Jorge's Quest For Knowledge!

All about Windows Server, ADDS, ADFS & FIM (It Is Just Like An Addiction, The More You Have, The More You Want To Have!)

(2013-10-21) Delegating The Configuration Of "Trusted For Delegation" In AD

Posted by Jorge on 2013-10-21


The constrained delegation extension allows a service to obtain service tickets (under the delegated user’s identity) to a restricted list of other services running on specific servers on the network after it has been presented with a service ticket, which may be a service ticket obtained through protocol transition. Constrained delegation provides a way for domain administrators to limit the network resources that a service trusted for delegation can access to a restricted list of network resources. This is accomplished by configuring the account under which the service is running to be trusted for delegation to a specific instance of a service running on a specific computer or to a set of specific instances of services running on specific computers.

-

When working with Kerberos Constrained Delegation (KCD), you need to configure Service Principal Names (SPNs), configure the "trusted for delegation" flag, choose the authentication protocols used and configure the services on the servers to which the account is allowed to delegate. If you as an engineer want to hand this over to an operational admin, you need to configure the corresponding permissions in AD. This blog post will help you understand the delegations needed for each of these tasks. Depending on the environment, you may need to configure the delegated permissions for different (groups of) administrators that each manage a different scope of objects in AD. In that case you need to repeat the delegation configuration for every set of scoped objects. In this blog post the assumption is made that the "Active Directory Users And Computers" (ADUC) MMC is used, and that permissions are configured at OU level so that they are inherited by the accounts in that OU. Although this applies to both targeted computer and user accounts, in this blog post I'm focusing on user accounts.

-

To be able to configure Kerberos (Constrained) Delegation, you must first configure at least one Service Principal Name (SPN) on the account for which delegation is being configured. However, to be able to configure a Service Principal Name you need to have at least "Allow:Read" and "Allow:Write" permissions for the "servicePrincipalName" attribute on the account.

To configure those permissions you can use the following command:

DSACLS "<Distinguished Name of OU>" /G "<Group Or User Account>:RPWP;servicePrincipalName;user" /I:S

(e.g. DSACLS "OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB" /G "ADCORP\ADM_R1_00:RPWP;servicePrincipalName;user" /I:S)

After the permissions have been configured you can configure an SPN through the Attribute Editor in ADUC or through some other tool such as SETSPN.

As soon as you have done that, the Delegation TAB will appear as shown below.

Figure 1: The Delegation TAB After Configuring A Service Principal Name

-

As you can see in figure 1, there are 4 options you can configure:

  1. Trust This User For Delegation To Any Service (Kerberos Only)
  2. Trust This User For Delegation To Specified Services Only – Use Kerberos Only
  3. Trust This User For Delegation To Specified Services Only – Use Any Authentication Protocol
  4. Do Not Trust This User For Delegation

-

[1]

To configure the option "Trust This User For Delegation To Any Service (Kerberos Only)", you must enable the bit called "TRUSTED_FOR_DELEGATION" on the "userAccountControl" attribute. That bit has the decimal value "524288" or hexadecimal value "0x80000" and must be OR-ed into (not simply added to) whatever value is already configured for the "userAccountControl" attribute.

So, you need to have at least "Allow:Read" and "Allow:Write" permissions for the "userAccountControl" attribute on the account.

To configure those permissions you can use the following command:

DSACLS "<Distinguished Name of OU>" /G "<Group Or User Account>:RPWP;userAccountControl;user" /I:S

(e.g. DSACLS "OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB" /G "ADCORP\ADM_R1_00:RPWP;userAccountControl;user" /I:S)

Be aware though, that after the permissions have been configured, the delegated admin can configure (enable/disable) ANY of the bits available on the "userAccountControl" attribute, for example ACCOUNTDISABLE, PASSWD_NOTREQD or DONT_REQ_PREAUTH, which has security implications well beyond delegation. To be as accurate as possible, there are a few exceptions to this statement. One of those exceptions can be read in the following blog post: (2008-05-20) Denying The Change Of Password Related Bits On User Objects. The list of userAccountControl bits can be found in the KB article How to use the UserAccountControl flags to manipulate user account properties.

There is yet another exception to that statement. If you only configure the permissions for the "userAccountControl" attribute as mentioned above AND you try to configure the option "Trust This User For Delegation To Any Service (Kerberos Only)", you will see the following error. On other operating system versions the error message may look slightly different.

Figure 2: Access Denied When Configuring The Option "Trust This User For Delegation To Any Service (Kerberos Only)"

-

The reason for this access denied is that the admin account lacks an important user right on the DCs. The user right that must be granted to the (group of) admin accounts on all writable DCs is called "Enable computer and user accounts to be trusted for delegation" (SeEnableDelegationPrivilege). The check is performed by the DC that processes the write, which is why the user right must be held on the DCs and not on the admin's workstation.

The explanation of that User Right reads:

This security setting determines which users can set the Trusted for Delegation setting on a user or computer object.

The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set.

So as soon as you grant that user right in addition, you will be able to configure the option "Trust This User For Delegation To Any Service (Kerberos Only)".

-

[2] and [3]

To configure the option "Trust This User For Delegation To Specified Services Only – Use Kerberos Only" OR the option "Trust This User For Delegation To Specified Services Only – Use Any Authentication Protocol", you must also list the specific services on specific servers to which the account may delegate. That list of services (SPNs) is stored in the "msDS-AllowedToDelegateTo" attribute.

So, you need to have "Allow:Read" and "Allow:Write" permissions for the "msDS-AllowedToDelegateTo" attribute on the account.

To configure those permissions you can use the following command:

DSACLS "<Distinguished Name of OU>" /G "<Group Or User Account>:RPWP;msDS-AllowedToDelegateTo;user" /I:S

(e.g. DSACLS "OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB" /G "ADCORP\ADM_R1_00:RPWP;msDS-AllowedToDelegateTo;user" /I:S)

To configure the option "Trust This User For Delegation To Specified Services Only – Use Any Authentication Protocol", you must additionally enable the bit called "TRUSTED_TO_AUTH_FOR_DELEGATION" (also written as "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION") on the "userAccountControl" attribute. That bit has the decimal value "16777216" or hexadecimal value "0x1000000" and must be OR-ed into whatever value is already configured for the "userAccountControl" attribute. This bit enables protocol transition (the service can obtain a service ticket on behalf of a user who did not authenticate to it with Kerberos), so it deserves extra scrutiny when you delegate its configuration.

So, you need to have "Allow:Read" and "Allow:Write" permissions for the "userAccountControl" attribute on the account.

To configure those permissions you can use the following command:

DSACLS "<Distinguished Name of OU>" /G "<Group Or User Account>:RPWP;userAccountControl;user" /I:S

(e.g. DSACLS "OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB" /G "ADCORP\ADM_R1_00:RPWP;userAccountControl;user" /I:S)

To configure the option "Trust This User For Delegation To Specified Services Only – Use Kerberos Only", you do not need to enable any bit on the "userAccountControl" attribute. However, you still require the "Allow:Read" and "Allow:Write" permissions for the "userAccountControl" attribute on the account.
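The two bits explained above (TRUSTED_FOR_DELEGATION for option [1] and TRUSTED_TO_AUTH_FOR_DELEGATION for option [3]) are written with the same kind of operation. The following PowerShell is an added example and not code from the original post: it reads the current "userAccountControl" value, sets or clears one bit with bitwise operations (OR-ing in a bit that is already set is harmless, whereas adding the decimal value a second time corrupts the attribute), and reports which of the four options an account is effectively in. The account name svc-web01 and the SPN MSSQLSvc/sql01.adcorp.lab:1433 are hypothetical; it assumes the ActiveDirectory module is available and that it runs as an admin who holds the attribute permissions and the user right described in this post.

```powershell
# Added example, not part of the original post. Hypothetical account and SPN.
Import-Module ActiveDirectory

# Bit values from the KB article the post refers to.
$UAC = @{
    TRUSTED_FOR_DELEGATION         = 0x00080000   # option [1], decimal 524288
    NOT_DELEGATED                  = 0x00100000   # "Account is sensitive and cannot be delegated"
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000   # option [3], decimal 16777216
}

# Report the delegation option an account is effectively configured for.
function Get-DelegationState {
    param([Parameter(Mandatory)][string]$Identity)
    $u   = Get-ADUser -Identity $Identity -Properties userAccountControl, servicePrincipalName, 'msDS-AllowedToDelegateTo'
    $uac = [int]$u.userAccountControl
    $targets = @($u.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
    $mode = if ($uac -band $UAC.TRUSTED_FOR_DELEGATION) { '[1] any service (unconstrained)' }
            elseif ($targets.Count -gt 0 -and ($uac -band $UAC.TRUSTED_TO_AUTH_FOR_DELEGATION)) { '[3] specified services, any protocol' }
            elseif ($targets.Count -gt 0) { '[2] specified services, Kerberos only' }
            else { '[4] not trusted for delegation' }
    [pscustomobject]@{
        Account             = $u.SamAccountName
        userAccountControl  = ('0x{0:X8}' -f $uac)
        HasSPN              = (@($u.servicePrincipalName | Where-Object { $_ }).Count -gt 0)
        DelegationOption    = $mode
        AllowedToDelegateTo = $targets
        CannotBeDelegated   = [bool]($uac -band $UAC.NOT_DELEGATED)
    }
}

# Set or clear exactly one bit, leaving every other bit untouched.
function Set-UacBit {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][int]$Bit,
        [Parameter(Mandatory)][bool]$Enable
    )
    $u   = Get-ADUser -Identity $Identity -Properties userAccountControl
    $old = [int]$u.userAccountControl
    $new = if ($Enable) { $old -bor $Bit } else { $old -band (-bnot $Bit) }
    if ($new -eq $old) { return }   # idempotent: nothing to write
    # The DC rejects this write with access denied unless the caller also holds
    # SeEnableDelegationPrivilege on that DC (the error in figure 2 of the post).
    Set-ADUser -Identity $Identity -Replace @{ userAccountControl = $new }
}

# Option [1]: unconstrained delegation (Kerberos only).
Set-UacBit -Identity 'svc-web01' -Bit $UAC.TRUSTED_FOR_DELEGATION -Enable $true

# Option [3]: constrained delegation with protocol transition to one SQL instance.
# Writing msDS-AllowedToDelegateTo also requires the user right on the DC.
Set-UacBit -Identity 'svc-web01' -Bit $UAC.TRUSTED_FOR_DELEGATION -Enable $false
Set-ADUser -Identity 'svc-web01' -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql01.adcorp.lab:1433' }
Set-UacBit -Identity 'svc-web01' -Bit $UAC.TRUSTED_TO_AUTH_FOR_DELEGATION -Enable $true

Get-DelegationState -Identity 'svc-web01' | Format-List
```

Set-ADAccountControl -TrustedForDelegation and -TrustedToAuthForDelegation perform the same bit manipulation for you; the explicit version is shown here because this post is about what the DC actually sees being written, and the same access denied applies to the cmdlet.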

As mentioned earlier, be aware that with these permissions the delegated admin can configure (enable/disable) ANY of the bits available on the "userAccountControl" attribute, with the few exceptions noted under option [1].

There is yet another exception to that statement. If you only configure the permissions for the "userAccountControl" attribute as mentioned above AND you try to configure the option "Trust This User For Delegation To Specified Services Only – Use Kerberos Only" OR the option "Trust This User For Delegation To Specified Services Only – Use Any Authentication Protocol", you will see the following error. On other operating system versions the error message may look slightly different.

Figure 3: Access Denied When Configuring The Option "Trust This User For Delegation To Specified Services Only – Use Kerberos Only" OR the option "Trust This User For Delegation To Specified Services Only – Use Any Authentication Protocol"

-

The reason for this access denied is the same as for option [1]: the admin account lacks the user right "Enable computer and user accounts to be trusted for delegation" (SeEnableDelegationPrivilege) on the writable DCs. The DC requires this user right not only to set the delegation bits on "userAccountControl" but also to write the "msDS-AllowedToDelegateTo" attribute, which is why option [2] needs it even though no bit is set for that option.

So as soon as you grant that user right in addition, you will be able to configure the option "Trust This User For Delegation To Specified Services Only – Use Kerberos Only" OR the option "Trust This User For Delegation To Specified Services Only – Use Any Authentication Protocol".

-

[4]

To configure the option "Do Not Trust This User For Delegation", you need write access to the same attributes as for options [1], [2] and [3], because you need to remove the configured information: clear the delegation bits on "userAccountControl" and remove the entries from "msDS-AllowedToDelegateTo".

-

In summary, to be able to delegate the configuration of "Trusted For Delegation" you need at least the following permissions and user rights. Note that the attribute permissions alone are not enough: without the user right, the DC rejects the write with the access denied shown in figures 2 and 3.

  • "Allow:Read" and "Allow:Write" permissions for the "servicePrincipalName" attribute on the account
  • "Allow:Read" and "Allow:Write" permissions for the "userAccountControl" attribute on the account
  • "Allow:Read" and "Allow:Write" permissions for the "msDS-AllowedToDelegateTo" attribute on the account
  • User Right "Enable computer and user accounts to be trusted for delegation" (SeEnableDelegationPrivilege) on all writable DCs, typically assigned through a GPO linked to the Domain Controllers OU
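As an added example that is not part of the original post, the following PowerShell script performs the three DSACLS grants from this summary on one OU, verifies the resulting ACEs by reading the OU's DACL, and checks whether the delegated group actually holds SeEnableDelegationPrivilege on the DC it runs on. The OU, the domain and the trustee ADCORP\ADM_R1_00 (assumed here to be a group) are the hypothetical names used throughout this post; it assumes the ActiveDirectory module (RSAT) and that it runs as a Domain Admin on a writable DC.

```powershell
# Added example, not part of the original post: delegate the three attribute
# permissions on an OU, verify the resulting ACEs, and check the user right.
# Hypothetical names: the OU, domain and group are the ones used in the post;
# ADM_R1_00 is assumed to be a group. Run as a Domain Admin on a writable DC.
Import-Module ActiveDirectory

$OU      = 'OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB'
$Trustee = 'ADCORP\ADM_R1_00'
$Attrs   = 'servicePrincipalName', 'userAccountControl', 'msDS-AllowedToDelegateTo'

# Step 1: grant Read Property + Write Property on each attribute. /I:S makes the
# ACE apply to sub-objects only and ';user' limits it to user objects, so the
# OU itself and e.g. computer objects in it are not affected.
foreach ($a in $Attrs) {
    & dsacls.exe $OU /G "${Trustee}:RPWP;$a;user" /I:S | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed while granting $a" }
}

# Step 2: resolve each attribute's schemaIDGUID from the schema so the ACEs can
# be matched without hard-coding GUIDs.
function Get-AttributeSchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Attribute $LdapDisplayName not found in schema" }
    return [guid]$obj.schemaIDGUID
}

# Step 3: read the OU's DACL and confirm an Allow ACE carrying WriteProperty
# exists for the trustee on each of the three attributes.
$acl = Get-Acl -Path "AD:\$OU"
foreach ($a in $Attrs) {
    $guid = Get-AttributeSchemaGuid -LdapDisplayName $a
    $ace  = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Trustee -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $guid -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    }
    $state = if ($ace) { "OK ($($ace.ActiveDirectoryRights), $($ace.InheritanceType))" } else { 'MISSING' }
    '{0,-26} {1}' -f $a, $state
}

# Step 4: dsacls cannot grant the user right; it comes from GPO applied to the
# DCs. Export the effective local policy of this DC and look for the group's
# SID in the SeEnableDelegationPrivilege line. Repeat this on every writable DC.
$inf = Join-Path $env:TEMP 'user_rights.inf'
& secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$sid  = (Get-ADGroup -Identity $Trustee.Split('\')[1]).SID.Value
$line = Get-Content -Path $inf -Encoding Unicode |
        Where-Object { $_ -like 'SeEnableDelegationPrivilege*' } |
        Select-Object -First 1
Remove-Item $inf -ErrorAction SilentlyContinue
if ($line -and ($line -match [regex]::Escape("*$sid"))) {
    "SeEnableDelegationPrivilege: granted to $Trustee on $env:COMPUTERNAME"
} else {
    "SeEnableDelegationPrivilege: NOT granted to $Trustee on $env:COMPUTERNAME; assign it via GPO on the Domain Controllers OU"
}
```

The user right itself is assigned under Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment in a GPO linked to the Domain Controllers OU (for example the Default Domain Controllers Policy). Run the last step on every writable DC: a write that lands on a DC where the right is missing still fails with the access denied from figures 2 and 3, even if the other DCs have it.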

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
