Remote Administration Without Constrained Delegation Using PrincipalsAllowedToDelegateToAccount

You may have read my previous posts on remote administration and constrained delegation (Enabling Hyper-V Remote Management - Configuring Constrained Delegation For SMB and Highly Available SMB, Enabling Hyper-V Remote Management - Configuring Constrained Delegation For Non-Clustered Live Migration, or Scripting Constrained Delegation Settings). One of the biggest challenges people voice over constrained delegation is that it requires Active Directory administrator permissions. In Windows Server 2012 the Active Directory team introduced resource-based Kerberos constrained delegation. This feature provides several significant advantages over traditional constrained delegation: it no longer requires a domain administrator to configure it, it works across domain and forest trusts (removing the requirement that both servers reside in the same domain), and it's really easy to configure!

One thing to keep in mind: you still have to configure the share permissions and the file/folder permissions properly (see the Create SMB Share For Virtual Machines section of Enabling Hyper-V Remote Management - Configuring Constrained Delegation For SMB and Highly Available SMB).

Basic Configuration

In the example below we simply get the Active Directory computer object for the file server and set its PrincipalsAllowedToDelegateToAccount to the Active Directory computer object of the Hyper-V server. In the background this sets the msDS-AllowedToActOnBehalfOfOtherIdentity attribute to a security descriptor that grants the Hyper-V server's computer account the right to delegate to the file server.

Get-ADComputer -Filter {Name -Like "FileServer"} | Set-ADComputer -PrincipalsAllowedToDelegateToAccount (Get-ADComputer -Filter {Name -Like "HyperVServer"})

Advanced Configuration

The function below does a much more complete job of adding the Hyper-V server to the file server's PrincipalsAllowedToDelegateToAccount: it reads in the existing entries and builds an array of allowed servers, so the new entry is appended rather than replacing what is already there.

function Add-PrincipalsAllowedToDelegateToAccount
{
    Param
    (
        [Parameter(Mandatory = $true)]
        [String]
        $FileServer,
        [Parameter(Mandatory = $true)]
        [String]
        $HyperVServer
    )

    # Collect the principals that are already allowed, then append the new one.
    $delegationPrincipals = @()
    $fsAD = Get-ADComputer -Filter {Name -Like $FileServer} `
        -Properties msDS-AllowedToActOnBehalfOfOtherIdentity

    # The attribute comes back as a security descriptor; each ACE identifies one
    # principal as DOMAIN\name$, so strip the domain prefix to get the sAMAccountName.
    foreach ($AllowedAccount in $fsAD."msDS-AllowedToActOnBehalfOfOtherIdentity".Access)
    {
        $samAccountName = $AllowedAccount.IdentityReference.Value
        $samAccountName = $samAccountName.Remove(0, ($samAccountName.IndexOf("\") + 1))

        $delegationPrincipals += Get-ADComputer -Filter {SamAccountName -Like $samAccountName}
    }

    # Add the Hyper-V server and write the complete list back so no existing entry is lost.
    $delegationPrincipals += Get-ADComputer -Identity $HyperVServer
    $fsAD | Set-ADComputer -PrincipalsAllowedToDelegateToAccount $delegationPrincipals
}
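As an added example that is not part of the original post, the two functions below complement the one above: the first reads the configuration back so you can audit who is allowed to delegate to the file server, and the second removes a retired Hyper-V server without disturbing the other entries. They assume the ActiveDirectory module is loaded and, as in the scenario above, that the listed principals are computer accounts; the function names are not from the post.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module and
# that the allowed principals are computer accounts (the post's Hyper-V scenario).
function Get-PrincipalsAllowedToDelegateToAccount
{
    Param
    (
        [Parameter(Mandatory = $true)]
        [String]
        $FileServer
    )

    # PrincipalsAllowedToDelegateToAccount is the cmdlet's decoded view of
    # msDS-AllowedToActOnBehalfOfOtherIdentity: the distinguished names of every
    # principal the file server will accept delegated requests from.
    $fsAD = Get-ADComputer -Identity $FileServer `
        -Properties PrincipalsAllowedToDelegateToAccount
    foreach ($dn in $fsAD.PrincipalsAllowedToDelegateToAccount)
    {
        Get-ADObject -Identity $dn | Select-Object Name, ObjectClass, DistinguishedName
    }
}

function Remove-PrincipalAllowedToDelegateToAccount
{
    Param
    (
        [Parameter(Mandatory = $true)]
        [String]
        $FileServer,
        [Parameter(Mandatory = $true)]
        [String]
        $HyperVServer
    )

    $hvDN = (Get-ADComputer -Identity $HyperVServer).DistinguishedName
    $fsAD = Get-ADComputer -Identity $FileServer `
        -Properties PrincipalsAllowedToDelegateToAccount

    # Keep every principal except the one being retired. Each remaining entry is
    # re-read as a computer object because Set-ADComputer expects ADPrincipal objects.
    $remaining = @()
    foreach ($dn in $fsAD.PrincipalsAllowedToDelegateToAccount)
    {
        if ($dn -ne $hvDN) { $remaining += Get-ADComputer -Identity $dn }
    }

    # Passing $null clears the attribute entirely when nothing is left.
    if ($remaining.Count -eq 0) { $remaining = $null }
    $fsAD | Set-ADComputer -PrincipalsAllowedToDelegateToAccount $remaining
}
```

Running Get-PrincipalsAllowedToDelegateToAccount periodically against your file servers is a cheap way to confirm the list still contains only the Hyper-V hosts you expect.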


I hope this helps everyone, it sure has helped my team!

-taylorb