Setup was unable to verify that the trust for delegation

I didn't have the media handy to double check. So as long as the machine is domain joined, all should still work as per my last post. If anyone is coming here from Google, I got this error but it wasn't a permissions issue. The computer's object in AD had the "prevent from accidental deletion" box checked and gave this bit about delegation by accident during dcpromo. The real fix is to uncheck that. Once the object is moved to the Domain Controller's OU, you can turn it back on.
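The check Mike describes, as an added PowerShell example (not code from his post or from the thread): read the "Protect object from accidental deletion" flag on the server's computer object, clear it before the promotion, and put it back only once the object has landed in the Domain Controllers OU. The server name NEWDC01 is assumed.

```powershell
# Added example; not code from Mike's post or from the thread.
# Assumed name: the server being promoted is NEWDC01.
Import-Module ActiveDirectory

$server = 'NEWDC01'

# Read the computer object together with the "Protect object from accidental deletion" flag.
$comp = Get-ADComputer -Identity $server -Properties ProtectedFromAccidentalDeletion

"{0}`n  ProtectedFromAccidentalDeletion = {1}" -f $comp.DistinguishedName, $comp.ProtectedFromAccidentalDeletion

if ($comp.ProtectedFromAccidentalDeletion) {
    # The flag is implemented as explicit Deny ACEs (Delete, Delete Subtree) on the object.
    # A move needs delete rights on the source side, so the flag blocks the promotion's
    # move of the object into the Domain Controllers OU. Clear it before promoting.
    Set-ADObject -Identity $comp.DistinguishedName -ProtectedFromAccidentalDeletion $false
    "Cleared protection on $($comp.DistinguishedName)"
}

# Run the promotion here (dcpromo on Server 2008 R2 and earlier,
# Install-ADDSDomainController on Server 2012 and later).

# After the promotion the object should sit in the Domain Controllers OU;
# only then put the protection back.
$dcContainer = (Get-ADDomain).DomainControllersContainer
$after = Get-ADComputer -Identity $server

if ($after.DistinguishedName -like "*,$dcContainer") {
    Set-ADObject -Identity $after.DistinguishedName -ProtectedFromAccidentalDeletion $true
    "Re-enabled protection on $($after.DistinguishedName)"
} else {
    Write-Warning "$server is still at $($after.DistinguishedName); leaving protection off."
}
```

Run the first half before the promotion and the second half after it; if the object never moved, the warning tells you the promotion did not complete rather than silently re-locking an object in the wrong container.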

Thanks Mike, this was killing me and the protection from accidental deletion ended up being the culprit.

The error was: "Access is denied."

Finally was able to promote the server to a domain controller as follows!

Tommylotmanagement, May 9, at UTC

Justin (Windows Server expert):

If the domain controller policy doesn't exist, evaluate whether that condition is because of simple replication latency, an AD replication failure, or whether the policy has been deleted from Active Directory.

Don't manually recreate the policy with the same name and settings as the default. If the default domain controllers policy exists in Active Directory on some domain controllers but not others, evaluate whether that inconsistency is due to simple replication latency or a replication failure. Resolve as required. Verify that the user account that does the DCPROMO operation has been granted the "Enable computer and user accounts to be trusted for delegation" user right in the default domain controllers policy.
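The two checks above (does the Default Domain Controllers Policy exist, and who holds the "Enable computer and user accounts to be trusted for delegation" right in it), as an added PowerShell example that is not part of the thread or of the Microsoft text it quotes. It assumes the RSAT GroupPolicy module and that the Get-GPOReport XML uses the UserRightsAssignment/Name/Member element names shown in the comments.

```powershell
# Added example; not code from the thread or from the Microsoft article it quotes.
# Requires the GroupPolicy module (RSAT) and read access to SYSVOL.
Import-Module GroupPolicy

$gpoName     = 'Default Domain Controllers Policy'
$defaultGuid = [guid]'6AC1786C-016F-11D2-945F-00C04FB984F9'   # well-known GUID of this GPO

# 1. Does the policy exist as seen from the DC this session is talking to?
$gpo = try { Get-GPO -Name $gpoName -ErrorAction Stop } catch { $null }
if (-not $gpo) {
    # Missing: replication latency, a replication failure, or a deletion. Do not recreate it
    # by hand under the same name; dcgpofix /target:DC is the supported way to restore it.
    throw "'$gpoName' not found via $($env:COMPUTERNAME)"
}
if ($gpo.Id -ne $defaultGuid) {
    Write-Warning "'$gpoName' has GUID $($gpo.Id); the real default policy is $defaultGuid (this one is a look-alike)"
}

# 2. Pull the user-rights assignments out of the XML report. local-name() ignores the
#    report's XML namespaces; the element names (UserRightsAssignment, Name, Member) are
#    assumed to follow the Get-GPOReport schema.
[xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
$right = 'SeEnableDelegationPrivilege'   # "Enable computer and user accounts to be trusted for delegation"

$assignment = $report.SelectNodes("//*[local-name()='UserRightsAssignment']") |
    Where-Object { $_.SelectSingleNode("*[local-name()='Name']").InnerText -eq $right } |
    Select-Object -First 1

if (-not $assignment) {
    Write-Warning "$right is not defined in '$gpoName'; the promoting account cannot get it from this policy"
} else {
    $holders = $assignment.SelectNodes("*[local-name()='Member']") |
        ForEach-Object { $_.SelectSingleNode("*[local-name()='Name']").InnerText }
    "$right is granted in '$gpoName' to: $($holders -join ', ')"
    # Default is BUILTIN\Administrators. The account running dcpromo must be a member of one
    # of the listed groups; confirm its token with: whoami /groups  (run as that account).
}
```

Run this against more than one domain controller (Get-GPO -Server) when the policy is reported missing, since the point of the check is to tell latency apart from a deletion.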

By default, this right is granted to members of the Administrators security group in the target domain.

If you are accessing the Web server by using a name other than the actual name of the server, a new Service Principal Name (SPN) must have been registered by using the Setspn tool from the Windows Server Resource Kit.

Because the Active Directory directory service does not know this service name, the ticket-granting service (TGS) does not give you a ticket to authenticate the user.

This behavior forces the client to use the next available authentication method, which is NTLM, to renegotiate. If the Web server is responding to a DNS name of www. To do this, you must download the Setspn tool and install it on the server that is running IIS.

If you cannot connect to the server, see the "Verify the computer is trusted for delegation" section. If you can connect to the server, follow these steps to set an SPN for the DNS name that you are using to connect to the server:

Run the following command to add this new SPN www.

Setspn -L webservername

Note that you do not have to register all services. This mapping applies only if the Web service is running under the local System account.

If this server running IIS is a member of the domain but is not a domain controller, the computer must be trusted for delegation for Kerberos to work correctly. To do this, follow these steps:

On the domain controller, click Start, point to Settings, and then click Control Panel. In the list, locate the server running IIS, right-click the server name, and then click Properties. Click the General tab, click to select the Trusted for delegation check box, and then click OK. Note that if multiple Web sites are reached by the same URL but on different ports, delegation will not work.

To make this work, you must use different hostnames and different SPNs. Internet Explorer doesn't add the port or the vdir to the SPN request. Each SPN can be declared only for one identity. For more information about the configuration for delegating credentials when you use an ASP.NET application, click the following article number to view the article in the Microsoft Knowledge Base:

ASP.NET application for a delegation scenario

Impersonation and delegation are two methods for a server to authenticate on behalf of the client. Deciding which of these methods to use, and how to implement them, can cause some confusion. You must review the difference between these two methods and examine which of them you may want to use for your application.
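The SPN registration and the "Trusted for delegation" steps above, as one added PowerShell example (not code from the Microsoft article or from the thread). It uses the ActiveDirectory module rather than setspn.exe, with the setspn equivalents in comments, and it covers the two caveats the article raises: an SPN may belong to only one account, and a second site on the same host name but a different port cannot get its own SPN. WEB01, www.contoso.com, gc01.contoso.com and the SQL SPN in the last comment are assumed names.

```powershell
# Added example; not code from the Microsoft article or the thread. It uses the
# ActiveDirectory module where the article uses setspn.exe; the equivalent setspn
# commands are in the comments.
# Assumed names: IIS server WEB01, alias www.contoso.com, global catalog gc01.contoso.com.
Import-Module ActiveDirectory

$webServer = 'WEB01'
$alias     = 'www.contoso.com'
$spn       = "HTTP/$alias"

# 1. What is registered today (setspn -L WEB01)?
$acct = Get-ADComputer -Identity $webServer -Properties ServicePrincipalNames, TrustedForDelegation
"SPNs on $($webServer):"
$acct.ServicePrincipalNames | Sort-Object | ForEach-Object { "  $_" }

# 2. An SPN may map to exactly one account. A duplicate makes the KDC refuse the service
#    ticket and the client falls back to NTLM (setspn -X lists duplicates). Query the
#    global catalog so the check covers every domain in the forest.
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Server 'gc01.contoso.com:3268'
if ($owner -and $owner.DistinguishedName -ne $acct.DistinguishedName) {
    throw "$spn is already registered on $($owner.DistinguishedName); remove it there first"
}

# 3. Register the alias (setspn -S HTTP/www.contoso.com WEB01). The computer account is the
#    right place only while the application pool runs as Local System or Network Service;
#    for a domain service account, put the SPN on that user object instead.
#    A second site on the same host name but another port cannot get its own SPN: the
#    browser requests HTTP/host without the port, so give it a different host name.
if ($acct.ServicePrincipalNames -notcontains $spn) {
    Set-ADComputer -Identity $webServer -ServicePrincipalNames @{Add = $spn}
    "Added $spn to $webServer"
}

# 4. "Trusted for delegation" in the computer's properties is unconstrained delegation:
#    the server may forward the user's TGT to any service. It is what the article's steps
#    set; constrained delegation (a list of permitted target SPNs) is the safer choice.
"TrustedForDelegation on $webServer = $($acct.TrustedForDelegation)"
if (-not $acct.TrustedForDelegation) {
    # Unconstrained, as in the article:
    Set-ADAccountControl -Identity $webServer -TrustedForDelegation $true
    # Constrained alternative, limiting WEB01 to one back-end service (assumed SPN):
    # Set-ADComputer -Identity $webServer -Add @{'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql01.contoso.com:1433'}
}
```

After the change, a client that previously negotiated NTLM for the alias should obtain a Kerberos ticket; on the client, klist shows an HTTP/www.contoso.com entry once the new SPN is in use.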

My recommendation would be to read the following white paper for further details:

IIS Developer Support Voice column: Kerberos authentication and troubleshooting delegation issues
