When the Delegation tab is missing in Windows 2003 Active Directory Users and Computers

So you’ve been investigating Kerberos, and you’ve used ‘setspn.exe’ (part of the Windows 2003 support tools install) to set up the Service Principal Names for your domain controller… but when you try to assign a user account some delegation rights… the damn Delegation tab is missing!

The first thing to do is to check that your domain controller is operating in Windows 2003 mode. By default you’ll find your system will operate in the Windows 2000 compatible mode.

To do this, go to Active Directory Users and Computers, right-click on your domain, and click ‘Raise Domain Functional Level’ (see the screenshot below):

image001

This will give you something like this:

image002

This dialog box tells me that my domain controller is operating in the correct mode for the Delegation tab to be displayed in the Active Directory settings. If your server is running in Windows 2000 compatible mode, you’ll be given the option to raise its functional level - you should do this if you want the Delegation tab to appear! I’m guessing, as I’ve never tried it out, that if you want the server to be a domain controller with Windows 2000 and lower machines it won’t work when you change this setting, so beware, as once you’ve done it… there’s no going back!

And there you have it… my server now has a delegation tab:

image003

I hope this helps you out, as when I googled for this issue, I found nothing… please add any links to more descriptive discussion of this issue if you know of any.

enjoy

SpittingCAML





5 Responses to “When the Delegation tab is missing in Windows 2003 Active Directory Users and Computers”

  1. Charles Says:

    Hi,
    In order to display the delegation tab for the user account, I had to add an spn for that user account. The delegation tab did show up for the computer once the domain functional level was raised, however not for user accounts.
    Use the following command to just add a spn for the user account:
    setspn -a http/

    Cheers

  2. Chad Says:

    Thanks, Charles. Your comment and solution were spot on. Not too many sites seem to know this.

  3. Chello Says:

    Thanks for sharing.

  4. Fredro Says:

    THANK YOU SOOOO MUCH!!!! This helped a ton for our sharepoint implementation.

  5. Lawrence Says:

    Thanks bud, I wasted hours trying to add a SPN using the command prompt until I found this post that made me realise why the delegation tab was missing.
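
The two conditions this page arrives at (the domain functional level from the post, and an SPN on the user account from Charles's comment) can be checked from a script before opening the GUI. This is an added example, not code from the original post or its comments; the account name `svc-example` is a hypothetical placeholder, and it assumes a domain-joined machine with PowerShell and read access to the directory.

```powershell
# Added example: reports whether the two preconditions discussed on this page
# are met for a user account. Read-only; it changes nothing in the directory.
param(
    # Hypothetical account name; restricted to characters that are safe
    # to place inside an LDAP filter without escaping.
    [ValidatePattern('^[A-Za-z0-9._$-]+$')]
    [string]$SamAccountName = 'svc-example'
)

# RootDSE exposes the domain functional level as 'domainFunctionality':
# 0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003.
# A missing attribute converts to 0, i.e. it is treated as Windows 2000.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.Properties['defaultNamingContext'].Value
$level    = [int]$rootDse.Properties['domainFunctionality'].Value
$levelOk  = $level -ge 2

# Look up the user (objectCategory=person excludes computer accounts)
# and load only the servicePrincipalName attribute.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$domainDn")
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SamAccountName))"
[void]$searcher.PropertiesToLoad.Add('servicePrincipalName')
$result = $searcher.FindOne()

if (-not $result) {
    Write-Warning "Account '$SamAccountName' not found in $domainDn"
    return
}

# Result property names are lower-case; the key is absent when no SPN is set.
$spns = @()
if ($result.Properties.Contains('serviceprincipalname')) {
    $spns = @($result.Properties['serviceprincipalname'])
}

Write-Output "Domain:                   $domainDn"
Write-Output "Functional level value:   $level (needs 2 or higher: $levelOk)"
Write-Output "SPNs on ${SamAccountName}:"
if ($spns.Count -eq 0) { Write-Output '  (none)' }
foreach ($spn in $spns) { Write-Output "  $spn" }

if ($levelOk -and $spns.Count -gt 0) {
    Write-Output 'Both conditions from this page are met for this account.'
} else {
    Write-Output 'At least one condition from this page is not met.'
}
```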
