Delegating access to PolyAnalyst service

When impersonation mode is on, the server operates under the account of the user who is logged in on the client computer. In effect, impersonation grants that account a temporary logon on the server computer, with a few limitations. One of these limitations concerns access to other computers.

For example, when an impersonated user account tries to access a network share located on a third computer, the access is performed as an anonymous user. Accessing a third computer on behalf of the impersonated user is called delegation.

If delegation is required, you must explicitly allow it by registering the service principal name (SPN) of this service on the domain controller. To do this, use the Setspn utility.

Configuring impersonation

To configure impersonation access, you need administrator rights.
  1. Launch a Windows command prompt with administrator rights on the domain controller.

  2. Execute the following command:

    setspn -S PAserviceName/computerName userName

    where userName is the account under which the PolyAnalyst service runs. If the PolyAnalyst service runs as SYSTEM, use computerName instead of userName.

  3. After the above command has been executed, the properties of the given user in Active Directory Users and Computers will show a Delegation tab.

  4. Allow delegation for the PolyAnalyst service in this tab. If the list of services is empty, press Add. A dialog window appears, where you need to press the User and Computers button and enter the userName.

  5. Press Check names.

  6. Press OK. The dialog window will close, and the list will now include the service, registered with the Setspn utility. Add this service.

  7. Make sure that the users whose credentials are to be delegated are permitted to be delegated: ensure that the "Account is sensitive and cannot be delegated" option is NOT checked for them.

Troubleshooting

If you come across errors such as "AcceptSecurityContext failed. System error is 'Insufficient system resources exist to complete the requested service.'" or "InitializeSecurityContext failed. System error is 'Logon failure: The target account name is incorrect.'", you may have registered the service for the wrong user. In this case, delete the registered SPN and perform the registration again for the correct account.
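The following PowerShell script is an added illustration and is not part of the PolyAnalyst documentation: it performs the registration from step 2, verifies which account holds the SPN (the check behind the troubleshooting advice above) and tests the flag from step 7. PAserviceName/computerName and userName are the page's placeholders; someClientUser is a hypothetical client account. It assumes an elevated shell on a domain-joined machine with the RSAT ActiveDirectory module installed.

```powershell
# Added example (not the PolyAnalyst documentation's own script).
# Placeholder values - replace with your own:
$Spn         = 'PAserviceName/computerName'   # SPN exactly as in step 2
$ServiceAcct = 'userName'                     # account the PolyAnalyst service runs as
$ClientUser  = 'someClientUser'               # hypothetical user whose credentials get delegated

# 1. Does some account already hold this SPN? An SPN sitting on the wrong account
#    is the cause of the "target account name is incorrect" error described above.
$query = setspn -Q $Spn
if ($query -match 'Existing SPN found') {
    Write-Host 'SPN already registered:'
    $query
} else {
    # -S checks for duplicates before adding (unlike the older -A switch)
    setspn -S $Spn $ServiceAcct
}

# 2. Confirm the SPN is on the intended account and show its delegation settings.
#    If the service runs as SYSTEM, use Get-ADComputer with the computer account instead.
Import-Module ActiveDirectory
$svc = Get-ADUser -Identity $ServiceAcct `
    -Properties ServicePrincipalNames, TrustedForDelegation, 'msDS-AllowedToDelegateTo'
if ($svc.ServicePrincipalNames -notcontains $Spn) {
    Write-Warning "$Spn is not registered on $ServiceAcct. Find the holder with 'setspn -Q $Spn'," +
                  " remove it with 'setspn -D $Spn <wrongAccount>' and re-run setspn -S."
}
"Unconstrained delegation enabled : $($svc.TrustedForDelegation)"
"Constrained delegation targets   : $($svc.'msDS-AllowedToDelegateTo' -join ', ')"

# 3. Step 7: the client user must not be marked "Account is sensitive and cannot be delegated".
$u = Get-ADUser -Identity $ClientUser -Properties AccountNotDelegated
if ($u.AccountNotDelegated) {
    Write-Warning "$ClientUser is marked as not delegable; clear the option on the Account tab."
} else {
    "$ClientUser may be delegated."
}
```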