How to Delegate the Right to Delegate Kerberos Constrained Delegation

Wow, that is a lot of delegating… seriously, how many times can you say it in one sentence? Today's post is one that threw me for a loop. As a domain admin I have the right to configure constrained Kerberos delegation. There may come a time when you want to delegate that out to a user or group.

My first thought was to assign the user/group Full Control on the OU that contained the accounts. At that point I would run the following command:

setspn -a http/workstation01 adminprepbrian

Surely Full Control would grant me the permission to do this… Failed!!! Insufficient access rights. It is not a "permission" that is needed, it is a "User Right". So where do you go to assign the right to work with constrained delegation, and which User Right is it? Well, you won't find it in the Local Security Policy.

The User Right that you need to grant is SeEnableDelegationPrivilege. Now, where and how do I grant this User Right? Well, it turns out you still should delegate Full Control to the user/group that you want to grant this User Right to. Then, on a DC, you must run the following command:

ntrights -u adminprepbrian +r SeEnableDelegationPrivilege

Just make sure to modify that domain/user to match your environment. Now when I run the setspn command it works, because that account has the correct User Right. You may have to wait for replication to occur if you are in a distributed environment.
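Once the right has been handed out, it is worth checking on the DC who actually holds SeEnableDelegationPrivilege now (and whether any stale SIDs are lurking in it), and taking inventory of which accounts already have constrained delegation configured. The PowerShell below is an added example written for this post, not the author's own script; it assumes it runs on a domain controller with the RSAT ActiveDirectory module installed, reads the effective user-rights assignment with secedit, and queries msDS-AllowedToDelegateTo and the TRUSTED_TO_AUTH_FOR_DELEGATION bit of userAccountControl across the domain.

```powershell
# Added example (not from the original post): audit who holds SeEnableDelegationPrivilege on
# this DC and which accounts already have constrained delegation configured.
# Assumes: run on a domain controller, RSAT ActiveDirectory module available.
Import-Module ActiveDirectory

function Get-DelegationPrivilegeHolders {
    # secedit can only export to a file; export just the USER_RIGHTS area and parse one line.
    $cfg = Join-Path $env:TEMP 'user-rights-audit.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -like 'SeEnableDelegationPrivilege*' } | Select-Object -First 1
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }   # nobody holds it (unexpected on a DC, BUILTIN\Administrators has it by default)

    # Line format: "SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-...-1105"
    $sids = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
    foreach ($sid in $sids) {
        try {
            $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch {
            $name = '<unresolved SID>'   # orphaned entry: a finding in itself, remove it from the policy
        }
        [pscustomobject]@{ Sid = $sid; Account = $name }
    }
}

function Get-ConstrainedDelegationAccounts {
    # TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) marks "use any authentication protocol"
    # (protocol transition), the more powerful of the two constrained-delegation modes.
    $T2A4D = 0x1000000
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties msDS-AllowedToDelegateTo, userAccountControl |
        ForEach-Object {
            [pscustomobject]@{
                Account            = $_.Name
                Class              = $_.ObjectClass
                ProtocolTransition = (($_.userAccountControl -band $T2A4D) -ne 0)
                Targets            = ($_.'msDS-AllowedToDelegateTo' -join '; ')
            }
        }
}

'Holders of SeEnableDelegationPrivilege on this DC:'
Get-DelegationPrivilegeHolders | Format-Table -AutoSize
'Accounts with constrained delegation configured:'
Get-ConstrainedDelegationAccounts | Format-Table -AutoSize
```

Run it as an administrator on the DC where you ran ntrights; the first table should now list the delegated user or group next to BUILTIN\Administrators. Anything with ProtocolTransition set to True in the second table deserves a second look, since those accounts can obtain service tickets for their targets on behalf of users who never authenticated to them with Kerberos.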

2 Responses to “How to Delegate the Right to Delegate Kerberos Constrained Delegation”

  1.   BrianM Says:

    Oddly enough that didn't work for me. That is the 1st thing I tried as I didn't want to grant FC either.


  2.   Thomas Vuylsteke Says:

    I think you can achieve the same by just setting this in the default domain controller policy (or preferably in your custom default DC policy).

    The setting: Enable computer and user accounts to be trusted for delegation (by default BUILTIN\Administrators have this right); you could add your group/user.

    Besides this right, all you need is "WP on the computer/user object to modify the msDS-AllowedToDelegateTo attribute". The whitepapers don't discuss it, but besides the msDS-AllowedToDelegateTo, you might also require permissions to alter the "userAccountControl" attribute, depending on the type of delegation (Kerberos only/any authN protocol).

    The permissions and required rights are explained in detail in the delegation whitepapers: http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en and http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en


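The comment above names the two attributes a delegated administrator actually has to write (msDS-AllowedToDelegateTo and, for the "any authentication protocol" mode, userAccountControl). The PowerShell below is an added example, written for this page and not taken from the post or the commenter, that grants a group WriteProperty on exactly those two attributes for computer objects under one OU, instead of Full Control on the OU, and then reads the ACL back to confirm the ACEs landed. It assumes the RSAT ActiveDirectory module (for the AD: drive and Get-ADRootDSE); the OU and group names are placeholders.

```powershell
# Added example (not from the post or the comment): least-privilege alternative to Full Control.
# Grants WriteProperty on msDS-AllowedToDelegateTo and userAccountControl, inherited by
# descendant computer objects of one OU only. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$TargetOu = 'OU=Web Servers,DC=example,DC=com'   # placeholder: OU holding the service computers
$Group    = 'EXAMPLE\Delegation-Admins'          # placeholder: group receiving the rights

function Get-SchemaGuid {
    param([string]$LdapDisplayName)
    # Look the attribute/class GUID up in the schema instead of hard-coding it.
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}

function Grant-ConstrainedDelegationWrite {
    param(
        [string]$OuDn,
        [string]$Identity,
        [string[]]$Attributes = @('msDS-AllowedToDelegateTo', 'userAccountControl')
    )
    $sid         = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
                       [System.Security.Principal.SecurityIdentifier])
    $computerCls = Get-SchemaGuid 'computer'
    $acl         = Get-Acl -Path "AD:\$OuDn"

    foreach ($attr in $Attributes) {
        # One object-specific ACE per attribute: Allow WriteProperty on <attr>,
        # applied to descendant objects of class "computer" only.
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            (Get-SchemaGuid $attr),
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $computerCls)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Test-ConstrainedDelegationWrite {
    param([string]$OuDn, [string]$Identity, [string]$Attribute)
    # Read the ACL back and confirm an explicit Allow WriteProperty ACE for this identity/attribute.
    $guid = Get-SchemaGuid $Attribute
    $acl  = Get-Acl -Path "AD:\$OuDn"
    $hits = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        $_.ObjectType -eq $guid -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0)
    }
    return [bool]$hits
}

Grant-ConstrainedDelegationWrite -OuDn $TargetOu -Identity $Group
foreach ($attr in 'msDS-AllowedToDelegateTo', 'userAccountControl') {
    '{0}: {1}' -f $attr, (Test-ConstrainedDelegationWrite -OuDn $TargetOu -Identity $Group -Attribute $attr)
}
```

Two things to keep in mind when using this: the ACEs alone are not enough, because the DC still checks SeEnableDelegationPrivilege before it lets anyone flip the delegation bits, so the group also needs the user right from the post (or from the "Enable computer and user accounts to be trusted for delegation" setting in the Default Domain Controllers Policy that the comment mentions). And because WriteProperty on userAccountControl also covers the unconstrained TRUSTED_FOR_DELEGATION bit, keep the inheritance scoped to the one OU and review the members of that group as you would any other delegation-capable principal.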