How to use Kerberos delegation with Cayosoft Administrator
Kerberos delegation allows a service running under an Active Directory (AD) user or computer account to act on behalf of an authenticated user when it accesses another service. In Cayosoft Administrator, delegation management is designed to mirror Active Directory Users and Computers (ADUC) while adding auditing, policy enforcement, and web-based administration without bypassing or overwriting permissions defined by AD administrators.
This article explains delegation prerequisites, supported delegation states, Web Portal behavior, underlying AD attribute changes, and audit considerations for both AD computer and AD user objects.
Active Directory requirements
Before configuring delegation for a user or computer object, ensure the following prerequisites are met:
The object exists in Active Directory.
The administrator performing the change has sufficient AD permissions: write access to the object's userAccountControl and msDS-AllowedToDelegateTo attributes (and servicePrincipalName when adding an SPN), plus the Enable computer and user accounts to be trusted for delegation right (SeEnableDelegationPrivilege) on the domain controllers, which AD requires for delegation changes and which by default is held only by Administrators.
Role-based delegation and security group restrictions defined in AD remain enforced; Cayosoft Administrator does not elevate or broaden privileges.
Service Principal Name (SPN) requirement for users
IMPORTANT: An AD user object must have a servicePrincipalName (SPN) to be eligible for Kerberos delegation.
Without an SPN, the Delegation tab is not available in the object properties.
This behavior matches ADUC: a service can only act as a delegation front end if clients can obtain Kerberos service tickets for it, and that requires an SPN.
Adding an SPN through Web Portal
If the user object does not already have an SPN, you can add one through a Web Action configuration:
Navigate to Configuration > Web Portal > Web Actions > Active Directory > Properties.
In the Properties Web Action for Users, add a custom attribute named servicePrincipalName.
Go to Web Portal > User Properties > Custom.
Enter the required SPN value under the newly created custom attribute.
Save the changes.
After the SPN value is accepted:
The Delegation tab becomes available in the user properties.
The user object is eligible for delegation configuration.
Delegation management in Web Portal
Delegation settings are available in:
Home > Active Directory > AD Computers > Properties
Home > Active Directory > AD Users > Properties
A new Delegation tab appears after the Member Of tab when the object supports delegation.
Delegation options
The Delegation tab includes three primary radio button options (wording adapts automatically for user or computer objects):
Do not trust this computer/user for delegation
Trust this computer/user for delegation to any service (Kerberos only)
Trust this computer/user for delegation to specified services
The second option is unconstrained delegation: the account can reuse the credentials of any user that authenticates to it against any service. Prefer the specified-services option wherever the front-end service's targets are known.
Constrained delegation options
When Trust this computer/user for delegation to specified services is selected, additional controls are enabled:
Use Kerberos only
Use any authentication protocol
Use any authentication protocol enables protocol transition: the account can obtain service tickets on behalf of users who did not authenticate to it with Kerberos. It is the more permissive of the two and should be granted only where the front-end service genuinely needs it.
Service list and SPN management
Service list table
For constrained delegation, a table displays delegated services with the following columns:
Service Type
User or Computer
Port
Service Name
Domain
View modes
Default view: Displays the resolved host computer or user account name.
Expanded view: Displays the raw SPN strings stored in the msDS-AllowedToDelegateTo attribute.
An Expanded checkbox below the table toggles between the two views. If the UI does not support the checkbox, the expanded (raw SPN) view is shown by default.
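The two views above are two renderings of the same msDS-AllowedToDelegateTo values. The following is an added example, not code from Cayosoft or from this article: it splits each raw SPN string into the table's columns (Service Type, host, Port, Service Name, Domain) and renders both the expanded view and a resolved default view. The sample SPN list and the host-to-account map are constructed for the example, the `resolve` callback stands in for the AD lookup the portal performs, and deriving Domain from the host's DNS suffix is a simplification (ADUC shows the owning account's domain).

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ServiceRow:
    """One row of the Delegation tab's service list."""
    service_type: str            # SPN service class, e.g. HTTP, cifs, MSSQLSvc
    host: str                    # host part of the SPN
    port: Optional[str]          # port or instance name after the colon, if any
    service_name: Optional[str]  # optional third SPN component
    domain: Optional[str]        # assumption: DNS suffix of an FQDN host


def parse_spn(spn: str) -> ServiceRow:
    """Split serviceclass/host[:port][/servicename] into the table's columns.

    Raises ValueError on strings that are not SPNs, so a malformed value in
    msDS-AllowedToDelegateTo is surfaced instead of being displayed as if valid.
    """
    parts = spn.strip().split("/", 2)
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed SPN: {spn!r}")
    service_type, hostport = parts[0], parts[1]
    service_name = parts[2] if len(parts) == 3 and parts[2] else None
    host, port = hostport, None
    if ":" in hostport:
        host, port = hostport.rsplit(":", 1)
        if not host or not port:
            raise ValueError(f"malformed host:port in SPN: {spn!r}")
    domain = host.split(".", 1)[1] if "." in host else None
    return ServiceRow(service_type, host, port, service_name, domain)


def expanded_view(allowed_to_delegate_to: list[str]) -> list[str]:
    """Expanded view: the raw msDS-AllowedToDelegateTo strings, unchanged."""
    return list(allowed_to_delegate_to)


def default_view(allowed_to_delegate_to: list[str],
                 resolve: Callable[[str], Optional[str]]) -> list[tuple[str, str]]:
    """Default view: (service type, resolved account name) per SPN.

    `resolve` maps a host to the AD account that owns it; it is injected so the
    example runs offline. Unresolvable hosts fall back to the raw host name.
    """
    rows = []
    for spn in allowed_to_delegate_to:
        row = parse_spn(spn)
        rows.append((row.service_type, resolve(row.host) or row.host))
    return rows


# Constructed sample data: one msDS-AllowedToDelegateTo list and a fake host-to-account map.
SAMPLE_ALLOWED = [
    "HTTP/web01.corp.example:8080/app",
    "cifs/fs01.corp.example",
    "MSSQLSvc/sql01.corp.example:1433",
]
SAMPLE_HOST_ACCOUNTS = {
    "web01.corp.example": "WEB01$",
    "fs01.corp.example": "FS01$",
    "sql01.corp.example": "svc-sql",   # SPN registered on a user account, not the computer
}

if __name__ == "__main__":
    for spn in expanded_view(SAMPLE_ALLOWED):
        print(parse_spn(spn))
    print(default_view(SAMPLE_ALLOWED, SAMPLE_HOST_ACCOUNTS.get))
```

Running the block prints the parsed columns for each sample SPN followed by the resolved default view; the port column is kept as text because MSSQLSvc SPNs carry an instance name in that position.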
Managing services
• Add: Add new SPNs to the delegation list
• Remove: Remove selected SPNs from the list
SPN search and selection are restricted to the same scopes enforced by ADUC.
Note: Adding or removing a service writes or removes the target service's SPN in the msDS-AllowedToDelegateTo attribute of the user or computer account being configured (the delegating account). The account that owns the target SPN is not modified.
Update and Cancel behavior
At the bottom of the Delegation tab:
Update: Saves changes
Cancel: Discards changes and closes the modal
Clearing services automatically
Consistent with ADUC behavior:
If an object has a populated Services list and the delegation state is changed to:
Do not trust for delegation, or
Trust for delegation to any service (Kerberos only)
the msDS-AllowedToDelegateTo list is cleared automatically when you click Update.
This applies to both computer and user objects.
Change history and auditing
Every time you click Update:
A Change History entry is created.
The entry records:
The previous delegation state
The new delegation state
Added or removed services (for constrained delegation)
This ensures audit compliance without expanding delegated privileges.
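The clearing rule and the Change History record above both follow from which AD attributes each radio option maps to: unconstrained delegation is the TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl, "Use any authentication protocol" is the TRUSTED_TO_AUTH_FOR_DELEGATION bit (0x1000000), and the service list is msDS-AllowedToDelegateTo. The following is an added example, not Cayosoft's code: it decodes the delegation state of an account from those attributes, models what Update does (set or clear the bits, write or clear the list, refuse a user with no SPN), and produces the previous state, new state and added/removed services that the Change History entry records. It also works as an audit check over exported attributes. The `Account` record, the sample values and the decision to reject a constrained state with an empty service list are this example's own assumptions.

```python
from dataclasses import dataclass, field, replace
from enum import Enum
from typing import Iterable

# userAccountControl bits that drive the Delegation tab.
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # constrained, "use any authentication protocol"


class DelegationState(Enum):
    NONE = "Do not trust for delegation"
    UNCONSTRAINED = "Trust for delegation to any service (Kerberos only)"
    CONSTRAINED_KERBEROS = "Trust for delegation to specified services (Kerberos only)"
    CONSTRAINED_ANY = "Trust for delegation to specified services (any protocol)"


@dataclass
class Account:
    """The AD attributes the Delegation tab reads and writes (constructed record)."""
    name: str
    is_computer: bool
    user_account_control: int
    service_principal_name: list[str] = field(default_factory=list)
    allowed_to_delegate_to: list[str] = field(default_factory=list)  # msDS-AllowedToDelegateTo


def delegation_eligible(acct: Account) -> bool:
    """Computers always qualify; a user needs at least one SPN, as in ADUC."""
    return acct.is_computer or bool(acct.service_principal_name)


def delegation_state(acct: Account) -> DelegationState:
    """Decode the radio-button state from userAccountControl and msDS-AllowedToDelegateTo."""
    uac = acct.user_account_control
    if uac & TRUSTED_FOR_DELEGATION:
        return DelegationState.UNCONSTRAINED
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return DelegationState.CONSTRAINED_ANY
    if acct.allowed_to_delegate_to:
        return DelegationState.CONSTRAINED_KERBEROS
    return DelegationState.NONE


@dataclass(frozen=True)
class ChangeHistoryEntry:
    account: str
    previous: DelegationState
    new: DelegationState
    added: tuple[str, ...]
    removed: tuple[str, ...]


def _dedupe(spns: Iterable[str]) -> list[str]:
    # SPNs compare case-insensitively; keep the first spelling, drop duplicates.
    seen, out = set(), []
    for s in spns:
        if s.lower() not in seen:
            seen.add(s.lower())
            out.append(s)
    return out


def apply_delegation(acct: Account, new_state: DelegationState,
                     services: Iterable[str] = ()) -> tuple[Account, ChangeHistoryEntry]:
    """Model Update: set the UAC bits, write or clear msDS-AllowedToDelegateTo,
    and build the Change History record. Returns a new Account; input is untouched."""
    if not delegation_eligible(acct):
        raise ValueError(f"{acct.name}: user object has no SPN, Delegation tab not available")
    previous = delegation_state(acct)
    uac = acct.user_account_control & ~(TRUSTED_FOR_DELEGATION | TRUSTED_TO_AUTH_FOR_DELEGATION)
    targets: list[str] = []
    if new_state is DelegationState.UNCONSTRAINED:
        uac |= TRUSTED_FOR_DELEGATION
    elif new_state is not DelegationState.NONE:
        targets = _dedupe(services)
        if not targets:  # example's choice: refuse a constrained state with no targets
            raise ValueError("constrained delegation needs at least one service SPN")
        if new_state is DelegationState.CONSTRAINED_ANY:
            uac |= TRUSTED_TO_AUTH_FOR_DELEGATION
    # NONE and UNCONSTRAINED leave targets empty: the list is cleared, matching ADUC.
    before = {s.lower() for s in acct.allowed_to_delegate_to}
    after = {s.lower() for s in targets}
    entry = ChangeHistoryEntry(
        account=acct.name, previous=previous, new=new_state,
        added=tuple(s for s in targets if s.lower() not in before),
        removed=tuple(s for s in acct.allowed_to_delegate_to if s.lower() not in after),
    )
    return replace(acct, user_account_control=uac, allowed_to_delegate_to=targets), entry


if __name__ == "__main__":
    # Constructed sample: a service account already constrained to two targets.
    svc = Account("svc-web", is_computer=False, user_account_control=0x10200,
                  service_principal_name=["HTTP/web01.corp.example"],
                  allowed_to_delegate_to=["MSSQLSvc/sql01.corp.example:1433", "cifs/fs01.corp.example"])
    print(delegation_state(svc).value)
    updated, entry = apply_delegation(svc, DelegationState.NONE)
    print(updated.allowed_to_delegate_to, entry.removed)
```

The sample account starts in the constrained (Kerberos only) state; switching it to Do not trust returns an account with an empty msDS-AllowedToDelegateTo and a history entry listing both former targets as removed. Run `delegation_state` over an LDAP export to find accounts in the unconstrained or any-protocol states, which are the ones worth reviewing first.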
Attribute policy support
For both AD Computer and AD User properties:
The Delegation tab supports Attribute Policy.
Administrators can:
Hide the tab
Make it read-only
This allows controlled exposure of delegation settings based on organizational security requirements.
Learn more in: Attribute policies.