
Delegation Setup for ADFS/SAML, File and DFS Servers in Active Directory


This article describes the Delegation Setup steps for ADFS/SAML to function properly with any back-end File and DFS Servers in Active Directory.  The complete ADFS setup article is located here.

When shares are located on a server other than the MyWorkDrive Server (MWD), are reached through DFS, or users are authenticated using ADFS, the MyWorkDrive Server must be trusted for delegation to those ADFS, File and DFS Servers so that user tokens are properly passed to the back-end file shares.

Configure Active Directory Delegation on the MyWorkDrive Server computer object to add any File Servers, DFS Servers and ADFS servers in your organization.

– From a Domain Controller – Server Manager – Tools – Active Directory Users and Computers – Computers – {select computer where MWD is installed} – Properties
– Delegation – Trust this computer for delegation to specified services only – Use any authentication protocol – Add – Users or Computers – {select computer(s) that contains required network shares and computer(s) with DFS role installed} – OK
– Available services – select cifs – OK

We strongly recommend you DO NOT SELECT the option which says “Trust this computer for delegation to any servers (Kerberos only).” That option is unconstrained delegation: the server could then present a user's credentials to any service in the domain, not only the file shares it needs.
We strongly advocate you take a Least Privileged Access approach by specifying the servers and services as described above. You can read more about securing your Active Directory and delegation risks on Petri.com and ADSecurity.org.

Example configuration allowing MWD to delegate to FILE-SERVER1 and DFS-SERVER1:
–    MWD installed on computer MYWORKDRIVE-SERVER1
–    Network File Share Server: FILE-SERVER1
–    DFS Server: DFS-SERVER1
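The same settings can be applied and verified from PowerShell. The following is an added example, not part of the MyWorkDrive article: it reproduces the three Delegation-tab steps above for the sample computers, then checks that unconstrained delegation is not set. The DNS suffix corp.example.com is an assumed placeholder; replace it with your domain's DNS name.

```powershell
# Added example (not from the MyWorkDrive article): PowerShell equivalent of the
# ADUC "Delegation" tab steps. Computer names are the article's samples; the
# domain suffix is an assumption.
Import-Module ActiveDirectory

$MwdComputer  = 'MYWORKDRIVE-SERVER1'
$DomainSuffix = 'corp.example.com'            # assumption: your AD DNS name
$BackEnds     = @('FILE-SERVER1', 'DFS-SERVER1')

# "Trust this computer for delegation to specified services only" is stored as
# a list of target SPNs in msDS-AllowedToDelegateTo. Register both the short
# and the FQDN form of the cifs SPN, since clients may request either.
$Spns = foreach ($Server in $BackEnds) {
    "cifs/$Server"
    "cifs/$Server.$DomainSuffix"
}

# -Replace writes the complete list, so re-running the script is idempotent
# (a second -Add of an existing value would fail).
Set-ADComputer -Identity $MwdComputer -Replace @{ 'msDS-AllowedToDelegateTo' = $Spns }

# "Use any authentication protocol" = protocol transition. ADFS/SAML logons
# need it because no Kerberos ticket from the user ever reaches MWD.
Set-ADComputer -Identity $MwdComputer -TrustedToAuthForDelegation $true

# Verify, and confirm the discouraged "any service (Kerberos only)" setting,
# i.e. unconstrained delegation (TrustedForDelegation), is NOT enabled.
$c = Get-ADComputer -Identity $MwdComputer -Properties TrustedForDelegation,
        TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
if ($c.TrustedForDelegation) {
    Write-Warning "$MwdComputer is trusted for UNCONSTRAINED delegation; clear that setting."
}
$c | Format-List Name, TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'
```

Run it from a domain-joined admin session with the RSAT ActiveDirectory module. The final Format-List output should show TrustedForDelegation as False, TrustedToAuthForDelegation as True, and only cifs SPNs for the file and DFS servers in msDS-AllowedToDelegateTo.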

For customers hosting their Active Directory in Azure AD Domain Services (which is not the same as Azure AD), delegation must be enabled using resource-based constrained delegation in PowerShell. Some customers in high-security environments may also require resource-based constrained delegation. PowerShell configuration steps for Server 2012 or higher domains are in Microsoft's articles on how to enable Kerberos constrained delegation (KCD) on a managed domain and how to configure computer delegation with PowerShell. An example command for a File Server and MyWorkDrive Server is as follows:

Set-ADComputer MYWORKDRIVE-SERVER -PrincipalsAllowedToDelegateToAccount (Get-ADComputer FILESERVER)

To check delegation, run the following PowerShell command:

Get-ADComputer MYWORKDRIVE-SERVER -Properties * | Format-List -Property *delegat*,msDS-AllowedToActOnBehalfOfOtherIdentity
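The raw attribute returned by that check is a binary security descriptor, which is hard to read. The following is an added example, not part of the MyWorkDrive article: it configures resource-based constrained delegation for the sample computers and then decodes the allow list into account names. The Kerberos KDC evaluates RBCD at the resource, so the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on the file server is what names the front-end accounts (here the MyWorkDrive computer) permitted to present delegated user tickets to it; the example sets and reads it there. Computer names are the article's samples; nothing else is assumed.

```powershell
# Added example (not from the MyWorkDrive article): resource-based constrained
# delegation (RBCD) via PowerShell, with a readable verification step.
Import-Module ActiveDirectory

$MwdComputer = 'MYWORKDRIVE-SERVER'
$FileServers = @('FILESERVER')     # add DFS servers here too if shares are reached via DFS

$Mwd = Get-ADComputer -Identity $MwdComputer

foreach ($Fs in $FileServers) {
    # The back-end (resource) object holds the allow list. This parameter
    # REPLACES the list, so pass every front-end that needs access at once.
    Set-ADComputer -Identity $Fs -PrincipalsAllowedToDelegateToAccount $Mwd
}

# The attribute is an ActiveDirectorySecurity object: walk its ACEs and
# resolve each SID to DOMAIN\NAME so the allow list can be audited at a glance.
function Get-RbcdPrincipals {
    param([Parameter(Mandatory)][string]$ComputerName)
    $obj = Get-ADComputer -Identity $ComputerName `
               -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    $sd = $obj.'msDS-AllowedToActOnBehalfOfOtherIdentity'
    if (-not $sd) { return @() }   # no RBCD configured on this resource
    $sd.Access | ForEach-Object {
        try   { $_.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $_.IdentityReference.Value }   # orphaned SID: leave it raw
    }
}

foreach ($Fs in $FileServers) {
    '{0} accepts delegated tickets from: {1}' -f $Fs, ((Get-RbcdPrincipals $Fs) -join ', ')
}
```

A practitioner reviewing the environment can run Get-RbcdPrincipals against every file and DFS server: each list should contain only the MyWorkDrive computer account (and any other approved front-end), and an unresolvable SID in the output points to a stale entry that should be removed.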