Security
[Figure 5-8: Browser on the client machine (user is logged in); WFE and ECS on the server machine (the user request is sent with the user's credentials, and the credentials are delegated within the same machine); Database.]
Kerberos-Constrained Delegation
You can use Kerberos-constrained delegation with Windows Server 2003 Active Directory to allow multiple
hops. When enabling the delegation, the network administrator defines a level of trust between two
services on different machines. One service (in this case, a database) trusts another service (in this case,
an Excel Calculation Service instance) to pass on the correct end-user credentials.
The main advantage of this configuration is that the correct end-user credentials are passed to the
database. The disadvantages are as follows:
- It requires the organization's central IT department to set up the delegation in Active Directory.
- It usually limits the trust to cases in which both the database and the Excel Services
  deployment are owned by the same group (usually the central IT). An organization's central IT
  department usually does not trust a small departmental Excel Services deployment to
  delegate its credentials to a central database, because it has no control over the security of this
  type of deployment.
- The performance optimizations described previously in the "One-Machine Topology" section
  will not work.
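The trust described above is recorded in Active Directory on the delegating account: the services it may delegate to are listed in its msDS-AllowedToDelegateTo attribute, and flags in userAccountControl widen or narrow that scope. The following PowerShell audit is an added example, not part of the original text; the account name svc-ecs, the SPNs and the function Test-DelegationScope are hypothetical placeholders, and the sample record is constructed.

```powershell
# Added example: check that the ECS account delegates only to approved databases.
# Account name and SPNs below are hypothetical placeholders.
$EcsAccount   = 'svc-ecs'
$ExpectedSpns = @('MSSQLSvc/sqlfin01.corp.example:1433',
                  'MSSQLSvc/sqlhr01.corp.example:1433')

# userAccountControl bits that change what the account may delegate
$UacUnconstrained      = 0x80000     # TRUSTED_FOR_DELEGATION
$UacProtocolTransition = 0x1000000   # TRUSTED_TO_AUTH_FOR_DELEGATION

function Test-DelegationScope {
    param([string]$Name, [int]$Uac, [string[]]$Allowed, [string[]]$Expected)
    $findings = @()
    if ($Uac -band $UacUnconstrained) {
        $findings += 'unconstrained delegation enabled (not limited to listed services)'
    }
    if ($Uac -band $UacProtocolTransition) {
        $findings += 'protocol transition enabled; confirm it is needed'
    }
    if (-not $Allowed) { $findings += 'no constrained-delegation targets configured' }
    # SPN comparison is case-insensitive, matching PowerShell's default -notcontains
    foreach ($spn in $Allowed)  { if ($Expected -notcontains $spn) { $findings += "unexpected target: $spn" } }
    foreach ($spn in $Expected) { if ($Allowed  -notcontains $spn) { $findings += "approved target not configured: $spn" } }
    [pscustomobject]@{ Account = $Name; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed record: one approved SPN plus one that was never approved.
Test-DelegationScope -Name 'constructed-sample' -Uac 0x200 `
    -Allowed @('MSSQLSvc/sqlfin01.corp.example:1433', 'MSSQLSvc/sqlpayroll.corp.example:1433') `
    -Expected $ExpectedSpns

# Live check (needs the ActiveDirectory module and read access to the directory).
if (Get-Command Get-ADObject -ErrorAction SilentlyContinue) {
    $acct = Get-ADObject -LDAPFilter "(sAMAccountName=$EcsAccount)" `
        -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    if ($acct) {
        Test-DelegationScope -Name $EcsAccount -Uac $acct.userAccountControl `
            -Allowed @($acct.'msDS-AllowedToDelegateTo') -Expected $ExpectedSpns
    } else {
        Write-Warning "Account '$EcsAccount' not found"
    }
}
```

Running the same check on a schedule shows when a database SPN is added to or removed from the ECS account outside the agreed change process.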
To set up Kerberos-constrained delegation, contact your central IT organization. The trust will need to
be set up between the ECS and each of the databases to which you want to connect using this type of