cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

Resource-based Kerberos constrained delegation is not working

kevinpekwk
Copper Contributor

‎Feb 04 2021 12:58 AM

‎Feb 04 2021 12:58 AM

Resource-based Kerberos constrained delegation is not working

Hi all,

 

I have attempted for a week to implement a second hop in powershell remoting by following this article.

Making the second hop in PowerShell Remoting - PowerShell | Microsoft Docs

 

I appears that this is a very easy configuration, however, i was unable to get it working. 

 

The second hop to the last server always fallbacks to NTLM, anonymous user instead of the computer object kerberos ticket.

 

What is going on?

 

Kevin

2,290 Views
0 Likes
1 Reply
Reply
1 Reply
best response confirmed by kevinpekwk (Copper Contributor)
kevinpekwk

‎Feb 08 2021 05:50 PM

‎Feb 08 2021 05:50 PM

Solution

Re: Resource-based Kerberos constrained delegation is not working

I was dumb. Wasted an entire week.

I was trying for Windows admin center SSO.

For any of you out there, Resource-based Kerberos constrained delegation is indeed as straight forward as it gets.

The KDC automatically enables it and it is intrinsic.

To troubleshoot, I have turned on everything in auditpol. Though apparently, you only need to monitor the logons and logoffs.

The NT Authority\Anonymous User using NTLM was logged in the security events which means that the delegation had failed.

I dug through with wireshark, Kerberos logging, all to no avail.

As a last resort, i created a brand new domain user account. Added it into the administrators group on both the frontend and the backend machine and voila.

A little probing identifies the root cause. I had checked this account is sensitive and cannot be delegated.

Thus, the hair-pulling mystery is solved.

0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by kevinpekwk (Copper Contributor)
kevinpekwk

‎Feb 08 2021 05:50 PM

‎Feb 08 2021 05:50 PM

Solution

Re: Resource-based Kerberos constrained delegation is not working

I was dumb. Wasted an entire week.

I was trying for Windows admin center SSO.

For any of you out there, Resource-based Kerberos constrained delegation is indeed as straight forward as it gets.

The KDC automatically enables it and it is intrinsic.

To troubleshoot, I have turned on everything in auditpol. Though apparently, you only need to monitor the logons and logoffs.

The NT Authority\Anonymous User using NTLM was logged in the security events which means that the delegation had failed.

I dug through with wireshark, Kerberos logging, all to no avail.

As a last resort, i created a brand new domain user account. Added it into the administrators group on both the frontend and the backend machine and voila.

A little probing identifies the root cause. I had checked this account is sensitive and cannot be delegated.

Thus, the hair-pulling mystery is solved.

View solution in original post

0 Likes
Reply