How to automatically enable Kerberos delegation to Windows Admin Center on all servers?

We want to use Windows Admin Center to manage our environment; WAC will run on a dedicated server in gateway mode, and administrators will manage servers through WAC.

This requires setting up Kerberos constrained delegation to allow WAC to operate on the servers on behalf of the users; this is well documented, and works this way:

# Resolve both computer objects; the delegation is configured on the managed
# server (resource-based constrained delegation), naming the WAC gateway as the
# principal allowed to act on behalf of users.
$wac = Get-ADComputer -Identity "WAC Server Name"
$server = Get-ADComputer -Identity "Managed Server Name"
Set-ADComputer -Identity $server -PrincipalsAllowedToDelegateToAccount $wac

Of course, this can easily be scripted for multiple servers.

However, what we would like is for this to be automated: when a new server is joined to the domain, the WAC gateway should automatically be granted a Kerberos delegation to manage it.

Unfortunately, this doesn't seem to be an actual ACL on the computer object; thus it doesn't seem possible to handle this with an ACL at the OU or domain level. Also, there doesn't seem to be any GPO setting for this (or at least I couldn't find it).

How can we automatically enable Kerberos delegation to the WAC gateway for all computers when they are joined to the domain?

Wish I had time right now to write up a full answer. There are probably several ways that this can be accomplished, but here's a quick and admittedly crude one that comes to mind and might inspire you: on your DCs, look in the Security log for event ID 645 (Computer Account Created) and attach a Scheduled Task that pulls the new computer account name into the script that you have noted above. It's not the best way, but...something?!
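One way to put the question's three-line procedure behind the event-triggered (or simply periodic) scheduled task suggested above, as an added example that is not part of the original post or of Windows Admin Center: it reconciles recently created computer accounts in one OU, adds the gateway without dropping principals that are already present, and supports -WhatIf. The gateway name, the OU, the exclusion pattern and the lookback window are assumed values, and the script assumes Set-ADComputer accepts the existing principals by distinguished name.

```powershell
# Grant-WacDelegation.ps1 (hypothetical name). Run by a scheduled task on an
# administrative host with an account that only has write access to
# msDS-AllowedToActOnBehalfOfOtherIdentity on computer objects under $SearchBase.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)] [string] $GatewayName,   # assumed, e.g. 'WAC-GW01'
    [Parameter(Mandatory)] [string] $SearchBase,    # assumed, e.g. 'OU=Servers,DC=corp,DC=example'
    [int]    $LookbackHours = 24,                   # how far back "newly joined" reaches
    [string] $Exclude = '^(WAC-|DC)'                # names that must never receive delegation
)
Import-Module ActiveDirectory -ErrorAction Stop

$gateway = Get-ADComputer -Identity $GatewayName
$since   = (Get-Date).AddHours(-$LookbackHours)

# whenCreated is replicated, so the task sees new joins from any DC.
$candidates = Get-ADComputer -SearchBase $SearchBase `
    -Filter { whenCreated -ge $since } `
    -Properties whenCreated, PrincipalsAllowedToDelegateToAccount

foreach ($computer in $candidates) {
    if ($computer.Name -match $Exclude) {
        Write-Verbose "$($computer.Name): excluded by pattern, skipping"
        continue
    }
    # Existing entries come back as distinguished names.
    $current = @($computer.PrincipalsAllowedToDelegateToAccount)
    if ($current -contains $gateway.DistinguishedName) {
        Write-Verbose "$($computer.Name): gateway already allowed, skipping"
        continue
    }
    # Set-ADComputer replaces the whole list, so keep what is already there.
    $principals = @($current) + $gateway
    if ($PSCmdlet.ShouldProcess($computer.Name, "allow $GatewayName to delegate")) {
        Set-ADComputer -Identity $computer -PrincipalsAllowedToDelegateToAccount $principals
        Write-Output "$($computer.Name): delegation to $GatewayName granted"
    }
}
```

Running it first with -WhatIf -Verbose lists which accounts would change, and keeping $SearchBase to the server OU (with domain controllers and the gateway itself excluded) limits what the task can ever grant.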