Delegate Kerberos Constrained Delegation..

Say "delegate" three times fast...

Here is a short post on Kerberos constrained delegation. If you arent familiar with what it is, see here

Here is the scenario. You have delegated an OU to an "OU admin" given him full control over all objects in the OU.

The OU contains servers and accounts you wish to use in constrained delegation.Since you have full control over all objects you would think that this is not an issue, after all the UI is really just a wrapper around a modification to the attribute "msDS-AllowedToDelegateTo" or A2D2 for short.


Here is the UI

However, in our scenario when you delegate the full control of the OU to a user - lets call him Mike. And then Mike tries to set constrained delegation  ( using the word "delegation" so much makes this whole sentence confusing perhaps )  - he will fail with the following error.



Whats going on here? The MMC  goes through  a buch of gyrations and eventually issues a ldap_modify_ext_s  to modify "msDS-AllowedToDelegateTo" with "cifs/SPAT2000"

Nothing odd here - but the ldap return is LDAP_INSUFFICIENT_RIGHTS which then is mapped to a win32 error - E_ACCESSDENIED


If you try the same operation ( modify the attribute as Mike) in ADSIedit  - we get a  better error:

A required privilege is not held by the client.

Much better than a generic "access is denied" - the actual error in code is ERROR_PRIVILEGE_NOT_HELD.

The solution is to grant the user the user right SeEnableDelegationPrivilege  - kinda makes sense when you think about it.



keyword: delegation kerberos constrained


Comments (3)

  1. BrianYx2 says:

    Where did you set "grant the user the user right SeEnableDelegationPrivilege?"

  2. SpatDSG says:

    I set the user right on the DC – for the user I delegated to.

    Member Server —> DC

    On the DC – delegate the OU  ( full control ) to an OU, for the user joe

    On the DC open cmd prompt and do:
    ntrights -u domainjoe +r SeEnableDelegationPrivilege

    Logon to the member server, with adminpak installed, open dsa.msc on the member server and perform the delegation.

  3. Last week, I spent an all-nighter troubleshooting a Kerberos issue for a MOSS installation. Although

Skip to main content