February 2022

Is There a Limit to msDS-AllowedToDelegateTo

For those of you who need to set up Kerberos constrained delegation for Group Managed Service Accounts, you will likely become more familiar with msDS-AllowedToDelegateTo. This attribute stores the list of SPNs that a service is allowed to obtain tickets for when performing constrained delegation. In my previous post on setting up Kerberos constrained delegation, I walked you through how we used it to overcome the authentication double hop issue. In that example, we needed to define which SQL Servers the PowerBI Report Server was able to delegate permissions to. The command below demonstrates how we did...


Setup Kerberos Constrained Delegation for Group Managed Service Accounts

Kerberos delegation is not a new concept in Active Directory; however, setting it up for Group Managed Service Accounts (gMSA) can be a bit confusing. Unlike normal domain accounts, gMSAs do not have a GUI for configuring delegation. Those configurations will need to be handled through PowerShell. A common use for Kerberos delegation is to solve the authentication double hop. For example, a user accesses a report which is configured to use a remote data source. That’s one hop from the user’s workstation to the webserver and then a second hop from the webserver to the data source. Our environment...
