Setting Kerberos delegation on AD user account from Linux via Active Roles

Question

Hello 
 
 I am wondering if anyone has a solution or ideas on how to use Active Roles to set values for msds-AllowedToDelegateTo attributes (used in Kerberos Delegations ) for an 3rd party application's Active Directory Service account - setting the values on its own SELF account. We want to be able to automate this from Linux host (RHEL7) where we are also using VAS. We would like to avoid allowing Privilege on AD DCs of "Enable computer and user accounts to be trusted for delegation" to the 3rd party app's AD account, but we are ok to allow this via the AR override account. 
 On Windows I could consider using the MSI install of the ADSI components, but don't know I have this option for the Linux host. I'd like to be able to help the other team finding a scripted on RHEL7 solution but not sure what options might be possible here. 
 
 Thanks

Stu.Pollock · Accepted Answer

Thanks glenn colville 
 Nice option, yes as long as the SPML schema files include the appropriate attribute you want to changed, you can do it via that. 
 This won't help you now, but may help you in future. It was announced at vUnite that a RestAPI servers is being released for Active Roles ( https://www.youtube.com/watch?v=VI6v5C1cWSQ ), which might be better for you in future (if you've only installed the SPML provider just for this task). 
 If there any thing else you needed assistance with?

glenn colville · Answer

Hi Stu 
 We want the application team to be able to update the values of a service account by some means from RHEL. Since I posted this we have had progress, and using python they have been able to send almost templated SPML to our Active Roles servers to update the values. We have setup Access template Links in AR to allow writing to these attributes

Endpoint Privilege Management

Setting Kerberos delegation on AD user account from Linux via Active Roles

Top Replies