echo: nthelp
to: John Beckett
from: Ellen K.
date: 2005-09-13 20:39:24
subject: Re: pass-through credentials

OK, delegation is what I meant and Hrvoje's message doesn't change anything.

On Mon, 12 Sep 2005 19:32:29 +1000, John Beckett wrote:

>Ellen K. wrote:
>> Is this different from Delegation?  If so, how?
>
>This is a really heavy topic. The brief answer is no.
>
>If a domain user at a workstation accesses a share on a server, the
>workstation sends the user's credentials to the server. In principle, the
>server asks a domain controller to authenticate the user (in practice,
>using Kerberos, the client sends the server all it needs). This is a
>transitive network logon.
>
>Probably in the context that you are wondering about, a domain user at a
>workstation runs a client app that sends a request to server1. To fulfill
>the request, server1 asks server2 to do something (e.g. a database
>transaction). Server1 uses the user's credentials when sending the request
>to server2, so the transaction is executed with the privilege of the user,
>not the privilege of server1 or server2. That process is known as
>delegation of authentication. The client authorises server1 to represent
>the client. A domain admin has to specify that server1 is trusted to
>perform delegation (i.e. the software running on server1 is known to be
>good, and won't misuse its ability to authenticate as users).
>
>John

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
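
Added example, not part of the original messages: the "trusted to perform delegation" setting John describes is stored in Active Directory's userAccountControl attribute, and the sketch below shows how an auditor might review it. It goes slightly beyond the thread by also covering constrained delegation and the "sensitive" flag; the account records and host names are constructed samples.

```python
# Added example, not from the thread. Flag values are the documented
# Active Directory userAccountControl bits; the records are constructed.
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller account
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # sensitive, cannot be delegated
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition

def classify(rec):
    """Return (delegation kind, list of review findings) for one record."""
    uac = rec["userAccountControl"]
    targets = rec.get("msDS-AllowedToDelegateTo", [])
    findings = []
    if uac & TRUSTED_FOR_DELEGATION:
        kind = "unconstrained"
        # Domain controllers carry this flag by default; anything else
        # is a server that can act as its users towards any service.
        if not uac & SERVER_TRUST_ACCOUNT:
            findings.append("non-DC account may act as its users to any service")
    elif targets:
        kind = "constrained"
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append("protocol transition enabled")
    else:
        kind = "none"
    # Privileged accounts should not be forwardable by a delegating server.
    if rec.get("adminCount") == 1 and not uac & NOT_DELEGATED:
        findings.append("privileged account is not marked sensitive")
    return kind, findings

def audit(records):
    """Map account name -> (kind, findings) for every record."""
    return {r["sAMAccountName"]: classify(r) for r in records}

# Constructed sample directory records (hypothetical names and hosts).
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | 0x80000},
    {"sAMAccountName": "SERVER1$", "userAccountControl": 0x1000 | 0x80000},
    {"sAMAccountName": "svc-web", "userAccountControl": 0x200 | 0x1000000,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/server2.example.test:1433"]},
    {"sAMAccountName": "admin-jane", "userAccountControl": 0x200, "adminCount": 1},
    {"sAMAccountName": "admin-bob", "userAccountControl": 0x200 | 0x100000,
     "adminCount": 1},
]

if __name__ == "__main__":
    for name, (kind, findings) in audit(SAMPLE).items():
        print(f"{name:12} {kind:14} {'; '.join(findings) or 'ok'}")
```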
