Category: Kerberos

Windows 2008R2 features part VI: Managed Service Accounts – delegation

In a previous entry I’ve explained how you can run services under the new Managed  Service Account. Say now that we want to use this service account in combination with Kerberos and the account needs to be trusted for delegation. We set an SPN to it, but in the Active Directory Users and Computers, we seem to be unable to find the trusted for delegation option.. Let’s take a closer look at these accounts once they have been created, to do this we’ll be using ldp.exe

Read more

Kerberos multiple hops

You all remember the maximum 2 hops for Kerberos right.. well in Microsoft land it works a little different and it is possible to create a multiple tier Kerberos delegation structure.

 

Basically we want the following to happen:

 

Client->IIS1->IIS2->IIS3->IIS4 where all hops require Kerberos authentication

 

In this case, IIS1, IIS2 and IIS3 need to be trusted for delegation. In my test lab I’ve used (http://support.microsoft.com/kb/314404) for the setup..

  Read more

Kerberos PAC validation

 
basically, all Kerberos tickets in windows have a PAC (that holds all the groups of the identity). If the resource that is accessed is NOT running under system account (but user/service), the resource will issue a verification of the PAC at the nearest domain controller. That DC will verify the PAC load and will give the green light.