Remove "trusted for delegation"

  • Question

  • We have a SharePoint 2013 environment where the web front end and application servers are "trusted for delegation (any)" in Active Directory, as well as the farm service account (used for the application pool identity).

    I have been asked to remove unrestricted delegation for security reasons.

    I have a fairly good understanding of SharePoint architecture and understand what trusted for delegation does. But I'm not 100% sure how to solve this.

    In AD, if I change "Trust this computer for delegation to any service" on the computer account, to "Trust this computer for delegation to specified services only", which specified services should I point out? The farm service account?

    Wednesday, September 27, 2017 1:23 PM


All replies

  • What you're referring to is unconstrained Kerberos delegation and switching to Constrained Kerberos Delegation. Do you have any delegation requirement at all, or are the Web Applications just configured to use Kerberos?

    Trevor Seward
    Office Servers and Services MVP
    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Wednesday, September 27, 2017 3:11 PM
    Moderator
  • Thanks for replying. The web application (default zone) is configured to use Kerberos. AFAIK there are no specific delegation requirements. The guy(s) who set this up are not working here anymore, and there is very little knowledge about this setup. The site is used in production, but there's no real SharePoint admin here, so we are a bit in the dark.
    Thursday, September 28, 2017 6:56 AM
  • If all of that is the case, then you do not need delegation for the account(s).

    Trevor Seward
    Office Servers and Services MVP
    Author, Deploying SharePoint 2016

    This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

    Thursday, September 28, 2017 2:44 PM
    Moderator
  • Thank you. We will remove delegation from the accounts and see what happens. :-)
    Friday, September 29, 2017 11:12 AM
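One way to inventory which objects currently have the "trust for delegation to any service" flag and then clear it on the servers and the farm account, as an added example that is not from the thread or from Microsoft (it assumes the RSAT ActiveDirectory module and uses placeholder server and account names):

```powershell
# Added example: audit and remove unconstrained Kerberos delegation.
# Assumes the ActiveDirectory RSAT module; all object names are placeholders.
Import-Module ActiveDirectory

# Placeholder names; replace with the real WFE/app servers and farm account.
$serverNames = @('SP-WFE01', 'SP-APP01')
$farmAccount = 'svc-spfarm'

# 1. Inventory: every object with TRUSTED_FOR_DELEGATION set (userAccountControl
#    bit 0x80000 = 524288). Constrained delegation would instead populate
#    msDS-AllowedToDelegateTo, listed here for context.
$uacFilter = '(userAccountControl:1.2.840.113556.1.4.803:=524288)'
$unconstrained = Get-ADObject -LDAPFilter $uacFilter `
    -Properties 'sAMAccountName', 'objectClass', 'msDS-AllowedToDelegateTo', 'servicePrincipalName'
$unconstrained |
    Select-Object sAMAccountName, objectClass,
        @{ Name = 'SPNs'; Expression = { $_.servicePrincipalName -join ';' } },
        @{ Name = 'ConstrainedTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join ';' } } |
    Format-Table -AutoSize

# 2. Remediate the server computer accounts: clear the "any service" flag.
#    No constrained target list is set because nothing in the farm needs delegation.
foreach ($name in $serverNames) {
    Set-ADComputer -Identity $name -TrustedForDelegation $false -WhatIf
}

# 3. Remediate the farm service account (a user object) the same way.
Set-ADUser -Identity $farmAccount -TrustedForDelegation $false -WhatIf
# Remove -WhatIf once the preview lists only the intended objects, then test a
# Kerberos logon to the default zone; with no double hop involved it should succeed.

# 4. Verify: the remediated objects should no longer match the filter.
Get-ADObject -LDAPFilter $uacFilter |
    Where-Object { ($serverNames + $farmAccount) -contains $_.Name }
```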