Allow Kerberos constrained delegation in a cross-domain setup
Allow the system user to do Kerberos constrained delegation in a cross-domain setup.
Apply the corresponding section depending on where the SPN has been registered:
- SPN registered to a service user: if the section "Register SPN for the service user" has been carried out.
- SPN registered to a machine account: if the section "Register SPN for the machine account" has been carried out.
SPN registered to a service user
Procedure-related prerequisites
- The previously described configuration steps have been carried out.
- You need to run the commands with administrative permissions. Open PowerShell via Run as administrator.
- You need to be logged in as a domain administrator on a domain controller.
- Run the commands in the Active Directory domain of which the service user is a member.
Example values
- System user UPN: srv-airlock-kerberos@int.virtinc.com
- Service user UPN: srv-webapp@sub.int.virtinc.com
Instruction
- Run the following commands:
# Change these variables according to your environment
$SysUserUPN = "srv-airlock-kerberos@int.virtinc.com"
$SrvUserUPN = "srv-webapp@sub.int.virtinc.com"

# Determine the system user's principal (looked up in the system user's own domain)
$DomainName = $SysUserUPN.Remove(0,($SysUserUPN.IndexOf("@")+1))
$DomainDNSRoot = (Get-ADDomain $DomainName).DNSRoot
$SysUserPrinc = Get-ADUser -Filter { UserPrincipalName -Like $SysUserUPN } `
    -Server $DomainDNSRoot

# Allow KCD for the $resource (service user): this writes the system user into the
# msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the service user (resource-based delegation)
$resource = Get-ADUser -Filter { UserPrincipalName -Like $SrvUserUPN } `
    -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
$resource | Set-ADUser -PrincipalsAllowedToDelegateToAccount $SysUserPrinc
SPN registered to a machine account
Procedure-related prerequisites
- The previously described configuration steps have been carried out.
- You need to run the commands with administrative permissions. Open PowerShell via Run as administrator.
- You need to be logged in as a domain administrator on a domain controller.
- Run the commands in the Active Directory domain of which the server is a member.
Example values
- System user UPN: srv-airlock-kerberos@int.virtinc.com
- Server (machine account): server1
Instruction
- Run the following commands:
# Change these variables according to your environment
$SysUserUPN = "srv-airlock-kerberos@int.virtinc.com"
$Server = "server1"

# Determine the system user's principal (looked up in the system user's own domain)
$DomainName = $SysUserUPN.Remove(0,($SysUserUPN.IndexOf("@")+1))
$DomainDNSRoot = (Get-ADDomain $DomainName).DNSRoot
$SysUserPrinc = Get-ADUser -Filter { UserPrincipalName -Like $SysUserUPN } `
    -Server $DomainDNSRoot

# Allow KCD for the $resource (server): this writes the system user into the
# msDS-AllowedToActOnBehalfOfOtherIdentity attribute of the machine account (resource-based delegation)
$resource = Get-ADComputer -Filter { Name -Like $Server } `
    -Properties msDS-AllowedToActOnBehalfOfOtherIdentity
$resource | Set-ADComputer -PrincipalsAllowedToDelegateToAccount $SysUserPrinc