2001 Windows 10 Enterprise Breaks Delegation - microsoft/CSS_SQL_Networking_Tools GitHub Wiki
2001 Windows 10 Enterprise Breaks Delegation
Symptom
Windows 10 users complain they can no longer use linked servers or web sites that delegate credentials to SQL Server.
Windows 7 and 8 users are okay.
Cause
Windows 10 Enterprise Edition has a feature called Credential Guard. This feature prevents the user credentials from being used in full delegation scenarios; constrained delegation must be used instead.
More information
If the client is Windows 10 Enterprise Edition and the Credential Guard feature is turned on, then you will not be able to use full delegation (Trust this user for delegation to any service). You can only use constrained delegation. One common symptom is that Windows 7/8 users can delegate, but Windows 10 users cannot.
In Windows 10 Enterprise there is a new feature called Credential Guard: (https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard)
As per documentation (https://docs.microsoft.com/en-us290775/windows/access-protection/credential-guard/credential-guard-requirements).
Applications will break if they require:
- Kerberos DES encryption support
- Kerberos unconstrained/full delegation
- Extracting the Kerberos TGT
- NTLMv1
Implications
Any network where you have even one Windows 10 Enterprise user with Credential Guard enabled will have to switch all the servers from full to constrained delegation to constrained delegation.
Executing SSIS packages in SSIDB from a remote system, e.g. a client machine via SQL Server Management Studio, will fail. SSIS's architecture prevents it from being used with constrained delegation. Launching the jobs from (a local) SQL Agent should be fine as long as the back-end databases do not themselves use Linked Servers.