Mark

Reputation: 324

Problem on configure delegation in cross domain AD account

In our test environment there are 2 domains. A one-way trust was set up, and then we changed it to two-way; it still does not work.

I want to set up delegation on domainA/userA. In the Delegation tab, I choose "Trust this user for delegation to specified services only". Then, under "Services to which this account can present delegated credentials", I try to find domainB/ssrs (the service account for SQL Server Reporting Services), but I cannot find any user under domainB. However, I can set up delegation between domainB/userB and domainB/ssrs.

I don't have experience with delegation or Kerberos. Could you advise whether cross-domain delegation is possible or not? If yes, what should I do?


Upvotes: 0

Views: 2539

Answers (1)

Steve

Reputation: 4623

Standard constrained delegation cannot be done across domains. What you need is Resource-based Constrained Delegation. The gist of it is that the decision of who is allowed to delegate to whom is reversed, so the one granting the privilege is actually the service that's getting delegated to, as opposed to the service trying to do the delegation getting to decide.

You cannot do this from the UI. It must be done through PowerShell.

# Look up the front-end (delegating) account. web01$ is a computer account, so use the computer cmdlet.
$frontEndService = Get-ADComputer -Identity "web01$"

# On the back-end (resource) account, set the list of principals allowed to delegate to it.
Set-ADComputer -Identity "backend01$" -PrincipalsAllowedToDelegateToAccount $frontEndService

With regular constrained delegation, web01$ gets to dictate that it can delegate to backend01$, and backend01$ has no say in the matter. This is fundamentally strange for some environments, so resource-based constrained delegation flips it so that backend01$ can say that only web01$ is allowed to delegate to it.

The side effect of this is that now you can peer across the domain boundary and allow services to delegate.

Upvotes: 3
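The same procedure applied to the cross-domain case from the question, as an added example that is not part of the answer above. It assumes the two domains are reachable as domainA.example and domainB.example (hypothetical DNS names), that userA in domainA is the delegating account and ssrs in domainB is the resource account, and that the account running it can write to ssrs. The key difference from the single-domain form is that each account is resolved against its own domain's DC with -Server, which is exactly what the UI picker does not do.

```powershell
# Added example, not from the original answer.
# Assumed names: domainA.example / domainB.example, userA (front end), ssrs (resource).
Import-Module ActiveDirectory

$frontDomain = 'domainA.example'   # assumption: DNS name of domainA
$backDomain  = 'domainB.example'   # assumption: DNS name of domainB

# 1. Resolve the delegating (front-end) account in ITS OWN domain.
#    Searching domainB for a domainA principal returns nothing, which is what the UI shows.
$frontEnd = Get-ADUser -Identity 'userA' -Server $frontDomain

# 2. On the resource account in domainB, set who may delegate to it.
#    This writes msDS-AllowedToActOnBehalfOfOtherIdentity on ssrs; the front end's
#    own account is not modified at all.
Set-ADUser -Identity 'ssrs' -Server $backDomain `
    -PrincipalsAllowedToDelegateToAccount $frontEnd

# 3. Read the result back. The underlying attribute is a security descriptor whose
#    DACL lists the allowed principals by SID, so the domainA account appears here as
#    a foreign SID (or its translated name if the trust can resolve it).
$ssrs = Get-ADUser -Identity 'ssrs' -Server $backDomain `
    -Properties PrincipalsAllowedToDelegateToAccount, msDS-AllowedToActOnBehalfOfOtherIdentity, nTSecurityDescriptor

$ssrs.PrincipalsAllowedToDelegateToAccount   # expect userA's distinguished name from domainA

$ssrs.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType

# 4. Audit who can WRITE that attribute on ssrs. Anyone with write access to the ssrs
#    object (or to this attribute specifically) can add themselves to the list and
#    then impersonate users to the reporting service, so this ACL is part of the
#    service's attack surface and should be as narrow as the delegation list itself.
$ssrs.nTSecurityDescriptor.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType

# To revoke, clear the list on the resource account:
# Set-ADUser -Identity 'ssrs' -Server $backDomain -PrincipalsAllowedToDelegateToAccount $null
```

Two practical points: the cmdlets store the front-end account by SID, so if userA is ever deleted and recreated the entry must be set again, and the same -Server pattern works for computer and gMSA accounts via Get-ADComputer / Set-ADComputer and Get-ADServiceAccount / Set-ADServiceAccount, which expose the same -PrincipalsAllowedToDelegateToAccount parameter.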
