Setting Kerberos delegation on AD user account from Linux via Active Roles


I am wondering if anyone has a solution or ideas on how to use Active Roles to set values for the msDS-AllowedToDelegateTo attribute (used in Kerberos delegation) for a 3rd party application's Active Directory service account - setting the values on its own SELF account. We want to be able to automate this from a Linux host (RHEL7) where we are also using VAS. We would like to avoid granting the privilege "Enable computer and user accounts to be trusted for delegation" on the AD DCs to the 3rd party app's AD account, but we are OK to allow this via the AR override account.

On Windows I could consider using the MSI install of the ADSI components, but I don't know if I have this option for the Linux host. I'd like to be able to help the other team find a scripted solution on RHEL7, but I'm not sure what options might be possible here.


Top Replies

  • Hi

    I am not aware of any Active Roles ADSI components available for Linux.

    In terms of the msDS-AllowedToDelegateTo attribute, are you expecting an application (on Linux) to set this, or is it going to be some Administrator from Linux (via the WI, the web interface)?

    If it's just via the WI, you could expose the msDS-AllowedToDelegateTo attribute in a custom form, restrict it to certain users, and just create an AT which grants access to write those attributes.

    However, it's not 100% clear what you're trying to do and where from.

    Kind regards


  • Hi Stu

    We want the application team to be able to update the values of a service account by some means from RHEL. Since I posted this we have had progress, and using Python they have been able to send almost templated SPML to our Active Roles servers to update the values. We have set up Access Template Links in AR to allow writing to these attributes.
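As an added illustration of the approach described in the reply above (this is not code from the thread or from Active Roles), the following Python builds an SPML v2 modifyRequest in the OASIS DSML profile that replaces msDS-AllowedToDelegateTo on a service account, validating each SPN first so that only a tight, well-formed constrained-delegation list is ever written. The Active Roles SPML endpoint URL, the authorization header, the account DN and the SPNs are constructed placeholders, not values from the thread.

```python
import re
import urllib.request
import xml.etree.ElementTree as ET

# Namespaces from the OASIS SPML v2 core spec and its DSML profile.
SPML_NS = "urn:oasis:names:tc:SPML:2:0"
DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
ET.register_namespace("spml", SPML_NS)
ET.register_namespace("dsml", DSML_NS)

# SPN shape: service class, '/', host name (letters, digits, '.', '-'), optional ':port'.
# Wildcards, spaces and empty components are rejected on purpose.
SPN_RE = re.compile(r"^[A-Za-z][\w-]*/[A-Za-z0-9][A-Za-z0-9.-]*(:\d{1,5})?$")


def validate_spns(spns):
    """Return a de-duplicated, sorted SPN list, or raise if any entry is malformed.
    Constrained delegation is only a narrowing of trust if the list stays exact,
    so a bad entry fails the whole request rather than being written to AD."""
    if not spns:
        raise ValueError("msDS-AllowedToDelegateTo must not be set to an empty list")
    bad = [s for s in spns if not SPN_RE.match(s)]
    if bad:
        raise ValueError(f"malformed SPN(s): {bad}")
    return sorted(set(spns))


def build_modify_request(account_dn, spns, request_id="set-delegation-1"):
    """Serialize an SPML modifyRequest that replaces msDS-AllowedToDelegateTo.
    Using the DN as the psoID is an assumption about the provider's identifier format."""
    values = validate_spns(spns)
    req = ET.Element(f"{{{SPML_NS}}}modifyRequest", requestID=request_id)
    ET.SubElement(req, f"{{{SPML_NS}}}psoID", ID=account_dn)
    mod = ET.SubElement(req, f"{{{SPML_NS}}}modification", modificationMode="replace")
    dmod = ET.SubElement(mod, f"{{{DSML_NS}}}modification",
                         name="msDS-AllowedToDelegateTo", operation="replace")
    for spn in values:
        ET.SubElement(dmod, f"{{{DSML_NS}}}value").text = spn
    return ET.tostring(req, encoding="utf-8", xml_declaration=True)


def send_modify_request(url, body, auth_header):
    """POST the SPML body to the provider. URL and auth scheme are placeholders;
    the account used should hold only the AR Access Template rights it needs."""
    http_req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8", "Authorization": auth_header})
    with urllib.request.urlopen(http_req, timeout=30) as resp:
        return resp.read()
```

Running `build_modify_request("CN=svc-app,OU=Service Accounts,DC=example,DC=com", ["HTTP/web01.example.com"])` and inspecting the XML before wiring up `send_modify_request` is a reasonable way to check the request against what the Access Template Link actually permits.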
