In June I posted an article called Configuring Kerberos Constrained Delegation for Hyper-V Management. I covered the concept of Kerberos delegation and its evolution into constrained delegation. The article focused mainly on configuring constrained delegation for Hyper-V management, in order to be able to manage Hyper-V remotely. I ended the article with a PowerShell script called Set-KCD.ps1 and an Active Directory cmdlet to configure KCD and verify successful delegation.
I primarily use PowerShell for management and therefore use my own scripts. Using Set-KCD worked well but it lacked certain capabilities which resulted in performing additional steps from the PowerShell command line. Like I mentioned in the article, it was nothing fancy or advanced but it worked in its limited way.
My environment gets reinstalled from time to time. This time the reason was the release of Windows Server 2012. I use upgrades when possible, but an upgrade was not possible here, so I reinstalled the environment. I could have upgraded Active Directory, but a reinstallation and reconfiguration was actually even faster in my simple environment.
So I needed to configure KCD for my hosts and noticed this script could be improved. I rewrote the script so that it would be much easier to use. For example, using a distinguished name for the Active Directory computer object is not intuitive and also requires additional Active Directory cmdlets to find the object path. The computer object can be located anywhere in Active Directory and will usually not exist in the Computers container.
The parameter names for the computers were also not intuitive. The computer you configure to be trusted for delegation was called 'AdDN' (the Active Directory Distinguished Name) and the computer you specify to trust delegation to was called HostFQDN. So I changed these to TrustedComputer and TrustingComputer respectively. The thought was this: you configure the computer object in Active Directory to be trusted for delegation of your credentials to a specific computer for a specific service type. So TrustedComputer is self-explanatory here. The computer you allow delegation to for a specific service type is basically the computer that trusts the TrustedComputer for delegation. Although the graphical tools in Active Directory don't use these terms, I think they are the easiest to understand when configuring KCD. A small change has been made to the service parameter, which is now called ServiceType since this is what it really refers to.
I removed the requirement for fully qualified names. You must be logged on as domain administrator so I get the domain name from the logon session. The result is that the command has become much simpler and easier to understand. Referring to the picture in the previous post, when configuring KCD for vmhost1 to be trusted for CIFS to vmhost2, the command looks like this:
./Set-KCD -TrustedComputer vmhost1 -TrustingComputer vmhost2 -ServiceType CIFS -Add
or just type:
./Set-KCD vmhost1 vmhost2 CIFS
This is much simpler compared to the old command syntax:
./Set-KCD -AdDN "cn=vmhost1,cn=computers,dc=contoso,dc=com" -HostFQDN vmhost2.contoso.com -Service CIFS -Add
Finally, I also wanted to be able to configure delegation records for multiple computer objects in one step and to be able to verify the settings, so I added the option to import the settings from a file.
The following switches are available:
I will not go into the details of each. Because of the built-in help of the script you can get the syntax, examples or full description using 'help ./Set-KCD', 'help ./Set-KCD -examples' or 'help ./Set-KCD -full'.
There are four new switches: -Clear, -Import, -List and -ListFromFile.
Clear will simply clear all delegation records of the TrustedComputer.
List displays the delegation records currently configured for the TrustedComputer.
ListFromFile displays the delegation records for all TrustedComputer entries in the File.
Import enables you to configure delegation records for multiple trusted computers at once. This is the one I use for my environment to configure KCD using a configuration file. The -File parameter lets you specify a path to a CSV file containing the records for the TrustedComputer, TrustingComputer and ServiceType. The format of the file is documented in the help and a sample file is included in the Set-KCD zip file.
Below is the updated script. It also contains some basic error handling but it won’t check your privileges.
This is for reference only. You can download the script and sample configuration file here.
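The kind of verification that -ListFromFile offers can also be run as a drift audit with the Active Directory module alone: compare the delegation targets stored in each computer object's msDS-AllowedToDelegateTo attribute with the records in the file. The following is an added example, not part of Set-KCD.ps1. The function names, the CSV header names, the file name and the assumption that each record is stored as both a short-name and an FQDN SPN are assumptions of this example.

```powershell
# Added example, not part of Set-KCD.ps1. Requires the ActiveDirectory module.
# Assumption: CSV header row is TrustedComputer,TrustingComputer,ServiceType.
Import-Module ActiveDirectory

function Get-ExpectedSpn {
    param([string]$TrustingComputer, [string]$ServiceType, [string]$DnsDomain)
    # Assumption: each record is stored as a short-name SPN and an FQDN SPN.
    '{0}/{1}' -f $ServiceType, $TrustingComputer
    '{0}/{1}.{2}' -f $ServiceType, $TrustingComputer, $DnsDomain
}

function Compare-KcdWithFile {
    param([Parameter(Mandatory = $true)][string]$File)

    $dnsDomain = (Get-ADDomain).DNSRoot
    $props = 'msDS-AllowedToDelegateTo', 'TrustedForDelegation'
    Import-Csv -Path $File | Group-Object -Property TrustedComputer | ForEach-Object {
        $name = $_.Name
        # Build the full list of SPNs the file says this computer may delegate to.
        $expected = @($_.Group | ForEach-Object {
            Get-ExpectedSpn $_.TrustingComputer $_.ServiceType $dnsDomain
        })
        try {
            $computer = Get-ADComputer -Identity $name -Properties $props -ErrorAction Stop
        } catch {
            Write-Warning "Computer object '$name' could not be read: $_"
            return   # skip to the next TrustedComputer group
        }
        # -notcontains compares case-insensitively, which suits SPNs.
        $actual = @($computer.'msDS-AllowedToDelegateTo')
        [pscustomobject]@{
            TrustedComputer = $name
            Missing         = @($expected | Where-Object { $actual -notcontains $_ }) -join '; '
            Unexpected      = @($actual | Where-Object { $expected -notcontains $_ }) -join '; '
            # True means unconstrained delegation is enabled on the object.
            Unconstrained   = [bool]$computer.TrustedForDelegation
        }
    }
}

# Usage (kcd.csv is a hypothetical file name):
# Compare-KcdWithFile -File .\kcd.csv | Format-Table -AutoSize
```

An empty Missing and Unexpected column for every row means the directory matches the file; any Unexpected entry is a delegation target that nobody recorded and is worth reviewing.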
Thanks. You saved us a lot of development, testing and manual entries on this topic.
Excellent tool - going to save me a lot of time as I add more hosts to our environment!