Is There a Limit to msDS-AllowedToDelegateTo

For those of you who need to set up Kerberos constrained delegation for Group Managed Service Accounts (gMSAs), you will likely become familiar with msDS-AllowedToDelegateTo. This attribute stores the list of SPNs a service account is allowed to delegate to: when the service requests a ticket on behalf of a user for a back-end service, the target SPN must be in this list.

In my previous post on setting up Kerberos constrained delegation, I walked you through how we used it to overcome the authentication double-hop issue. In that example, we needed to define which SQL Server instances the PowerBI Report Server account was allowed to delegate to. The command below demonstrates how we did that.

Set-ADServiceAccount -Identity CORELLIABI1$ -Add @{'msDS-AllowedToDelegateTo'='MSSQLSvc/deathstar.govlab.corp:SQL2019','MSSQLSvc/deathstar.govlab.corp:11004'}

Since this is a PowerBI Report Server, we may have hundreds of reports deployed, and each report may have multiple data sources, each pointing at a different SQL Server instance. So there may be a need to add hundreds of SPNs to msDS-AllowedToDelegateTo.

This got me wondering: is there a limit to the number of values we can store in msDS-AllowedToDelegateTo? The answer is yes, there is a limit.

Active Directory stores the values of msDS-AllowedToDelegateTo as non-linked attribute values. According to the documentation…

The Active Directory database stores non-linked attribute values in a linked directory that has to fit on a database page. This results in a maximum limit of non-linked attribute values of approximately 1300 entries for an object that carries only this attribute. In real-world deployments, errors begin to occur when reaching approximately 1200 attribute values.

Active Directory Maximum Limits Scalability Capacity | Microsoft Docs

A limit of 1200 in “real-world” deployments still sounds like a lot. In my own lab, I was able to get about 1000 entries before running into errors. Even if you put two SPN entries for each SQL Server (one with the instance name and one with the port number), that’s still 500 unique instances. Keep in mind that the documented figure is for an object that carries only this attribute; the other non-linked attributes populated on the same account share the same database record, so the real headroom is somewhat lower.

I have yet to work with a customer who hit this limit, but it is still possible. If you think you may run into this limit, you should consider “Resource-based Kerberos constrained delegation”, where the delegation is configured on each back-end resource rather than accumulated on the front-end account. I will cover that option in a future post.
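The following script is an added example and is not from the original post. It combines the Set-ADServiceAccount command shown above with a check against the documented practical limit: it reads the current msDS-AllowedToDelegateTo list, drops SPNs that are already present (adding a duplicate value to a multi-valued attribute fails), refuses to write if the result would cross a configurable soft limit, and then verifies the new count. The account name comes from the post; the additional hoth.govlab.corp SPNs and the 1200 soft limit are assumptions for illustration.

```powershell
# Added example, not code from the original post.
# Assumes the ActiveDirectory module is installed and the caller can write to the gMSA.
param(
    [string]$Identity  = 'CORELLIABI1$',              # gMSA from the post
    [string[]]$NewSpns = @(
        'MSSQLSvc/deathstar.govlab.corp:SQL2019',     # SPNs from the post
        'MSSQLSvc/deathstar.govlab.corp:11004',
        'MSSQLSvc/hoth.govlab.corp:SQL2019',          # hypothetical extra instance
        'MSSQLSvc/hoth.govlab.corp:11005'
    ),
    [int]$SoftLimit = 1200    # assumed: where Microsoft says errors begin in real deployments
)

Import-Module ActiveDirectory

# The attribute is only returned when explicitly requested.
$acct    = Get-ADServiceAccount -Identity $Identity -Properties 'msDS-AllowedToDelegateTo'
$current = @($acct.'msDS-AllowedToDelegateTo')
Write-Host ("{0} currently has {1} delegation targets" -f $Identity, $current.Count)

# Only add SPNs that are not already present; adding an existing value errors out.
$toAdd = @($NewSpns | Where-Object { $current -notcontains $_ } | Sort-Object -Unique)
if ($toAdd.Count -eq 0) {
    Write-Host 'Nothing new to add.'
    return
}

# Stop before the write if the projected size would cross the soft limit.
$projected = $current.Count + $toAdd.Count
if ($projected -gt $SoftLimit) {
    throw ("Refusing to add {0} SPNs: {1} values would exceed the soft limit of {2}. " +
           "Consider resource-based constrained delegation instead.") -f $toAdd.Count, $projected, $SoftLimit
}

# -Add appends to the multi-valued attribute; -Replace would overwrite the whole list.
Set-ADServiceAccount -Identity $Identity -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$toAdd }

# Re-read to confirm the write took effect.
$after = @((Get-ADServiceAccount -Identity $Identity -Properties 'msDS-AllowedToDelegateTo').'msDS-AllowedToDelegateTo')
Write-Host ("{0} now has {1} delegation targets" -f $Identity, $after.Count)
```

Run it from an elevated PowerShell session with the RSAT Active Directory module loaded. The soft-limit check is deliberately conservative: the 1200 figure is for an object that carries only this attribute, so lower it if the account has many other populated attributes. Also keep the list to the SPNs the report server actually needs, since each entry is a service the account is permitted to impersonate users to.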

Additional reference:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc772829(v=ws.10)#maximum-database-record-size

https://docs.microsoft.com/en-us/windows/win32/adschema/a-msds-allowedtodelegateto
