Kerberos Constrained Delegation – Active Directory (Part 2 of 6)

Part of the fun for setting up Kerberos is getting all of the user accounts set up correctly.  In part one of the series, I described an example scenario.  Now we can look at the work needed to be done in Active Directory for this scenario.


After a user is created (I used domain user accounts in my example), we need to add the SPNs to the user accounts and delegate properly.  There are several tools to help us do this.

1.  SPN Commands

If you are comfortable setting up this type of security, just type in the SPNs yourself.  The definitive guide for this can be found at Microsoft SetSPN.  This is the recommended way to set up SPNs.

An example syntax of how to set a SPN:

  • setspn -a service/<computername>.<domainname>:<port> <domain-user-account>

Setting a SPN for one of our examples from Part 1:

  • setspn -a http/ domain\SSRSwebapp

SharePoint can have a complicated set of SPNs depending upon your particular setup.  To keep track of all of your SPNs, you can create a spreadsheet with all of the required data.  An example of a SharePoint setup (along with the SPNs needed) can be found at SPN Command Calculator for SetSPN.  I would encourage everyone to have documentation prior to attempting SPN setup.  Unfortunately, you have to track down various Microsoft web pages for the SPNs needed for your particular product.

For those of us that don’t feel comfortable typing in the SPN commands, there is another option.

2.  ADSI Edit

ADSI Edit can manage objects in Active Directory and is a snap-in.  After ADSI Edit is installed and started, go to one of the domain user accounts that you need to set up a SPN for.  In our example, you could go to (domainSSRSwebapp).  Go to the user account properties –> Attribute Editor tab –> and scroll down to the “servicePrincipalName” or SPN.  Then add the SPN values.  In my example it would be:

  • http/ServerSSRS
  • http/

Repeat this for all of the accounts necessary until all of the SPNs are entered (some SPNs require the port number as well).


Now go to Active Directory to Delegate and find one of the users.  Find the user (SSRSwebapp) from our example (SSRSwebapp delegates to SQLService).

Go to Properties –> Delegation Tab.  Select “Trust this user for delegation to specified services only” and then select “Use Kerberos only”.

Select Add, Users & Computers, and then add the user SQLService, Select All.  Then select OK, OK, … until you get back to the SSRSwebapp Properties window.

Select the Expanded checkbox and then OK.  Notice that the SPNs that you added for the SQLService should now show up in the SSRSwebapp properties box.


Repeat this for all of the necessary delegations and your done with the Active Directory setup.

Care must be taken so as not to assign a “Duplicate SPN”.  I will look at this more in a later part of the series.

This section of the series describes several options of how to set SPNs and how to Delegate (the basic Active Directory work).  In Part 1 of this series (Kerberos Constrained Delegation – Setup Tools are Needed), I described an example scenario and a tool requirements list that would be fantastic if it could be integrated into a single setup tool.  Next, I will describe IIS Setup.

FUTURESULTS, LLC Blog and FUTURESULTS, LLC Web Site are both created by Robert Lambrecht. Tags: , , , , , , , , , , , , , , , , , , , , ,
This entry was posted in Security and tagged , , , , , , , , , , , , , , , , , , , , , . Bookmark the permalink.

4 Responses to Kerberos Constrained Delegation – Active Directory (Part 2 of 6)

  1. Pingback: Kerberos Constrained Delegation – IIS Setup (Part 3 of 6) | FUTURESULTS, LLC Blog

  2. Pingback: Kerberos Constrained Delegation – Troubleshooting Tools (Part 5 of 6) | FUTURESULTS, LLC Blog

  3. Pingback: Kerberos Constrained Delegation – Wrap-up (Part 6 of 6) | FUTURESULTS, LLC Blog

  4. Pingback: 2010 in review | FUTURESULTS, LLC Blog

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s