Allow Kerberos constrained delegation in a cross-domain setup

Allow the system user to do Kerberos constrained delegation in a cross-domain setup.

SPN registered to a service user

Procedure-related prerequisites

  • The previously described configuration steps have been carried out.
  • You need to run the commands with administrative permissions. Open PowerShell via Run as administrator.
  • You need to be logged in as a domain administrator on a domain controller.
  • Run the commands in the Active Directory domain where the Service user is a member of.

Example values

  • System user UPN: srv-airlock-kerberos@int.virtinc.com
  • Service user UPN: srv-webapp@sub.int.virtinc.com

Instruction

  • 1.
    Run the following commands:
copy
# Change these variables according to your environment
$SysUserUPN = "srv-airlock-kerberos@int.virtinc.com"
$SrvUserUPN = "srv-webapp@sub.int.virtinc.com"

 
# Determine the system user's principle
$DomainName     = $SysUserUPN.Remove(0,($SysUserUPN.IndexOf("@")+1))
$DomainDNSRoot  = (Get-ADDomain $DomainName).DNSRoot
$SysUserPrinc   = Get-ADUser -Filter { UserPrincipalName -Like $SysUserUPN } `
                       -Server $DomainDNSRoot


# Allow KCD for the $resource (service user)
$resource = Get-ADUser -Filter { UserPrincipalName -Like $SrvUserUPN } `
              -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
 $resource | Set-ADUser -PrincipalsAllowedToDelegateToAccount $SysUserPrinc
SPN registered to a machine account

Procedure-related prerequisites

  • The previously described configuration steps have been carried out.
  • You need to run the commands with administrative permissions. Open PowerShell via Run as administrator.
  • You need to be logged in as a domain administrator on a domain controller.
  • Run the commands in the Active Directory domain where the Server is a member of.

Example values

  • System user UPN: srv-airlock-kerberos@int.virtinc.com
  • Server (machine account): server1

Instruction

  • 1.
    Run the following commands:
copy
# Change these variables according to your environment
$SysUserUPN = "srv-airlock-kerberos@int.virtinc.com"
$Server     = "server1"

 
# Determine the system user's principle
$DomainName     = $SysUserUPN.Remove(0,($SysUserUPN.IndexOf("@")+1))
$DomainDNSRoot  = (Get-ADDomain $DomainName).DNSRoot
$SysUserPrinc   = Get-ADUser -Filter { UserPrincipalName -Like $SysUserUPN } `
                       -Server $DomainDNSRoot


# Allow KCD for the $resource (server)
$resource = Get-ADComputer -Filter { Name -Like $Server } `
              -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
 $resource | Set-ADComputer -PrincipalsAllowedToDelegateToAccount  $SysUserPrinc