Blog Post

Microsoft Entra Blog
2 MIN READ

Kerberos Constrained Delegation, FE and BE Servers Must Be In Same Domain

Alex Simons (AZURE)'s avatar
Sep 07, 2018
First published on CloudBlogs on Oct, 24 2007

This has come up several times, and I suspect will continue to do so occasionally.   So I thought I’d post about this real quick in order to get the word out and also make sure that I don’t give the wrong answer on this to someone again (I forgot, gave the wrong answer to someone and feel a little guilty).

More and more of our customers are using Kerberos constrained delegation.   Constrained delegation is where you limit the server and/or services that a middle tier server can delegate to.    The goal being a limitation of the possible usage of credentials in the event of the middle tier is compromised somehow.  This all fits in with the principle of least privilege, a security mainstay that essentially states that you are most secure when you routinely provide only the minimum rights or permissions needed to get a task done.

The part in particular which I am posting about it where your middle tier and back end accounts may be, domain wise.  What happens if they are not?  Well, the delegation will fail.  Here’s an lsass.log entry (go to this post to find out how to enable that) from the middle tier (also known as front end, last server is also known as back end) server of the failure:

408.2656> Kerb-Warn: SpInitLsaModeContext failed to get outbound ticket, KerbGetServiceTicketByS4UProxy failed 0xc000040b

…and when we use ERR.EXE to parse it out:

C:Usersyeahright>err 0xc000040b

# for hex 0xc000040b / decimal -1073740789 :

STATUS_CROSSREALM_DELEGATION_FAILURE                          ntstatus.h

# An attempt was made by this server to make a Kerberos

# constrained delegation request for a target

# outside of the server's realm.  This is not supported, and

# indicates a misconfiguration on this

# server's allowed to delegate to list.  Please contact your

# administrator.

# 1 matches found for "0xc000040b"

So, to recap, in a  delegation scenario where the computers/identities below are involved :

1- IE client

2- IIS server (front end)

3- SQL server (back end)

The identity of the IIS server (both the computer account as well as the account the service in the app pool is running under) and the identity of the SQL server (and its service account) must be in accounts in the same domain.

*Note: The servers may be different services on front and back end, IIS and SQL were simply used as an example.

**Note: Domain=realm.

***Note: Identity=account

I feel so much better now that I've posted this.  I have a feeling it will be as good as aspirin in alleviating some headaches out there.

Published Sep 07, 2018
Version 1.0
  • RossUA's avatar
    RossUA
    Brass Contributor

    Got the message on screenshot below in Wireshark, leading to the same error code when troubleshooting Kerberos Constraint Delegation. This post is the only good article that answers why this is not working. A bit sad, as several people here spent quite a few hours on this issue. But now we know. Thanks a lot for a simple explanation!

    KRB5 220 KRB Error: KRB5KDC_ERR_POLICY NT Status: Unknown error code 0xc000040b

  • RossUA's avatar
    RossUA
    Brass Contributor

    And of course it would be useful to mention that in order to make it working, since Server 2012 there is a feature available, which I discovered today, to my greatest shame: "Resource-based Constrained Delegation".

    Instead of configuring constrained delegation to the resource, you need to configure it on the target system by utilizing Powershell command:

    Set-AdUser <targetServer> –PrincipalsAllowedToDelegateToAccount $(server in the middle)

     

    And if still doesn't work - make sure you remove resources from a list of "classic" Constraint Delegation list in AD.

     

    Useful articles:

    https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/ps-remoting-second-hop?view=powershell-7.1

    https://www.mssqltips.com/sqlservertip/6485/resource-based-kerberos-constrained-delegation/