Constrained delegation support (Credential guard support)

Version 5

Verified Product Versions

- AppSense DataNow 4.2
- AppSense File Director 4.3

Introduction

Ivanti File Director 4.2 expands its Kerberos SSO (Single Sign-On) support to include the ability to constrain delegation of the Kerberos pre-authentication account to the back-end resources (file servers) that hold the users' map points. This is an enhancement to the security model, and also an important change to support Windows 10+ endpoints running Credential Guard, which blocks unconstrained Kerberos delegation on the endpoint (see "Protect derived domain credentials with Credential Guard (Windows 10)", https://technet.microsoft.com/en-gb/itpro/windows/keep-secure/credential-guard).

Detail

There are several prerequisites the environment must meet before configuring Kerberos Constrained Delegation:

- Microsoft requires a domain/forest functional level of at least Windows Server 2003 to support protocol transition. We test and support the Windows Server 2008 R2 and Windows Server 2012 R2 functional levels.
- If the users and resources are in different forests, a two-way transitive forest trust must be configured (see https://community.ivanti.com/docs/DOC-47492).
- The forests must be configured to support Kerberos constrained delegation and protocol transition. This may require deploying a Kerberos Forest Search Order policy if one is not already present (see "Configure Kerberos Forest Search Order (KFSO)"). Note that configuring a three-part SPN will not suffice.
- If the users and resources are in different domains, a two-way transitive trust relationship must be established.
- The maximum Kerberos token size must be determined and configured in the admin console (see "What's in a Token" from the Ask the Directory Services Team blog). Note that base64 encoding adds around one third to the actual size of the token; allow for this when configuring the maximum size.
- Clock accuracy must be ensured on endpoints, appliances (see the admin guide for configuring NTP), file servers and domain controllers.
- The SPN (Service Principal Name) used by File Director clients must point to a DNS A record, not a CNAME.
- Kerberos AES128 encryption must be allowed in KDC policy (it is by default).
- Endpoints must have connectivity to a domain controller as well as to the File Director appliance in order to acquire a service ticket.
- The File Director server version must be 4.2 or later.
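The prerequisites above can be checked from PowerShell before touching the delegation settings. The script below is an added example and is not code from the Ivanti article or product. It assumes the RSAT ActiveDirectory module is installed, that the appliance is reached over TCP 443, and it uses placeholder values for the SPN host name and the measured token size; every check is read-only.

```powershell
# Added pre-flight check for the Kerberos Constrained Delegation prerequisites listed above.
# Example code, not part of the Ivanti article or product. Assumes the RSAT ActiveDirectory
# module is available; the host name and token size below are placeholders. Read-only.
#Requires -Modules ActiveDirectory

param(
    [string]$FileDirectorHost   = 'filedirector.corp.example',  # placeholder: host part of the client SPN
    [int]   $MeasuredTokenBytes = 12000                         # placeholder: largest Kerberos token size measured
)

$results = New-Object System.Collections.Generic.List[object]
function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
}

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Functional level: protocol transition needs at least Windows Server 2003 mode
$levelOk = ($forest.ForestMode -notmatch '2000') -and ($domain.DomainMode -notmatch '2000')
Add-Result 'Forest/domain functional level >= 2003' $levelOk "Forest=$($forest.ForestMode) Domain=$($domain.DomainMode)"

# 2. Trusts: cross-domain and cross-forest setups need two-way transitive trusts
foreach ($t in (Get-ADTrust -Filter *)) {
    $ok = ($t.Direction -eq 'BiDirectional') -and ($t.IntraForest -or $t.ForestTransitive)
    Add-Result "Trust to $($t.Name) is two-way transitive" $ok "Direction=$($t.Direction) IntraForest=$($t.IntraForest) ForestTransitive=$($t.ForestTransitive)"
}

# 3. The SPN host must be a DNS A record, not a CNAME (an A query returns any CNAME in the chain too)
$dns    = @(Resolve-DnsName -Name $FileDirectorHost -Type A -ErrorAction SilentlyContinue)
$aRecs  = @($dns | Where-Object Type -eq 'A')
$cnames = @($dns | Where-Object Type -eq 'CNAME')
Add-Result 'SPN host resolves via an A record (no CNAME)' (($aRecs.Count -gt 0) -and ($cnames.Count -eq 0)) "A=$($aRecs.IPAddress -join ',') CNAME=$($cnames.NameHost -join ',')"

# 4. Clock skew against the PDC emulator (Kerberos rejects tickets beyond 5 minutes of skew by default)
$pdc    = $domain.PDCEmulator
$sample = (w32tm /stripchart "/computer:$pdc" /samples:1 /dataonly) | Select-Object -Last 1
$skewOk = $false
if ($sample -match '([+-]\d+\.\d+)s') { $skewOk = [math]::Abs([double]$Matches[1]) -lt 300 }
Add-Result "Clock within 5 minutes of $pdc" $skewOk "w32tm: $sample"

# 5. Token size: base64 grows data by 4/3, so the console maximum must cover the encoded size
$consoleMax = [math]::Ceiling($MeasuredTokenBytes / 3) * 4
Add-Result 'Console max token size allows for base64 overhead' $true "$MeasuredTokenBytes raw bytes -> configure at least $consoleMax bytes"

# 6. AES128 must be permitted by the Kerberos encryption-type policy. An absent value means the OS
#    default, which permits AES128 (bit 0x8). Run on a domain controller to read the KDC's own policy.
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
$etypes  = (Get-ItemProperty -Path $regPath -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue).SupportedEncryptionTypes
$aesOk   = ($null -eq $etypes) -or (($etypes -band 0x8) -ne 0)
$etypeText = if ($null -eq $etypes) { '<default>' } else { '0x{0:X}' -f $etypes }
Add-Result 'AES128 allowed by Kerberos encryption-type policy' $aesOk "SupportedEncryptionTypes=$etypeText"

# 7. Endpoint connectivity: Kerberos to a DC (TCP 88) and HTTPS to the appliance (TCP 443, assumed)
$dc88  = (Test-NetConnection -ComputerName $pdc -Port 88 -WarningAction SilentlyContinue).TcpTestSucceeded
$fd443 = (Test-NetConnection -ComputerName $FileDirectorHost -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
Add-Result "TCP 88 reachable on DC $pdc" $dc88 ''
Add-Result "TCP 443 reachable on appliance $FileDirectorHost" $fd443 ''

$results | Format-Table -AutoSize
```

Run it from an endpoint to exercise the DNS, clock and connectivity checks as a client would see them, and again on a domain controller so that the encryption-type check reads the KDC's own policy rather than the client's.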

     

The differences between unconstrained and constrained delegation are shown in the following screenshots:

1. Unconstrained:

[Screenshot: Screen Shot 2017-04-03 at 14.31.57.jpg]

2. Constrained:

[Screenshot: Screen Shot 2017-04-03 at 14.32.30.jpg]

Note: every file server that will host a map point must be listed as a delegated service for CIFS, as in the constrained delegation screenshot above.
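The delegation settings the two screenshots show can be audited from PowerShell against the list of map-point file servers. This is an added example, not code from the Ivanti article or product; it assumes the pre-authentication account is an AD user object and uses placeholder values for the account name and server list.

```powershell
# Added example (not from the Ivanti article): audit the File Director pre-authentication
# account against the delegation model shown in the screenshots. Assumes the account is an
# AD user object; the account name and map-point file servers are placeholders.
#Requires -Modules ActiveDirectory

$PreAuthAccount  = 'svc-filedirector'                           # placeholder sAMAccountName
$MapPointServers = @('fs01.corp.example', 'fs02.corp.example')  # placeholder map-point file servers

$acct = Get-ADUser -Identity $PreAuthAccount -Properties TrustedForDelegation, TrustedToAuthForDelegation, 'msDS-AllowedToDelegateTo'

# "Trust this user for delegation to any service" (screenshot 1). Credential Guard endpoints cannot
# use it, and it gives the account a forwardable copy of every connecting user's TGT.
if ($acct.TrustedForDelegation) {
    Write-Warning "$PreAuthAccount is set for UNCONSTRAINED delegation; move it to specified services only"
}

# Constrained delegation here relies on protocol transition ("use any authentication protocol")
if (-not $acct.TrustedToAuthForDelegation) {
    Write-Warning "$PreAuthAccount lacks protocol transition (TrustedToAuthForDelegation)"
}

# Every file server hosting a map point must be present as a CIFS delegated service (screenshot 2).
# The AD UI may record both the FQDN and the short-name SPN, so both forms count as expected.
$allowed  = @($acct.'msDS-AllowedToDelegateTo' | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() })
$expected = @(foreach ($srv in $MapPointServers) { "cifs/$srv"; "cifs/$($srv.Split('.')[0])" }) | ForEach-Object { $_.ToLowerInvariant() }
$missing  = $MapPointServers | ForEach-Object { "cifs/$_".ToLowerInvariant() } | Where-Object { $allowed -notcontains $_ }
# Anything the account may delegate to that is not a map-point server is excess privilege worth reviewing
$excess   = $allowed | Where-Object { $expected -notcontains $_ }

[pscustomobject]@{
    Account            = $acct.SamAccountName
    Unconstrained      = [bool]$acct.TrustedForDelegation
    ProtocolTransition = [bool]$acct.TrustedToAuthForDelegation
    MissingCifsSpns    = @($missing) -join ', '
    ExcessDelegation   = @($excess)  -join ', '
}

# Adding a missing server (after following the admin guide) is the equivalent of ticking it in the UI:
#   Set-ADUser -Identity $PreAuthAccount -Add @{'msDS-AllowedToDelegateTo' = 'cifs/fs03.corp.example'}
```

A non-empty MissingCifsSpns column means a map point whose file server will fail SSO; a non-empty ExcessDelegation column means the account can obtain service tickets on users' behalf to servers that do not need it, which is the kind of standing privilege constrained delegation is meant to remove.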

For full configuration details, refer to the current admin configuration guide.