Configuring unconstrained delegation for CCS

HOWTO75235

Last Updated May 08, 2012

You need to configure unconstrained delegation only if your deployment contains a stand-alone installation of the Directory Server.

To configure a service account with unconstrained delegation

Identify the user accounts that you want to use as the service accounts for DSS and Application Server.

Enable delegation for the Application Server's service account. By default, the user is set to Do not trust this user for delegation.

The following service accounts are to be enabled:

Windows Server 2003 computer	In the user properties, go to the Delegation tab and select the option, Trust this user for delegation to any service (Kerberos only).
Windows Server 2008 computer	In the user properties, go to Accounts tab and check the option, Account is trusted for delegation.

After the product is installed, configure delegation for the Application Server in the following manner:
- In the CCS Console, go to Settings > System Topology > Map View or go to Settings > System Topology > Grid View.
- Select the Application Server component, and right-click on Edit Settings.
- In the Edit Settings dialog box, select the Application Server > Basic option in the left pane.
- For the Authentication type option, select Use controlled delegation of security rights in the right pane.
- Click Save.
Reboot the DSS and the Application Server computer so that the delegation settings can take effect.

Imported Document ID: HOWTO75235

Legacy ID: v63772240_v74603629

Thanks for your feedback. Let us know if you have additional comments below. (requires login)