentication is often a requirement when a network service is distributed across several servers, such as when the organization uses Web-based application services with front-end and back-end servers. In this environment, a client connects to the front-end servers and the user's credentials may need to be passed to back-end servers to ensure that the user only gets access to information to which she has been granted access.
In Windows 2000, this functionality is provided using Kerberos authentication, either using proxy tickets or using forwarded tickets:
With proxy tickets, the client sends a session ticket request to a domain controller acting as a KDC, asking for access to the back-end server. The KDC grants the session ticket request and sends the client a session ticket with a PROXIABLE flag set. The client can then send this ticket to the front-end server, and the front-end server in turn uses this ticket to access information on the back-end server. In this configuration, the client needs to know the name of the backend server, which in some cases is problematic, particularly if you need to maintain strict security for the back-end databases and don't want their integrity to be compromised.
With forwarding tickets, the clients sends an initial authorization request to the KDC, requesting a session ticket that the front-end server will be able to use to access the back-end servers. The KDC grants the session ticket request, and sends it to the client. The client can then send the ticket to the front-end server, which then uses the session ticket to make a network resource request on behalf of the client. The front-end server then gets a session ticket to access the back-end server using the client's credentials.
Note
In the Windows 2000 model, the front-end server is not constrained in terms of the network resources it can request on the client's behalf. That means the front-end server could try to access any network resource using the client's credentials.
While both techniques are effective, the requirement to use Kerberos in Windows 2000 limits the types of clients that can be used. In this scenario, only clients running Windows 2000 or later can be used. With Windows Server 2003, you can use both NTLM and Kerberos for authentication, which allows clients running Microsoft Windows 95, Windows 98, and Windows NT to be used, as well as clients running Windows 2000 or later. In addition, with Windows Server 2003, you can use constrained delegation. Constrained delegation allows you to configure accounts so that they are delegated only for specific purposes. This kind of delegation is based on service principal names. Thus, unlike Windows 2000, in which the front-end server can access any network service on the client's behalf, in Windows Server 2003, a front-end server can only access network resources for which delegation has been granted.
To use delegated authentication, the user account, as well as the service or computer account acting on the user's behalf, must be configured to support delegated authentication.
For the user account, you must ensure that the account option Account Is Sensitive And Cannot Be Delegated is not selected, which by default it isn't. If you want to check this option, use Active Directory Users And Computers, as shown in the following screen. Double-click the user's account entry in Active Directory Users And Computers, and then select the Account tab. You'll find the Account Is Sensitive And Cannot Be Delegated option under Account Options. Scroll through the list until you find it.
For the service acting on the user's behalf, you must first determine if the service is running under a normal user account or under a special identity, such as LocalSystem. If the service runs under a normal user account, check the account in Active Directory Users And Computers and ensure that the Account Is Sensitive And Cannot Be Delegated option is not selected. If the service runs under a special identity, you need to configure delegation for the computer account of the front-end server.
When the domain is operating in Windows 2000 Mixed or Windows 2000 Native functional level, you have limited options for configuring a computer for delegation. In Active Directory Users and Computers, double-click the computer account. On the General tab, select the Trust This Computer For Delegation option to allow delegation. This option sets the Windows 2000 level of authentication, which allows the service to make requests for any network resources on the client's behalf.
In Active Directory Users And Computers, double-click the computer account to display its Properties dialog box, and then select the Delegation tab, as shown in the following screen:
When the domain is operating in Windows Server 2003 functional level, you have the following options for configuring a computer for delegation:
Do Not Trust This Computer For Delegation Select this option if you don't want the computer to be trusted for delegation.
Trust This Computer For Delegation To Any Service (Kerberos Only) Select this option to use the Windows 2000 level of authentication, which allows the service to make requests for any network resources on the client's behalf.
Trust This Computer For Delegation To Specified Services Only Select this option to use the Windows Server 2003 level of authentication, which allows the service to make requests only for specified services. You can then specify whether the client must authenticate using Kerberos only or can use any authentication protocol.
When you are using the Windows Server 2003 level of authentication, you must next specify the services to which the front-end server can present a client's delegated credentials. To do this, you need to know the name of the computers running the services and the types of services you are authorizing. Click Add to display the Add Services dialog box shown in the screen on the following page, and then click Users Or Computers to display the Select Users Or Computers dialog box.
In the Select Users Or Computer dialog box, type the name of the computer proving the service, such as CORPSVR02, and then click Check Names. If multiple matches are found, select the name or names you want to use, and then click OK. If no matches are found, you've either entered an incorrect name or you're working with an incorrect location. Modify the name and try again or click Locations to select a new location. To add additional computers, type a semicolon (;), and then repeat this process. When you click OK, the Add Services dialog box is updated with a list of available services on the selected computer or computers, as shown in the following screen:
Use the Add Services dialog box to select the services for which you are authorizing delegated authentication. You can use Shift+click or Ctrl+click to select multiple services. Once you've selected the appropriate services, click OK. The selected services are added to the Services To Which This Account Can Present Delegated Credentials list. Click OK to close the computer's Properties dialog box and save the delegation changes.
-
No Comment