
We've worked through configuring AD constrained delegation for a service account in our domain, and we've gotten everything to work in principle. However, to do so we had to set up LDAP delegation to specific domain controllers. The downside of that approach for us is that if we introduce a new DC, we could possibly have a service outage if we fail to update our delegation to include the new DC. Is there a way to delegate to any/all DCs in the domain, or is it only possible to do one at a time?

– Abs

1 Answer


In all cases, Kerberos delegation configuration is a sensitive operation and should be done with caution, manually and by a trusted administrator. Because the SPN contains the name of the computer that offers a particular service, it's not possible to specify "all DCs" at once. That's because you cannot know in advance what the name of your next DC will be.

So I would suggest having SPN configuration steps added to your procedures for promoting DCs.

In fact, the Kerberos Constrained Delegation UI simply fills in the "msDS-AllowedToDelegateTo" attribute. So it would be easy to automate delegation with PowerShell, for example:

Import-Module ActiveDirectory

$userWithConstrainedDelegation = "put_username_here"
$domain = Get-ADDomain
$user = Get-ADUser $userWithConstrainedDelegation -Properties "msDS-AllowedToDelegateTo"

$spns = @()
$spnsToAdd = @()

#// Get all domain controllers in the current domain
Get-ADDomainController -Filter * | % {

    #// Construct SPNs (an example for ldap SPN): short name, FQDN and
    #// the three-part form that carries the domain's NetBIOS name
    $spns += "ldap/{0}" -f $_.Name
    $spns += "ldap/{0}" -f $_.HostName
    $spns += "ldap/{0}/{1}" -f $_.HostName, $domain.NetBIOSName

    #// Check if SPN should be added (skip the ones already delegated)
    foreach($service in $spns){
        if ($user.'msDS-AllowedToDelegateTo' -inotcontains $service){
            "ADDING: {0}" -f $service
            $spnsToAdd += $service
        }
    }

    $spns = @()

}

#// Add missing SPNs in one write to the attribute
if ($spnsToAdd.Count -gt 0){
    Set-ADObject $user -Add @{ "msDS-AllowedToDelegateTo" = $spnsToAdd }
}

NOTE: This script is for demo only! It is untested and may contain bugs. Test it in a lab before using it!

Again, this is a sensitive operation. If you choose automation, be sure to sign the PowerShell script to prevent tampering.

– iPath
  • Aw, you're just trying to sweet talk me with the PowerShell alternative. I appreciate that perspective, though. – Abs Aug 25 '15 at 18:28
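As an added example (not part of iPath's answer or the original post), a read-only drift check that fits the "add it to the DC promotion procedure" advice above: instead of constructing SPNs by hand, it reads the ldap/ SPNs actually registered on each DC's computer object and compares them with the account's msDS-AllowedToDelegateTo list, reporting DCs that are missing from the list and stale targets left behind by decommissioned DCs. The account name is a placeholder; the function name and its parameters are assumptions, not an AD cmdlet.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper (not an AD cmdlet): report delegation drift for one account.
function Get-DelegationDrift {
    param(
        [Parameter(Mandatory)] [string] $Identity,   # account holding msDS-AllowedToDelegateTo
        [string] $ServiceClass = 'ldap'              # service class to compare, e.g. ldap or cifs
    )

    $account = Get-ADUser -Identity $Identity -Properties 'msDS-AllowedToDelegateTo'
    $allowed = @($account.'msDS-AllowedToDelegateTo')

    # Read the SPNs registered on each DC's computer object rather than guessing them,
    # so the three-part and GUID-based forms are covered as well.
    $dcSpns = foreach ($dc in Get-ADDomainController -Filter *) {
        (Get-ADComputer -Identity $dc.ComputerObjectDN -Properties servicePrincipalName).servicePrincipalName |
            Where-Object { $_ -like "$ServiceClass/*" }
    }
    $dcSpns = @($dcSpns | Sort-Object -Unique)

    # Missing: a DC registers the SPN but the account may not delegate to it (new DC, script not run).
    # Stale: the account may delegate to an SPN that no current DC registers (decommissioned DC).
    $missing = @($dcSpns  | Where-Object { $allowed -inotcontains $_ })
    $stale   = @($allowed | Where-Object { $_ -like "$ServiceClass/*" -and $dcSpns -inotcontains $_ })

    [pscustomobject]@{
        Account = $account.SamAccountName
        Missing = $missing
        Stale   = $stale
    }
}

$report = Get-DelegationDrift -Identity 'put_username_here'   # placeholder account name
$report.Missing | ForEach-Object { "MISSING: $_" }
$report.Stale   | ForEach-Object { "STALE:   $_" }
```

Run it after each DC promotion or demotion; entries under STALE can then be dropped with Set-ADObject -Remove so the attribute only names DCs that still exist.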