
I'm looking to implement Resource Based Constrained Delegation in C++, which is new to Windows Server 2012.

Edit: Code for an IIS module that does this would also be great.

Rather than being the classic KCD where an account is allowed to delegate to a specific SPN, here accounts can be permitted to delegate to any programs being run by a specific user account. Permission is granted by modifying the "-PrincipalsAllowedToDelegateToAccount" property of the user running the service being delegated to.

See this for more info: Resource Based Constrained Delegation

Can anyone provide me with code samples that implement this or useful resources?

Even references to commercial products that use this new feature could be useful.

Thanks,

Dave

Meir
  • @BЈовић, about highly sophisticated network stuff. – Michael-O Oct 20 '14 at 11:35
  • @Dave, have you already read: http://msdn.microsoft.com/en-us/magazine/cc188757.aspx – Michael-O Oct 20 '14 at 11:36
  • @Michael-O I have, but it's really old and doesn't refer to the new features in Win 2012. I have code that does what is described more or less in the article you mentioned. What I'm trying to do now is create similar code that will allow me to use KCD across domains with a one way trust. – Meir Oct 20 '14 at 11:41
  • @Dave, I was always having trouble finding viable documentation/examples from Microsoft. I have given up. Too badly documented. – Michael-O Oct 20 '14 at 11:42

1 Answer


To configure a resource service to allow a front-end service access on behalf of users, use Windows PowerShell cmdlets.

  • To retrieve a list of principals, use the Get-ADComputer, Get-ADServiceAccount, and Get-ADUser cmdlets with the -Properties PrincipalsAllowedToDelegateToAccount parameter.

  • To configure the resource service, use the New-ADComputer, New-ADServiceAccount, New-ADUser, Set-ADComputer, Set-ADServiceAccount, and Set-ADUser cmdlets with the -PrincipalsAllowedToDelegateToAccount parameter.

Navnish Bhardwaj
  • For implementation information about these extensions, see [MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol Specification in MSDN. For more information about the basic message sequence for Kerberos delegation with a forwarded ticket-granting ticket (TGT) as compared to Service for User (S4U) extensions, see section 1.3.3 Protocol Overview in the [MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol Specification. – Navnish Bhardwaj Nov 03 '14 at 06:25
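The configuration the answer describes, as an added PowerShell example that is not from the answer or from Microsoft: it grants a resource-based constrained delegation entry on the resource (back-end) account, reads it back, and enumerates every account in the domain that currently grants RBCD so unexpected grants can be reviewed. The account names WEB-FE and SQL-BE are constructed placeholders; the script assumes the ActiveDirectory module and a 2012-level domain.

```powershell
# Added example (not from the question or answer). Assumed, constructed names:
# WEB-FE = computer account running the front-end service,
# SQL-BE = computer account running the resource service being delegated to.
Import-Module ActiveDirectory

$frontEnd = 'WEB-FE'   # assumption: front-end service account
$resource = 'SQL-BE'   # assumption: resource (back-end) service account

# RBCD is set on the *resource* account: it lists which principals may obtain
# service tickets to it on behalf of users. Nothing is changed on the front end.
$principal = Get-ADComputer -Identity $frontEnd
Set-ADComputer -Identity $resource -PrincipalsAllowedToDelegateToAccount $principal

# Read it back. The property is resolved from the security descriptor stored in
# msDS-AllowedToActOnBehalfOfOtherIdentity and is returned as principal DNs.
$cfg = Get-ADComputer -Identity $resource -Properties PrincipalsAllowedToDelegateToAccount
$cfg.PrincipalsAllowedToDelegateToAccount   # expected: the DN of WEB-FE

# Audit helper: every computer, user and service account that grants RBCD,
# with the principals allowed to delegate to it.
function Get-RbcdGrants {
    $sets = @(
        (Get-ADComputer       -Filter * -Properties PrincipalsAllowedToDelegateToAccount),
        (Get-ADUser           -Filter * -Properties PrincipalsAllowedToDelegateToAccount),
        (Get-ADServiceAccount -Filter * -Properties PrincipalsAllowedToDelegateToAccount)
    )
    foreach ($set in $sets) {
        foreach ($obj in $set) {
            if ($obj.PrincipalsAllowedToDelegateToAccount) {
                [pscustomobject]@{
                    Resource    = $obj.DistinguishedName
                    AllowedFrom = ($obj.PrincipalsAllowedToDelegateToAccount -join '; ')
                }
            }
        }
    }
}
Get-RbcdGrants | Format-Table -AutoSize

# Revoking the grant clears the property on the resource account:
# Set-ADComputer -Identity $resource -PrincipalsAllowedToDelegateToAccount $null
```

Run the audit function from a scheduled job and diff its output against a known baseline; any new entry in AllowedFrom is a change in who can impersonate users to that resource.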