I can't see how to grant Kerberos Constrained Delegation for a service identified by a Managed Service Account.
I have a Windows 2008 R2 functional level single domain single forest, two 2008 R2 SP1 DCs, newly built.
I have installed my new SQL Server 2012 instance on server "SQL-01" to run in a Managed Service Account, "MsaSqlServer".
All good so far.
The Managed Service Account has attributes: cn=MsaSqlServer sAMAccountName=MsaSqlServer$ servicePrincipleName=MSSQLSvc/SQL-01.fasttrac.local,MSSQLSvc/SQL-01.fasttrac.local:1433
I now have an IIS Website on server APP-02 (in the same domain). I can set up constrained delegation in ADUC quite easily on the Delegation tab of the Properties dialog for the webserver, APP-02, for e.g. file access to a file server, by clicking add, finding the file server and selecting the "cifs" service type. However, I want to have delegation for SQL Server, so I click Add, find the SQL server, SQL-01, and there's no SQL or MSSQLSvc or similar service. That's normal, because the MSSQLSvc SPN is registered to the the account that SQL Server runs as, and it would only appear on the computer account if it ran as Local System. With SQL 2008 running under a normal domain user account, I simply enter that domain user name and select the MSSQLSvc SPN and off we go, however I can't get the "Select Users or Computers" box to find my Managed Service Account (with or without the $ suffix).
I think I can get the required effect by hacking the msDS-AllowedToDelegateTo attribute of the web server (APP-02) AD object directly and adding "MSSQLSvc/MsaSqlServer" and "MSSQLSvc/MsaSqlServer.domain.local", but I don't know whether to include the training $ (i.e. "MSSQLSvc/MsaSqlServer$") and really, I though the GUI should work. Does anyone know what I should do?
0 Answers