SteelHead™ Deployment Guide - Protocols : RiOS Version Compatibility with Domains and Domain Relationships : Delegation Mode (Deprecated Feature)
Delegation Mode (Deprecated Feature)
In Delegation mode, the server-side SteelHead obtains the cryptographic material it needs to optimize SMB-signed or encrypted MAPI traffic by delegating on behalf of the user. You might need Delegation mode when running a legacy version of RiOS together with legacy Windows applications.
Constrained delegation is commonly used in production environments to let a trusted service authenticate and query specific security information on behalf of a user. Microsoft did not design this feature specifically for SteelHeads; for example, many SharePoint and SSL VPN architectures use constrained delegation to authenticate with a user's Windows credentials.
In a SteelHead deployment, Delegation mode uses Kerberos authentication between the server-side SteelHead and every configured server participating in the signed session (the behavior of RiOS v5.5.x and later). NTLM is used between the client machine and the server-side SteelHead. Delegation mode in RiOS v6.1 and later supports all clients, including Windows 7.
When you use Delegation mode, you create a service principal name (SPN) for the delegate user with the setspn.exe command-line tool. This tool is included in the Windows Server 2003 SP1 Support Tools product CD, or you can download it from the Microsoft Download Center.
The SPN:
  • must be unique, because the domain controller issues the Kerberos ticket for it.
  • cannot be used by another service.
  • cannot be cifs/<hostname-of-domain-controller> or mapi/<hostname-of-domain-controller>, because those SPNs are used by the CIFS and MAPI services on the domain controller.
For example, to register the SPN cifs/delegate on the user account delegate_user:
  c:\> setspn.exe -A cifs/delegate delegate_user
To grant a user access for Delegation mode for the CIFS or MAPI service in Windows
  1. From the Domain Controller, launch the Active Directory Users and Computers tool.
  2. Right-click the username (in this example the username is delegate). This opens the Properties window.
  3. Select Trust this user for delegation to specified services only.
  4. Select Use any authentication protocol.
  5. Click OK.
Figure 12‑1. Delegate Properties
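The same configuration performed from PowerShell, added here as an example and not part of the guide or of Riverbed's own tooling: it covers both the SPN rules above (registering the SPN only after confirming no other account already holds it) and the Delegation mode procedure (restricting delegation to the participating servers and enabling "Use any authentication protocol"). The account name delegate comes from the guide's example; the server names, the use of the cifs service for the delegation targets, and the domain are assumptions. It requires the ActiveDirectory RSAT module and rights to modify the account.

```powershell
# Added example (not from the SteelHead guide): configure the Delegation mode
# account from PowerShell instead of Active Directory Users and Computers.
# Assumptions: account 'delegate' (the guide's example name); the server names
# below are constructed and stand in for the servers in the signed session.
Import-Module ActiveDirectory

$DelegateUser = 'delegate'
$FileServers  = @('fs01.corp.example', 'fs02.corp.example')   # constructed hostnames
$Spn          = "cifs/$DelegateUser"

$account = Get-ADUser -Identity $DelegateUser

# 1. The SPN must be unique: if any other object already holds it, the KDC cannot
#    choose a key for the ticket and Kerberos breaks for both services. Stop here.
$holder = Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)"
if ($holder -and ($holder.DistinguishedName -ne $account.DistinguishedName)) {
    throw "SPN $Spn is already registered on $($holder.DistinguishedName)"
}

# 2. Register the SPN on the delegate account. -S (unlike the guide's -A) makes
#    setspn itself refuse to create a duplicate, as a second line of defence.
setspn.exe -S $Spn $DelegateUser

# 3. 'Trust this user for delegation to specified services only':
#    msDS-AllowedToDelegateTo lists the only SPNs this account may obtain tickets
#    for on a user's behalf. Both FQDN and short-name forms are listed because the
#    SteelHead may request either. (cifs is an assumption; MAPI servers need the
#    Exchange SPN instead.)
$targets = foreach ($srv in $FileServers) {
    "cifs/$srv"
    "cifs/$($srv.Split('.')[0])"
}
Set-ADUser -Identity $DelegateUser -Replace @{ 'msDS-AllowedToDelegateTo' = $targets }

# 4. 'Use any authentication protocol' sets TRUSTED_TO_AUTH_FOR_DELEGATION
#    (protocol transition). It is required here because the client side of the
#    session is NTLM, so there is no Kerberos ticket to forward.
Set-ADAccountControl -Identity $DelegateUser -TrustedToAuthForDelegation $true

# 5. Read the result back for verification and for the change record.
Get-ADUser -Identity $DelegateUser -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation |
    Select-Object SamAccountName, servicePrincipalName, 'msDS-AllowedToDelegateTo', TrustedToAuthForDelegation
```

Step 5 is worth keeping in a runbook even after a GUI change: msDS-AllowedToDelegateTo should contain only the SPNs of the servers that actually participate in the signed session, and TrustedToAuthForDelegation being true on an account is the attribute a directory audit will flag, so the delegate account should be tracked as a privileged service account.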