Kerberos Constrained Delegation, FE and BE Servers Must Be In Same Domain

Kerberos Constrained Delegation, FE and BE Servers Must Be In Same Domain

  • Comments 1
  • Likes

This has come up several times, and I suspect will continue to do so occasionally.   So I thought I’d post about this real quick in order to get the word out and also make sure that I don’t give the wrong answer on this to someone again (I forgot, gave the wrong answer to someone and feel a little guilty).

 

More and more of our customers are using Kerberos constrained delegation.   Constrained delegation is where you limit the server and/or services that a middle tier server can delegate to.    The goal being a limitation of the possible usage of credentials in the event of the middle tier is compromised somehow.  This all fits in with the principle of least privilege, a security mainstay that essentially states that you are most secure when you routinely provide only the minimum rights or permissions needed to get a task done.

 

The part in particular which I am posting about it where your middle tier and back end accounts may be, domain wise.  What happens if they are not?  Well, the delegation will fail.  Here’s an lsass.log entry (go to this post to find out how to enable that) from the middle tier (also known as front end, last server is also known as back end) server of the failure:

 

408.2656> Kerb-Warn: SpInitLsaModeContext failed to get outbound ticket, KerbGetServiceTicketByS4UProxy failed 0xc000040b

 

…and when we use ERR.EXE to parse it out:

C:\Users\yeahright>err 0xc000040b

# for hex 0xc000040b / decimal -1073740789 :

  STATUS_CROSSREALM_DELEGATION_FAILURE                          ntstatus.h

# An attempt was made by this server to make a Kerberos

# constrained delegation request for a target

# outside of the server's realm.  This is not supported, and

# indicates a misconfiguration on this

# server's allowed to delegate to list.  Please contact your

# administrator.

# 1 matches found for "0xc000040b" 

 

So, to recap, in a  delegation scenario where the computers/identities below are involved :

 

1- IE client

2- IIS server (front end) 

3- SQL server (back end)

 

The identity of the IIS server (both the computer account as well as the account the service in the app pool is running under) and the identity of the SQL server (and its service account) must be in accounts in the same domain.

 

*Note: The servers may be different services on front and back end, IIS and SQL were simply used as an example.

**Note: Domain=realm.

***Note: Identity=account

 

I feel so much better now that I've posted this.  I have a feeling it will be as good as aspirin in alleviating some headaches out there.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment
  • Thank you! This was very usefull.