The Life of Brian

Active Directory, Group Policies, Server Core and the Life of Brian

How to Delegate the Right to Delegate Kerberos Constrained Delegation

Wow, that is a lot of delegating... seriously, how many times can you say it in one sentence? Today’s post is one that threw me for a loop. As a domain admin I have the right to configure constrained Kerberos delegation. There may come a time when you want to delegate that out to a user or group.

My first thought was to assign the user/group Full Control on the OU that included the accounts. At that point I would run the following command:

setspn -a http/workstation01 adminprep\brian

Surely Full Control would grant me the permission to do this... Failed!!! "Insufficient access rights." It is not a "permission" that is needed; it is a "User Right". So where do you go to assign rights to work with constrained delegation, and which User Right is it? Well, you won’t find it in the Local Security Policy.

The User Right that you need to grant is SeEnableDelegationPrivilege. Now, where and how do I grant this User Right? Well, it turns out you should still delegate Full Control to the user/group to which you want to grant this User Right. Then, on a DC, you must run the following command:

ntrights -u adminprep\brian +r SeEnableDelegationPrivilege

Just make sure to modify that domain\user to match your environment. Now when I run the setspn command it works, because that account has the correct User Right. You may have to wait for replication to occur if you are in a distributed environment.

Comments

Biju said:

Just wondering:

What if I only grant Read/Write servicePrincipalName and modify the "msDS-AllowedToDelegateTo" attribute on user/computer objects instead of Full Control?

I'm a bit reluctant to grant Full Control :)

# July 16, 2010 2:57 AM

BrianM said:

Oddly enough, that didn't work for me. That is the first thing I tried, as I didn't want to grant FC either.

# July 16, 2010 9:19 AM

Thomas Vuylsteke said:

I think you can achieve the same by just setting this in the Default Domain Controllers Policy (or, preferably, in your custom default DC policy).

The setting: "Enable computer and user accounts to be trusted for delegation" (by default BUILTIN\Administrators have this right); you could add your group/user.

Besides this right, all you need is "WP on the computer/user object to modify the msDS-AllowedToDelegateTo attribute". The whitepapers don't discuss it, but besides msDS-AllowedToDelegateTo, you might also require permissions to alter the "userAccountControl" attribute, depending on the type of delegation (Kerberos only / any authN protocol).

The permissions and required rights are explained in detail in the delegation whitepapers: www.microsoft.com/.../details.aspx and www.microsoft.com/.../details.aspx

# July 23, 2010 10:21 AM
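An added example, not code from the post or its commenters: a PowerShell check that ties the post's User Right to the attributes Thomas mentions. It lists who currently holds SeEnableDelegationPrivilege in the Default Domain Controllers Policy (read from the GPO's GptTmpl.inf in SYSVOL) and which accounts have msDS-AllowedToDelegateTo populated, flagging those whose userAccountControl carries the "any authentication protocol" bit. It assumes the RSAT ActiveDirectory and GroupPolicy modules and a user who can read AD and SYSVOL.

```powershell
# Added example (not from the post). Assumes RSAT ActiveDirectory + GroupPolicy modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-DelegationPrivilegeHolders {
    # The user right is stored in the DC policy's security template under SYSVOL,
    # in the [Privilege Rights] section as "SeEnableDelegationPrivilege = *SID,*SID".
    param([string]$GpoName = 'Default Domain Controllers Policy')
    $gpo    = Get-GPO -Name $GpoName
    $domain = (Get-ADDomain).DNSRoot
    $inf    = "\\$domain\SYSVOL\$domain\Policies\{$($gpo.Id)}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"
    $match  = Select-String -Path $inf -Pattern '^SeEnableDelegationPrivilege\s*=' | Select-Object -First 1
    if (-not $match) { return @() }            # right not defined in this GPO
    $entries = ($match.Line -split '=', 2)[1].Trim() -split ','
    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            # "*S-1-5-32-544"-style entries are SIDs; translate them to readable names
            $sid = New-Object System.Security.Principal.SecurityIdentifier($e.Substring(1))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $e }
        } else { $e }                           # plain account names are stored as-is
    }
}

function Get-ConstrainedDelegationAccounts {
    # Anything with msDS-AllowedToDelegateTo set. The userAccountControl bit
    # TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) marks "use any authentication protocol".
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
                 -Properties 'msDS-AllowedToDelegateTo', userAccountControl |
        ForEach-Object {
            [pscustomobject]@{
                Account     = $_.DistinguishedName
                Targets     = ($_.'msDS-AllowedToDelegateTo' -join '; ')
                AnyProtocol = [bool]($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            }
        }
}

"Holders of SeEnableDelegationPrivilege (per GPO):"
Get-DelegationPrivilegeHolders
"Accounts configured for constrained delegation:"
Get-ConstrainedDelegationAccounts | Format-Table -AutoSize
```

Run it before and after the ntrights step to confirm only the intended account gained the right, and periodically to see which accounts have delegation targets and protocol transition enabled.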