How to Delegate the Right to Delegate Kerberos Constrained Delegation
Wow, that is a lot of delegating…seriously how many times can you say it in one sentence. Today’s post is one that threw me for a loop. As a domain admin I have the right to configure constrained Kerberos delegation. There may come a time when you want to delegate that out to a user or group.
My first thought was to assign the user/group Full Control on the OU that included the accounts. At this point I would run the following command
setspn -a http/workstation01 adminprep\brian
Surely Full Control would grant me the permission to do this…Failed!!! Insufficient access rights. It is not a “permission” that is needed, it is a “User Right”. So where do you go to assign rights to work with constrained delegation and what User Right is it? Well, you won’t find it in the Local Security Policy.
The User Right that you need to grant is SeEnableDelegationPrivilege. Now where and how do I grant this User Right. Well it turns out you still should delegate Full Control to the user/group that you want to grant this User Right too. Then on a DC you must run the following command:
ntrights -u adminprep\brian +r SeEnableDelegationPrivilege
Just make sure to modify that domain/user to match your environment. Now when I run the Setspn command it works because that account has the correct User Right. You may have to wait for replication to occur if you are in a distributed environment.