Enable Resource-based Constrained Delegation with S4U2Self
Make sure that the forwardable flag is set to true in the libdefaults section of the krb5.conf file.
You can configure Resource-based Constrained Delegation only through PowerShell commands. Start PowerShell as a user with the privileges required to change the properties of KDC accounts, preferably a KDC administrator.
To enable Resource-based Constrained Delegation with S4U2Self, perform the following steps for every Informatica keytab account on the KDC server:
1. Right-click the user account and select Properties. The Properties dialog box appears.
2. On the Delegation tab, select Do not trust this computer for delegation.
3. Click Apply.
4. Run the following commands to set the PrincipalsAllowedToDelegateToAccount attribute. Each intermediate server account is first resolved to an AD object, then the list of those objects is assigned to the target server account:
$IntermediateService1 = Get-ADUser -Identity <Intermediate server account's samAccountName> -Properties *
$IntermediateService2 = Get-ADUser -Identity <Intermediate server account's samAccountName> -Properties *
$IntermediateService3 = Get-ADUser -Identity <Intermediate server account's samAccountName> -Properties *
Set-ADUser -Identity <Target server account's samAccountName> -PrincipalsAllowedToDelegateToAccount $IntermediateService1, $IntermediateService2, $IntermediateService3
You can use comma-separated values to add multiple accounts to the PrincipalsAllowedToDelegateToAccount attribute.
If you want to unset the PrincipalsAllowedToDelegateToAccount attribute, run the following command:
Set-ADUser -Identity <Target server account's samAccountName> -PrincipalsAllowedToDelegateToAccount $null
By default, PowerShell shows only the first four values of the service principal list in the command output. Set the output enumeration limit to -1 to show the complete list of principals.
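The procedure above, as an added PowerShell example that is not part of the Informatica documentation. It wraps the set, read-back and clear operations in functions so the resulting delegation list can be verified after the change; the account names are constructed placeholders, and it assumes the ActiveDirectory module is installed and the session runs with rights to modify the target account.

```powershell
# Added example, not from the Informatica documentation.
# Assumes the ActiveDirectory module and a session with rights on the target account.
Import-Module ActiveDirectory

# Constructed placeholder names: replace with the real samAccountNames.
$targetSam        = 'infa_target_svc'                      # Informatica keytab account (target)
$intermediateSams = @('infa_front_svc1', 'infa_front_svc2') # intermediate server accounts

function Set-InfaRbcd {
    param(
        [Parameter(Mandatory)][string]$TargetSam,
        [Parameter(Mandatory)][string[]]$IntermediateSams
    )
    # Resolve every intermediate account first so a typo fails the whole
    # operation instead of silently granting delegation to a shorter list.
    $intermediates = foreach ($sam in $IntermediateSams) {
        Get-ADUser -Identity $sam -ErrorAction Stop
    }
    # Same attribute the documentation sets; one call replaces the full list.
    Set-ADUser -Identity $TargetSam `
        -PrincipalsAllowedToDelegateToAccount $intermediates -ErrorAction Stop
}

function Get-InfaRbcd {
    param([Parameter(Mandatory)][string]$TargetSam)
    # Read the attribute back so the change can be verified and recorded.
    # PowerShell truncates nested lists to four entries by default; -1 shows all.
    $global:FormatEnumerationLimit = -1
    (Get-ADUser -Identity $TargetSam -Properties PrincipalsAllowedToDelegateToAccount).
        PrincipalsAllowedToDelegateToAccount
}

function Clear-InfaRbcd {
    param([Parameter(Mandatory)][string]$TargetSam)
    # Unset the attribute, as in the documentation's last command.
    Set-ADUser -Identity $TargetSam -PrincipalsAllowedToDelegateToAccount $null
}

Set-InfaRbcd -TargetSam $targetSam -IntermediateSams $intermediateSams
# Lists the distinguished names of the accounts now allowed to delegate to the target.
Get-InfaRbcd -TargetSam $targetSam
```

Run Get-InfaRbcd again after any later change to the target account to confirm that only the intended intermediate accounts remain in the list.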