Delegate Kerberos Constrained Delegation..

Say "delegate" three times fast...

Here is a short post on Kerberos constrained delegation. If you arent familiar with what it is, see here

Here is the scenario. You have delegated an OU to an "OU admin" given him full control over all objects in the OU.

The OU contains servers and accounts you wish to use in constrained delegation.Since you have full control over all objects you would think that this is not an issue, after all the UI is really just a wrapper around a modification to the attribute "msDS-AllowedToDelegateTo" or A2D2 for short.

 

Here is the UI

However, in our scenario when you delegate the full control of the OU to a user - lets call him Mike. And then Mike tries to set constrained delegation ( using the word "delegation" so much makes this whole sentence confusing perhaps ) - he will fail with the following error.

 

 

Whats going on here? The MMC goes through a buch of gyrations and eventually issues a ldap_modify_ext_s  to modify "msDS-AllowedToDelegateTo" with "cifs/SPAT2000"

Nothing odd here - but the ldap return is LDAP_INSUFFICIENT_RIGHTS which then is mapped to a win32 error - E_ACCESSDENIED

 

If you try the same operation ( modify the attribute as Mike) in ADSIedit - we get a better error:

A required privilege is not held by the client.

Much better than a generic "access is denied" - the actual error in code is ERROR_PRIVILEGE_NOT_HELD.

The solution is to grant the user the user right SeEnableDelegationPrivilege - kinda makes sense when you think about it.

spatdsg

 

keyword: delegation kerberos constrained