The AA Server computer object in AD has the following option set:
"Trust this computer for delegation to any service (Kerberos only)"
Is this by design, and if so, why is the option set?
The delegation option is set so that Active Administrator can support any double-hop authentication (an account authenticated to a workstation requests data from a server, and that server then uses the same account to request data from another machine). For example, a user logs into the Active Administrator console from a workstation, the console requests data from the AA server, and the user then performs an action that causes the AA server to request data from the domain controller using the same user credentials.
Without this option set, the double-hop authentication would fail, causing the action being performed in the console to fail.
However, if double-hop authentication is not required, you should not have issues if you change the setting to the "Do not trust this computer for delegation" option in AD. Keep in mind that launching the Active Administrator Console on another machine and using it to access a remote Active Administrator Server is a scenario that would be impacted if the delegation setting is disabled.
If you disable the delegation setting, then as long as you set the trust to cover all three Active Administrator services on the host machine (ADS, AFS, and Web services) and any installed services on the host or other machines (workstation logon agents, AD Health Agents, Audit Agents), Active Administrator should theoretically be fine. Note, however, that this is not a tested scenario; you would have to implement and test it yourself.
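As an added example (not from this KB article), the following PowerShell audits the setting discussed above and performs the change the article describes: it inventories computer objects that carry the "Trust this computer for delegation to any service (Kerberos only)" flag, reports the state of the AA server's computer object, and clears the flag the way "Do not trust this computer for delegation" does. The RSAT ActiveDirectory module and the computer name AASERVER01 are assumptions.

```powershell
# Added example, not part of the KB article. Assumes the RSAT ActiveDirectory module
# is available and that the Active Administrator server's computer account is
# AASERVER01 (placeholder name; substitute your own).
Import-Module ActiveDirectory

# userAccountControl bit set by "Trust this computer for delegation to any service
# (Kerberos only)", i.e. TRUSTED_FOR_DELEGATION.
$TrustedForDelegationBit = 0x80000

function Get-UnconstrainedDelegationComputers {
    # Inventory every computer object carrying the flag. Domain controllers carry it
    # by design (primaryGroupID 516), so they are marked rather than hidden.
    $filter = "(userAccountControl:1.2.840.113556.1.4.803:=$TrustedForDelegationBit)"
    Get-ADComputer -LDAPFilter $filter -Properties TrustedForDelegation, primaryGroupID |
        Select-Object Name,
                      TrustedForDelegation,
                      @{ Name = 'IsDomainController'; Expression = { $_.primaryGroupID -eq 516 } }
}

function Test-AAServerDelegation {
    param([Parameter(Mandatory)][string]$ComputerName)
    # Report the current delegation state of one computer object, both as the
    # friendly property and as the raw bit, so the two can be cross-checked.
    $c = Get-ADComputer -Identity $ComputerName -Properties TrustedForDelegation, userAccountControl
    [pscustomobject]@{
        Name                 = $c.Name
        TrustedForDelegation = $c.TrustedForDelegation
        UacHasBit            = (($c.userAccountControl -band $TrustedForDelegationBit) -ne 0)
    }
}

function Disable-AAServerDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$ComputerName)
    # Equivalent to selecting "Do not trust this computer for delegation" in ADUC.
    # Per the article, only do this when no double-hop scenario (remote console ->
    # AA server -> domain controller) is in use, and test afterwards.
    if ($PSCmdlet.ShouldProcess($ComputerName, 'Clear TrustedForDelegation')) {
        Set-ADComputer -Identity $ComputerName -TrustedForDelegation $false
    }
    Test-AAServerDelegation -ComputerName $ComputerName
}

# Usage: audit first, preview the change with -WhatIf, then apply without it.
Get-UnconstrainedDelegationComputers | Format-Table -AutoSize
Test-AAServerDelegation -ComputerName 'AASERVER01'
Disable-AAServerDelegation -ComputerName 'AASERVER01' -WhatIf
```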