DOC: Windows 2000 Supports Delegations with Kerberos Authentication Service (262291)


The information in this article applies to:

  • Microsoft COM, when used with:
    • the operating system: Microsoft Windows 2000
This article was previously published under Q262291

SUMMARY

In the context-sensitive help of DCOMCNFG.exe, on the Default Properties tab, the drop-down list for Default Impersonation Level states that "The Windows 2000 authentication service does not support Delegate". Microsoft has confirmed that this is a documentation error. Windows 2000 implements the Kerberos v5 authentication protocol, and this authentication service supports delegate level impersonation.

MORE INFORMATION

COM security is based on the security that is provided by Windows NT, Windows 2000, and the underlying remote procedure call (RPC) security mechanisms. COM security relies on authentication and authorization: authentication is the process that verifies a caller's identity, and authorization is the process that determines whether a caller is authorized to perform the requested task.

In the COM security model, servers manage objects, and clients access objects through servers. Through impersonation, servers can attempt to access resources or other servers on the client's behalf. The client can set an impersonation level that determines to what extent the server can act as the client.

On Windows 2000, there are four impersonation levels:
  • Anonymous
  • Identify
  • Impersonate
  • Delegate
Prior to Windows 2000, "identify" and "impersonate" were the only supported impersonation levels. On Windows 2000, "delegate" level impersonation is supported when you use the Kerberos authentication service.

Steps to Reproduce Behavior

  1. Run DCOMCNFG.exe.
  2. On the Default Properties tab, click to highlight the Default Impersonation Level drop-down list.
  3. Press the F1 key. The last line of the context-sensitive help states that "The Windows 2000 authentication service does not support Delegate".

REFERENCES

For more information, click the following article numbers to view the articles in the Microsoft Knowledge Base:

266080 Answers to Frequently Asked Kerberos Questions

176799 INFO: Using DCOM Cnfg (DCOMCNFG.EXE) on Windows NT

252589 Dcomcnfg.exe Utility Improvements, Fixes, Registry Entries and Format of Ports Range Value

166992 Standard Security Practices for Windows NT

Modification Type:MajorLast Reviewed:2/9/2006
Keywords:kbdocfix kbinfo kbnofix KB262291
©2004 Microsoft Corporation. All rights reserved.