Configuring constrained delegated authentication for CCS
Configuring constrained delegation requires a Service Principal Name (SPN) for the Symantec CCS ADLDS instance, which is created during the installation of the Directory Server. Ensure that constrained delegation is configured only after the Directory Server has been installed.
You need to configure constrained delegation only if your deployment contains a standalone installation of the Directory Server.
- To configure a service account for constrained delegation
- Open the properties for the Application Server's service account and make the following changes on the Delegation tab:
- Select Trust this user for delegation to specified services only. By default the user is set to Do not trust this user for delegation.
- Select Use any authentication protocol.
- Under Services to which this account can provide delegated credentials, do the following:
  - Click Add and type in the name of the computer where DSS is installed. From the list of services, select the LDAP service that has the same port number as the port on which the ADAM instance is running, and click OK.
  - Click Add and type the name of the service account under which the DSS service is running. You can view the custom SPN that was created for the DSS before installation. Select the service and click OK.
  - Click Expand to verify that both the short names and the long names are present.
- On the Application Server computer, open the Local Security Policy editor. Navigate to Local Policies > User Rights Assignment and grant the Act as part of the operating system privilege to the Application Server service account. If you use constrained delegation and choose not to store passwords with CCS, the service user needs the Act as part of the operating system privilege, because S4U requires it to impersonate an account. If you choose to store the password with CCS, this privilege is not required.
- After the product is installed, configure delegation for the Application Server in the following manner:
  - In the CCS Console, go to Settings > System Topology > Map View or to Settings > System Topology > Grid View.
  - Select the Application Server component, right-click it, and select Edit Settings.
  - In the Edit Settings dialog box, select the Application Server > Basic option in the left pane.
  - For the Authentication type option, select Use controlled delegation of security rights in the right pane.
  - Click Save.
  - Restart the DSS and the Application Server computer so that the delegation settings take effect.
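The following script is an added verification example, not part of the Symantec CCS documentation: run as an administrator on the Application Server (with the ActiveDirectory module installed) it reads back the settings the procedure above configures and flags the two misconfigurations that matter most, delegation that is unconstrained rather than limited to the DSS LDAP service, and the Act as part of the operating system right granted when it is not needed. The account name, DSS host names and ADLDS port are placeholders.

```powershell
# Added verification script; not part of the Symantec CCS documentation.
# All values below are placeholders; adjust them for your environment.
Import-Module ActiveDirectory

$ServiceAccount = 'ccs_appsvc'               # Application Server service account (placeholder)
$DssHost        = 'dss01'                    # computer running the DSS, short name (placeholder)
$DssFqdn        = 'dss01.corp.example.com'   # the same computer, long name (placeholder)
$AdldsPort      = 3890                       # port of the ADLDS/ADAM instance (placeholder)

$acct = Get-ADUser -Identity $ServiceAccount -Properties userAccountControl, 'msDS-AllowedToDelegateTo'

# "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) in userAccountControl.
# TRUSTED_FOR_DELEGATION (0x80000) would mean unconstrained delegation, which this procedure must not produce.
$useAnyProtocol = ($acct.userAccountControl -band 0x1000000) -ne 0
$unconstrained  = ($acct.userAccountControl -band 0x80000) -ne 0

# "Expand" on the Delegation tab records both the short and the long form of the LDAP SPN.
$expected = @("ldap/${DssHost}:${AdldsPort}", "ldap/${DssFqdn}:${AdldsPort}")
$allowed  = @($acct.'msDS-AllowedToDelegateTo')
$missing  = @($expected | Where-Object { $allowed -notcontains $_ })   # -notcontains ignores case

# The LDAP SPN selected in the GUI must actually be registered on the DSS computer object.
$dssSpns       = @((Get-ADComputer -Identity $DssHost -Properties servicePrincipalName).servicePrincipalName)
$spnRegistered = $dssSpns -contains $expected[1]

# "Act as part of the operating system" appears as SeTcbPrivilege in the exported local policy.
$cfg = Join-Path $env:TEMP 'user_rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$tcb    = (Select-String -Path $cfg -Pattern '^SeTcbPrivilege' | Select-Object -First 1).Line
$sid    = $acct.SID.Value
$hasTcb = [bool]$tcb -and ($tcb -like "*$sid*" -or $tcb -like "*$ServiceAccount*")
Remove-Item $cfg -ErrorAction SilentlyContinue

[pscustomobject]@{
    ServiceAccount             = $ServiceAccount
    ConstrainedToSpecificSPNs  = ($allowed.Count -gt 0)
    UseAnyAuthenticationProto  = $useAnyProtocol
    UnconstrainedDelegation    = $unconstrained          # expected: False
    MissingDelegationEntries   = ($missing -join ', ')   # expected: empty
    LdapSpnRegisteredOnDss     = $spnRegistered
    ActAsPartOfOperatingSystem = $hasTcb                 # required only when passwords are not stored with CCS
} | Format-List
```

ActAsPartOfOperatingSystem should read True only on deployments that do not store passwords with CCS; anywhere else the right should be removed, since the procedure states it is not required there.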