In addition to configuring delegation rights on the SEG server, the service account attached to the SEG Application Pool must also be given delegation permissions.

Verify the Identity of the SEG

  1. Launch Internet Information Services (IIS) Manager by selecting Start > Run. In the dialog box type “inetmgr” and select OK. The IIS Manager window appears.
  2. In the left-hand Connections pane, select the SEG server.
  3. Click the Application Pools folder.
  4. In the right-hand Application Pools pane, locate the SecureEmailGateway.
  5. Under the Identity column, verify the identity of the SecureEmailGateway is Network Service.

Configure Local Security Policy for SEG to Act as Part of the Operating System

  1. On the SEG server, open a command prompt by selecting Start > Run.
  2. Type cmd and then select OK.
  3. In the command prompt, type secpol.msc and then select OK. A Local Security Policy window displays.
  4. In the left-hand pane, select Security Settings > Local Policies > User Rights Assignment.
  5. In the right-hand pane, under Policy, select Act as part of the operating system. A dialog window appears.

  6. Click Add User or Group.

  7. Type the name of the Service Account attached to the Application Pool. The name must be the same as the name associated with the SEG (i.e., Network Service).

  8. Click OK. The Local Security Policy window displays.

Configure Local Security Policy for SEG to Impersonate a Client after Authentication

  1. In the right-hand pane, under Policy, double-click on Impersonate a client after authentication.

  2. The Service Account attached to the Application Pool must be the same as the name associated with the SEG (i.e., Network Service). Verify that the name appears in the list. If not, do the following:
    1. Click Add User or Group.
    2. Add the name of the Service Account.
  3. Select the Service Account in the list (i.e., Network Service).
  4. Click OK.
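
The three procedures above can be checked from an elevated PowerShell session on the SEG server. The script below is an added example, not part of the vendor procedure: it reads the application pool identity and exports the local user rights to confirm that Network Service holds both rights, listing every other holder as well, since Act as part of the operating system is normally granted to very few accounts. It assumes the pool is named SecureEmailGateway as shown above and that the WebAdministration module is installed; the temporary file name is arbitrary.

```powershell
# Added example: audit the settings configured in the procedures above.
# Run in an elevated PowerShell session on the SEG server.
Import-Module WebAdministration

$poolName    = 'SecureEmailGateway'   # application pool name as shown on this page
$expectedSid = 'S-1-5-20'             # well-known SID of NT AUTHORITY\NETWORK SERVICE

# 1. Application pool identity (the Identity column in IIS Manager)
$identityType = (Get-ItemProperty "IIS:\AppPools\$poolName" -Name processModel).identityType
"{0} identity: {1}" -f $poolName, $identityType

# 2. Export only the user rights section of the local security policy
$cfg = Join-Path $env:TEMP 'seg-user-rights.inf'   # arbitrary temporary file name
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$rights = [ordered]@{
    SeTcbPrivilege         = 'Act as part of the operating system'
    SeImpersonatePrivilege = 'Impersonate a client after authentication'
}

# 3. For each right, collect the holders as SIDs and compare with Network Service
$results = foreach ($right in $rights.Keys) {
    # A right that is assigned to nobody has no line in the export
    $line = Select-String -Path $cfg -Pattern "^$right\s*=" | Select-Object -First 1
    $sids = @()
    if ($line) {
        $sids = @(($line.Line -split '=', 2)[1].Split(',') | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) { $entry.TrimStart('*') }   # exported as a SID
            else {                                                  # exported as a name
                try { (New-Object Security.Principal.NTAccount($entry)).Translate(
                        [Security.Principal.SecurityIdentifier]).Value }
                catch { $entry }                                    # keep unresolved names
            }
        })
    }
    [pscustomobject]@{
        Policy                = $rights[$right]
        NetworkServiceGranted = $sids -contains $expectedSid
        AllHolders            = $sids -join ', '
    }
}

Remove-Item $cfg -ErrorAction SilentlyContinue
$results | Format-Table -AutoSize -Wrap
```

Both rows should show NetworkServiceGranted as True and the pool identity should read NetworkService; any unexpected entry under AllHolders for Act as part of the operating system is worth reviewing.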