
It is a complex setup, which I want to explain first (if you don't care, just scroll to 5)):

1) Company has multiple Active Directory Forests, which are:

  • user.local --> here all user accounts are stored
  • server.local --> here all servers are stored
  • group.local --> new domain to which all clients, servers and users should be transferred. This domain has constrained delegation turned on

2) What is the issue:

We have multiple scripts where the members of an AD group are read via the PowerShell cmdlet Get-ADGroupMember -Server server.local -Identity Testgroup. All groups contain user objects from user.local (current user domain) and group.local (new user domain). Because of the group.local users the cmdlet fails with "an unexpected error occurred". This error happens because the group.local domain controller sends a KDC_ERR_BADOPTION (13) error when user.local asks for information about the user object.

3) The issue happens in this scenario:

  • user@user.local requests information about Testgroup@server.local on dc.server.local (asking from member server)

4) The issue DOES NOT happen in this scenario:

  • user@server.local requests information about Testgroup@server.local on dc.server.local (asking from member server)
  • user@user.local requests information about Testgroup@server.local on dc.server.local (asking from domain controller)

5) How to allow using a delegated ticket

In my understanding the issue is related to constrained delegation, because the issue does not happen if the cmdlet is executed on a domain controller. So the group.local DC does not allow server.local to authorize with the forwarded ticket.

But I found no option to allow member servers from a different forest to authenticate with forwardable tickets. I know that I can allow this for a computer object in the same forest via the Delegation tab: see screenshot

But how can I allow delegation for a foreign computer object?

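The enumeration described in the question, written so that it does not depend on a forwarded ticket at all. This is an added example, not code from the original post: Get-ADGroupMember lets the queried domain controller (dc.server.local) resolve each member in that member's home forest on the caller's behalf, and that second hop is where the KDC_ERR_BADOPTION is returned. Reading the raw member attribute and then resolving every DN directly from the caller's own session turns each lookup into a first hop. It assumes the ActiveDirectory module is installed on the member server, that the caller can read the group in server.local and the user objects in user.local and group.local, and that the forest names match the post; the function name Get-GroupMemberWithoutDelegation is my own.

```powershell
# Added example (not from the original post). Enumerates a group in server.local
# from a member server without relying on Kerberos ticket forwarding: every
# directory query is issued by the caller's own session, so no DC has to act on
# the caller's behalf in another forest.
#
# Assumptions: ActiveDirectory module present; the caller has read access in each
# forest; domain names as in the post (server.local, user.local, group.local).

Import-Module ActiveDirectory

function Get-GroupMemberWithoutDelegation {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $GroupDomain
    )

    # First hop: ask the group's own domain only for the DNs stored in 'member'.
    # Unlike Get-ADGroupMember, this does not make the DC chase cross-forest members.
    $group = Get-ADGroup -Identity $GroupName -Server $GroupDomain -Properties member

    foreach ($dn in $group.member) {
        try {
            # Members from a trusted forest are stored as foreignSecurityPrincipal
            # objects in the group's domain; the CN of such an object is the member's SID.
            if ($dn -match '^CN=(S-1-5-[0-9-]+),CN=ForeignSecurityPrincipals,') {
                $sid = $Matches[1]

                # Translate the SID locally (an LSA lookup over the trust, no ticket
                # forwarding) to learn which domain the account lives in.
                $ntAccount = (New-Object System.Security.Principal.SecurityIdentifier $sid).
                    Translate([System.Security.Principal.NTAccount]).Value
                $memberDomain = $ntAccount.Split('\')[0]   # NetBIOS domain name

                # Second query goes straight from this host to the member's home domain.
                $obj = Get-ADObject -Filter "objectSid -eq '$sid'" -Server $memberDomain `
                                    -Properties sAMAccountName, objectClass
            }
            else {
                # Same-forest member: derive its domain's DNS name from the DC= parts of the DN.
                $memberDomain = ((($dn -split ',') | Where-Object { $_ -like 'DC=*' }) -replace '^DC=', '') -join '.'
                $obj = Get-ADObject -Identity $dn -Server $memberDomain `
                                    -Properties sAMAccountName, objectClass
            }

            [pscustomobject]@{
                DistinguishedName = $dn
                Domain            = $memberDomain
                SamAccountName    = $obj.sAMAccountName
                ObjectClass       = $obj.objectClass
                Resolved          = $true
            }
        }
        catch {
            # Report the member that could not be resolved instead of aborting the
            # whole enumeration, which is what the original scripts ran into.
            [pscustomobject]@{
                DistinguishedName = $dn
                Domain            = $null
                SamAccountName    = $null
                ObjectClass       = $null
                Resolved          = $false
                Error             = $_.Exception.Message
            }
        }
    }
}

# Run from the member server as user@user.local (scenario 3 in the post).
Get-GroupMemberWithoutDelegation -GroupName 'Testgroup' -GroupDomain 'server.local' |
    Format-Table DistinguishedName, Domain, SamAccountName, ObjectClass, Resolved
```

This sidesteps the second hop rather than granting delegation, so it does not change which accounts may act on the user's behalf; the Resolved column makes it visible which forest a failing member comes from, which is the same information the KDC_ERR_BADOPTION trace gives, but per member. As general background on the delegation question itself: the Delegation tab on a computer object configures classic constrained delegation, which is scoped to the computer's own domain, whereas resource-based constrained delegation (configured on the target resource rather than on the calling computer) is the variant Microsoft documents as working across domain and forest trusts.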