The Kerberos protocol includes a mechanism called delegation of authentication. When it is used, the client delegates its identity to the front-end server: the Key Distribution Center (KDC) is told that the front-end server is authorized to act on behalf of a specified Kerberos security principal, such as a user with an Active Directory account. The front-end server can then use that delegated identity to authenticate to the back-end server as the user.
In the Windows 2000 delegation model, the KDC does not limit the scope of services that a Kerberos principal's identity can be delegated to. That is, once a service account is trusted for delegation, it can request service tickets on behalf of a given user to any other service account. With Kerberos Constrained Delegation (KCD), on the other hand, domain administrators can configure a service account to delegate only to a specific set of services. In Windows Server 2003 and later, the msDS-AllowedToDelegateTo attribute on the service account enforces KCD: it lists the service principal names (SPNs) of the services that the account is allowed to delegate to. When a Windows Server KDC processes a service ticket request through the constrained delegation extension (S4U2proxy), it verifies that the SPN of the target service is listed in the requesting account's msDS-AllowedToDelegateTo attribute and refuses the ticket otherwise.
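The classic (Windows Server 2003) form of KCD described above, configured and audited with the ActiveDirectory PowerShell module. This is an added example and not part of the original post; the account name svc-web, the SPNs and the domain corp.example are hypothetical, and the script assumes RSAT is installed and that you have the rights to write the front-end account's attributes.

```powershell
# Added example, not from the original post. Names are hypothetical.
Import-Module ActiveDirectory

$frontEnd    = 'svc-web'                               # hypothetical front-end service account
$backEndSpns = @('MSSQLSvc/sql01.corp.example:1433',   # hypothetical back-end SPNs
                 'MSSQLSvc/sql01.corp.example')

# Classic KCD: the allow-list is stored on the FRONT-END account in
# msDS-AllowedToDelegateTo, so this write normally needs Domain Admin-level rights.
Set-ADUser -Identity $frontEnd -Add @{ 'msDS-AllowedToDelegateTo' = $backEndSpns }

# Show exactly what the KDC will compare against the target SPN of an S4U2proxy request.
Get-ADUser -Identity $frontEnd -Properties 'msDS-AllowedToDelegateTo' |
    Select-Object -ExpandProperty 'msDS-AllowedToDelegateTo'

# Audit: every account in the domain that is constrained-delegation enabled, and whether it
# also has TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000, "protocol transition"), which lets it
# obtain a ticket for any user without that user ever having authenticated to it.
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties 'msDS-AllowedToDelegateTo', userAccountControl |
    Select-Object Name, ObjectClass,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } },
        @{ n = 'ProtocolTransition';  e = { [bool]($_.userAccountControl -band 0x1000000) } }
```

The audit query is the part worth scheduling: an account that appears in it with ProtocolTransition set to True can impersonate any user (other than those marked "sensitive and cannot be delegated") to every SPN on its list, so that combination deserves the same scrutiny as an unconstrained-delegation account.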
Schematically, Kerberos Constrained Delegation (KCD) looks like:
What's New
Kerberos Constrained Delegation in Windows Server 2012 now supports cross-domain and cross-forest authentication scenarios.
Under the hood, Kerberos Constrained Delegation in Windows Server 2012 moves the authorization decision to the resource owner: the allow-list is now stored on the back-end service account (the msDS-AllowedToActOnBehalfOfOtherIdentity attribute), so the back-end server decides which front-end service accounts may impersonate users against its resources.
This also changes the required privileges. You no longer need Domain Admin privileges to configure and manage Kerberos Constrained Delegation; write access to the back-end service account object is sufficient.
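The resource-based form described above, shown with the ActiveDirectory module against two domains. This is an added example and not part of the original post; the computer names WEB01 and SQL01 and the domain controller dc1.corp.example are hypothetical, and it assumes Windows Server 2012 domain controllers in both domains and write access to the back-end computer object.

```powershell
# Added example, not from the original post. Names are hypothetical.
Import-Module ActiveDirectory

# Front-end computer account in the user-facing domain; back-end computer account in the
# domain this session is bound to (the cross-domain case the post says is new in 2012).
$frontEnd = Get-ADComputer -Identity 'WEB01' -Server 'dc1.corp.example'   # hypothetical
$backEnd  = 'SQL01'                                                         # hypothetical

# Resource-based KCD: the allow-list is written on the BACK-END account. Only write access
# to that object is needed, not Domain Admin rights.
Set-ADComputer -Identity $backEnd -PrincipalsAllowedToDelegateToAccount $frontEnd

# Verify through the cmdlet's friendly view...
Get-ADComputer -Identity $backEnd -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount

# ...and through the raw attribute, which is a security descriptor whose DACL names the
# trusted front-end SIDs. This is what the KDC actually evaluates.
$sd = (Get-ADComputer -Identity $backEnd -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity').'msDS-AllowedToActOnBehalfOfOtherIdentity'
$sd.Access | Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights

# Audit the back-end domain: every object that trusts some principal to delegate to it.
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
    ForEach-Object {
        [pscustomobject]@{
            Resource  = $_.Name
            TrustedBy = ($_.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access |
                         ForEach-Object IdentityReference) -join '; '
        }
    }

# Remove the trust again, e.g. when the front end is decommissioned.
Set-ADComputer -Identity $backEnd -PrincipalsAllowedToDelegateToAccount $null
```

The reduced privilege requirement cuts both ways: any principal that can write msDS-AllowedToActOnBehalfOfOtherIdentity on the back-end object can grant delegation to itself, so the audit above is only complete when paired with a review of who holds write permissions on those objects.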
Requirements
If you want to use Kerberos Constrained Delegation (KCD) in a cross-domain or cross-forest scenario, you need to fulfill the following requirements:
- Client computers used to access the service need to run Windows XP or later and be joined to a domain with Windows Server 2003-based Domain Controllers
- Front-end servers need to run Windows Server 2012
- One or more Domain Controllers in the front-end domain need to be running Windows Server 2012
- One or more Domain Controllers in the back-end domain need to be running Windows Server 2012, and the whole back-end server forest needs to be prepared with the Windows Server 2012 schema update
- Back-end server accounts need to be configured with the front-end accounts that are permitted to impersonate users against them
- Back-end application servers need to be running Windows Server 2003 or later