Constrained Delegation in Windows

The majority of sites around the web discuss constrained delegation in terms of web applications, SQL Server, or specialty services. There's not a whole lot of discussion on programmatic delegation, and I have yet to find a step-by-step guide for writing code that wants to take advantage of constrained delegation. I thought I'd write one.

I've created a scenario where a domain user runs a program that sends messages to a message receiver program. When the receiver gets a message, it impersonates the sender and then displays the message.

Because I'm going to need an Active Directory domain environment, I've created 3 virtual machines:
  1. dc.example.com - windows server 2008 R2 domain controller
  2. example-server.example.com - windows server 2008 R2 app server
  3. wkstation.example.com - windows 7 workstation
I've set up a few accounts in the domain:
  1. John@example.com - user account - will be sending messages
  2. msgSvc@example.com - service account - will be receiving messages
To the right, you'll see that I set the msgSvc account up so that the password can't be changed and it never expires. This isn't a best practice at all - this is just me trying to create a working environment quickly.

With Windows Server 2008 R2 domains, it's possible to create "managed service accounts", which will set and change your password for you as well as create and update Service Principal Names (SPNs) on your behalf. I didn't do that for this blog post because there's no GUI to create or manage service accounts yet and I didn't want to get into powershell scriptlets. If you're interested, there's a step-by-step guide over here. In this blog post, I refer to msgSvc@example.com as a "service account" even though it is actually just a normal user account. It is definitely not a "managed service account."

The service account we've just created will be the account running the message receiver program on the application server (example-server.example.com). In order for the service account to authenticate itself as the "example" message receiver service, we must set a service principal name (SPN) onto the account. Look at the image below to see how this is done.
setspn -U -A example/example-server.example.com@EXAMPLE.COM msgSvc
Now that we've mapped the service account to the service principal name, we can configure constrained delegation to that service.

On the domain controller (dc.example.com), we open up Active Directory Users and Computers. In the computers folder, we locate example-server and open its properties page. One of the tabs available will be "Delegation". That tab contains radio buttons, including the choice: "Trust the computer for delegation to specified services only". Keep "Use kerberos only" checked, and then click the "Add" button and specify the msgSvc account.

That's it for part 1! I now have an environment, accounts, and settings that will allow constrained delegation for my message passing programs. Tomorrow, I will post Part 2, which will show the code that sends signed and encrypted messages between two mutually authenticated programs. The message receiver will then impersonate the sender and display the message.

Comments

Post a Comment

Popular posts from this blog

Establishing a SSL connection to RabbitMQ using the .NET client

Image
First, I'm making the assumption that you've read, re-read, and followed the SSL tutorial on rabbitmq's website .  If you haven't done everything that it's instructed you to do (including adding your certificates to the Windows Certificate Store using certmgr), none of this code is going to work for you.  If you have, this code should "Just Work™". Here's the complete code file that works for me.  You will (obviously) need to change the names of the servers, and the thumbprint of your certificate. Note that this code only uses your client and server's certificates to establish a secure connection.  You are still logging in as guest.  I will show you how to use your client certificate to authenticate yourself below. using System; using System.Linq; using System.Security.Cryptography.X509Certificates; using System.Text; using RabbitMQ.Client; using RabbitMQ.Util; namespace RabbitSslTest {     class Program     {         static void Main(string[
Read more

Join CentOS to a Windows Domain

Image
3/26/2012 update: I've now done this on CentOS 6.2 as well. Since I've had to do this a number of times in the last few months, I thought I should post this here so I can't forget it. Here's some specifics on what I'm using: Windows Server 2008 R2 As dc1.devexample.com (192.168.0.201) As Primary Domain Controller of devexample.com As Windows Server 2008 R2 forest functional level CentOS 5 / CentOS 6 As app01.devexample.com (192.168.0.203) Samba 3.5.6 / Samba 3.6.3 An internet connection. If you are not going to have an internet connection, you'll want to pre-download the files you'll need. I suggest using 'yum downloadonly' to get them. I've spun up a brand new CentOS 5.5 VM and logged in. Oh man, does anyone else just love logging into a fresh install? Is my nerd showing? Sorry! The first thing I need to do is take on great responsibility, so for that I'm going to need great power: let's add my account to the su
Read more

Invalid provider type specified when accessing X509Certificate2.PrivateKey

Today, I was attempting to digitally sign a byte array with my private key so that I could produce an event on the event bus and a consumer could ensure that the message came from me and was not modified while in transit. public byte[] SignData(byte[] data) {   X509Store certStore = new X509Store(StoreName.My, StoreLocation.CurrentUser);   certStore.Open(OpenFlags.ReadOnly);   // the DN I get is CN=name,CN=Users,DC=example,DC=com   // but the DN on the cert has spaces after each comma   string spacedDN = UserPrincipal.Current.DistinguishedName.Replace(",", ", ");   X509Certificate2 cert = certStore.Certificates     .Find(       X509FindType.FindBySubjectDistinguishedName,       spacedDN,       true)     .OfType<X509Certificate2>()     .FirstOrDefault();   if (null == cert) { // handle no cert }   RSACryptoServiceProvider rsaProvider = cert.PrivateKey as RSACryptoServiceProvider;   return rsaProvider.SignData(data, n
Read more