Damon Villar
The super nitty gritty double-hop article is here:
https://docs.microsoft.com/en-us/archive/blogs/askds/understanding-kerberos-double-hop
The general MS doc that talks about using it in WAC is here:
https://docs.microsoft.com/en-us/windows-server/manage/windows-admin-center/configure/user-access-control#configure-single-sign-on
The script they have listed there works perfectly for a single server. To apply this to all servers, I use this one. If you want to apply this to only a few servers, you can specify them by uncommenting the second $servers line and commenting out the one that gets all Windows servers.
Since we have some DCs that aren't 2012, I've added a variable to specify a 2012 DC. If you don't need that, you can eliminate the $domainController line as well as the switch -Server $domainController in the Set-ADComputer line.
$wac = "wacservername" # Server that's running WAC (the gateway)
$servers = Get-ADComputer -Filter {OperatingSystem -Like "Windows Server*"} # every Windows Server computer object in the domain
# $servers = "server1", "server2", "server3" # or list only the servers you want
$domainController = "2012dcname" # force using a 2012 DC
$wacObject = Get-ADComputer -Identity $wac
foreach ($server in $servers)
{
    # $server can be an ADComputer object (from the filter) or a name string (from the manual list); -Identity accepts both
    $serverObject = Get-ADComputer -Identity $server
    # Sets msDS-AllowedToActOnBehalfOfOtherIdentity on the managed server (resource-based constrained delegation);
    # note this REPLACES any principals already listed on that attribute
    Set-ADComputer -Identity $serverObject -PrincipalsAllowedToDelegateToAccount $wacObject -Server $domainController
}
One thing to note: you need to do this BEFORE attempting to connect to the server using SSO, or else you'll run into a KDC cache issue. When the attempt to use SSO is made, a Kerberos ticket is granted. This ticket will not have the allow-to-delegate permission and will be invalid. The only options here are to either wait 15 minutes so it times out and another one is granted, or else manually purge the KDC cache with this command.
DISCLAIMER: I've never had to use this command before because I usually add delegation before attempting to connect, so I'm not sure if it works or not. You may need to tweak it.
Invoke-Command -ComputerName servername -ScriptBlock {
    # 0x3e7 is the logon ID of the Local System session, which holds the machine account's tickets
    klist purge -li 0x3e7
}
Finally, this delegation step needs to be performed for every new server added to WAC/the domain. There may be some automation that can be performed somehow, or hopefully this gets added into WAC in the future.
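The following is an added example (not part of the post above, and not Microsoft's script) that does the same delegation step as a reusable function, which is the shape you would want for running it on each newly added server. It differs from the script above in two practitioner-relevant ways: Set-ADComputer -PrincipalsAllowedToDelegateToAccount replaces the whole list, so the function reads the existing principals first and appends the WAC gateway rather than overwriting them, and it skips the gateway itself when it turns up in the filter results. It then reads the attribute back from the same DC to confirm the write landed. The names wacservername and 2012dcname are the placeholders from the post; the function name Grant-WacDelegation is an assumption of this example.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Grant-WacDelegation {
    param(
        [Parameter(Mandatory)] [string]   $Gateway,  # computer name of the WAC gateway
        [Parameter(Mandatory)] [string[]] $Targets,  # computer names that WAC should manage via SSO
        [string] $Server                             # optional DC to bind to (e.g. a 2012 DC)
    )

    # Splat -Server only when one was given, so the same calls work with or without it
    $adArgs = @{}
    if ($Server) { $adArgs['Server'] = $Server }

    $gatewayObject = Get-ADComputer -Identity $Gateway @adArgs
    $gatewayDn     = $gatewayObject.DistinguishedName

    foreach ($name in $Targets) {
        # The gateway does not need to delegate to itself; a domain-wide filter will include it
        if ($name -ieq $Gateway) { continue }

        $target = Get-ADComputer -Identity $name -Properties PrincipalsAllowedToDelegateToAccount @adArgs

        # Preserve anything already on msDS-AllowedToActOnBehalfOfOtherIdentity (other gateways,
        # cluster objects, etc.); Set-ADComputer replaces the list rather than appending to it.
        $current = @($target.PrincipalsAllowedToDelegateToAccount)
        if ($current -contains $gatewayDn) {
            Write-Verbose "$name already allows $Gateway to delegate; nothing to change"
            continue
        }
        $principals = @($current + $gatewayDn) | Select-Object -Unique

        Set-ADComputer -Identity $target -PrincipalsAllowedToDelegateToAccount $principals @adArgs

        # Read back from the same DC we wrote to, so the check is not fooled by replication lag
        $check = Get-ADComputer -Identity $name -Properties PrincipalsAllowedToDelegateToAccount @adArgs
        [pscustomobject]@{
            Computer   = $name
            Principals = @($check.PrincipalsAllowedToDelegateToAccount)
            GatewayOK  = (@($check.PrincipalsAllowedToDelegateToAccount) -contains $gatewayDn)
        }
    }
}

# Usage (placeholder names from the post; this modifies AD, so run it deliberately):
# $targets = (Get-ADComputer -Filter 'OperatingSystem -like "Windows Server*"').Name
# Grant-WacDelegation -Gateway 'wacservername' -Targets $targets -Server '2012dcname' -Verbose
```

Running it once a week (or from whatever provisions new servers) against the domain-wide filter is safe because already-configured servers are skipped, and a row with GatewayOK set to False tells you which server to look at before you try SSO and hit the cached-ticket problem described above.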