Automatically Update Kerberos Constained Delegation

Kerberos Constained Delegation can allow you to grant service accounts access to specific services on objects.

For example, this configuration is required when using smart card authentication with Amazon WorkSpaces in AWS, which requires an AD Connector, which requires the AD Connector service account to have Kerberos Constained Delegation permissions for the LDAP service on domain controllers to allow mutual TLS authentication to succeed.

Kerberos Constained Delegation in this scenario, is specific to computer objects. Meaning, if that computer object the service account is granted access to is deleted, the Kerberos Constained Delegation settings on the service account will be outdated. This is especially important when you are using an AD environment like AWS Managed AD, which can automatically replace domain controllers and hence making the Kerberos Constained Delegation settings out of date when a DC is replaced.

When an AD Connector completes authentication, it will choose a domain controller based on a variety of factors, so the service account must have permissions to use the LDAP service on any of the potential DCs that auth may be completed against.

For this solution, we’ll use PowerShell. The first step to enable Kerberos Constained Delegation is setting an SPN on the service account (only needs to be done once):

$ServiceAccount = "ADConnectorSvc"
$UniqueSPNName = "my/spn"
setspn -s $UniqueSPNName $ServiceAccount

We then enable the service account as trusted to auth for delegation:

Set-ADAccountControl -Identity $ServiceAccount -TrustedForDelegation $false -TrustedToAuthForDelegation $true

Now, to dynamically pull every domain controller in the domain and grant the service account access to the LDAP service on each DC:

Get-ADDomainController -Filter * -Server (Get-ADDomain).DNSRoot | Select-Object -ExpandProperty Name | Get-ADComputer -Properties * | Select-Object -ExpandProperty ServicePrincipalNames | Where-Object {$_ -match "ldap"} | ForEach-Object { Set-ADUser -Identity $ServiceAccount -Add @{'msDS-AllowedToDelegateTo'=@("$")} }

When running this, it will automatically update the Kerberos Constained Delegation settings on the service account to ensure they are always accurate.

You can add this to a script to update the settings on a relevant timeline based on your preferences and environment.