Bagikan melalui

Delegation tab in ADUC not available until a SPN is set

  • Artikel

Today when we were configuring Kerberos we become a bit confused when we were going to enable the service accounts for delegation. In our experience there is a Delegation tab in the Properties dialog for the User object in Active Directory Users and Computers (ADCU). But this time when we looked at the Properties dialog it was missing! We looked at the computer account and there we had the Delagation tab. We were a bit a confused and became unsure if Delegation were supposed to be configured on the service accounts.

Some research revealed that when Active Directory is running in Windows 2000 functional level there is no Delegation tab, it only appears when running AD in Windows 2003 (or higher) functional level. We were using Windows 2008 functional level so that was not the problem.

However, further research also revealed that the Delegation tab is only displayed when there is at least one value set in the servicePrincipalName attribute. At that was the solution to our problem!

Side note 1: Setting a ServicePrincipalName (SPN) can be performed in a number of ways; ADSIEdit, Attribute Editor in ADCU and SETSPN.EXE. I like creating things that can be easily repeated in other environments (dev, verification, production, …) so I prefer creating BAT-files using SETSPN.EXE, but YMMV.

Side note 2: Now I also realize why the guides around Kerberos configuration tell you to first set the SPNs and then enable Delegation on the service accounts…

Below are some screenshots from my virtual development enviornment to illustrate the topic below. The first screenshot show my service account with no SPN set.

image

The next screenshot show that if you turn on Advanced Features in ADCU you can edit object attributes directly in the Properties dialog, using the Attribute Editor tab. You can either enter this value directly in this dialog or you can run SETSPN.EXE http/lom KRYSS\sqlservice.

image

So when you set at least one SPN for the object you get the Delegation tab. Nice and easy!

image

Comments

  • Anonymous
    May 10, 2013
    Thanks Mattias Lindberg.

  • Anonymous
    August 29, 2013
    This was exactly what I was looking for, thanks!

  • Anonymous
    June 07, 2014
    Thanks Matthias that's exactly what my problem was :)

  • Anonymous
    November 25, 2014
    tres looooooooooooooooooooooooooooooool

  • Anonymous
    October 12, 2015
    Thanks a lot. resolved my issue too. :)

  • Anonymous
    December 16, 2015
    Thank you! Solved my issue too for normal service account. For Managed Service or groupManagedService accounts this does not add the delegation tab although. But you can ofcourse type it through the attribute editor.