Setting up Delegation for Shared Folders

avoigt31 Member Posts: 8
edited 2010-03-16 in NAV Three Tier
Hi,

Has anyone tried to set up the Kerberos delegation to access shared folders in a 3-Tier environment? When I try to access a shared folder on another server than the service tier, only the ANONYMOUS account is contacting the service "lanmanserver". I tried to change the service account of the system service "Server" (lanmanserver), but it doesn't start after the change. This service seems to run under the local system account only. :(

Comments

  • alexpeck Member, Microsoft Employee Posts: 37
    You need to set up NAV to delegate to the cifs service on the target machine to support this. Coincidentally, the docs for setting up delegation have recently been updated on MSDN: http://msdn.microsoft.com/en-us/library/dd568720.aspx.

    When the service tier performs file operations it impersonates the user logged into the Role Tailored Client. As soon as the service tier performs a file system operation on another machine (even if it is the client machine which originated the action), a second impersonation of the client is required (this is commonly known as a double hop).

    So, even if you only have a two tier installation (SQL & NAV service on one machine, client on another) delegation is required for "off box" file system operations.

    Alex
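
The delegation to the cifs service described in the reply above, as an added example that is not part of the original thread: it limits the NAV service account to constrained delegation for the file server's cifs SPN only and flags unconstrained delegation if it is set. The account name `svc-nav`, host `FILESRV01` and domain `corp.example.com` are assumptions, as is the service tier running under a domain user account.

```powershell
# Added example; account, host and domain names are placeholders, not values from the thread.
Import-Module ActiveDirectory

$ServiceAccount = 'svc-nav'            # assumed: domain account running the NAV service tier
$FileServer     = 'FILESRV01'          # assumed: machine hosting the shared folder
$Domain         = 'corp.example.com'   # assumed: AD DNS domain

# Constrained delegation targets: only the file-sharing (cifs) service on that one host,
# in both short-name and FQDN form.
$Targets = @("cifs/${FileServer}", "cifs/${FileServer}.${Domain}")

$acct = Get-ADUser -Identity $ServiceAccount `
    -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, servicePrincipalName

# Kerberos delegation needs an SPN on the delegating account.
if (-not $acct.servicePrincipalName) {
    throw "No SPN registered on $ServiceAccount; register the NAV service SPNs first."
}

# Unconstrained delegation lets the account act as the user towards any service; flag it.
if ($acct.TrustedForDelegation) {
    Write-Warning "$ServiceAccount is trusted for delegation to any service; prefer constrained delegation."
}

# Add only the cifs SPNs that are not already on the allowed-to-delegate list.
$missing = $Targets | Where-Object { $acct.'msDS-AllowedToDelegateTo' -notcontains $_ }
if ($missing) {
    Set-ADUser -Identity $ServiceAccount -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$missing }
}

# Show the resulting list so it can be reviewed.
(Get-ADUser -Identity $ServiceAccount -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo'
```

Running this requires the ActiveDirectory module and rights to modify the service account; the final line should list only the services the service tier is meant to reach on behalf of users.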