Enable Kerberos Constrained Delegation for the AD Connector Service account - Access Amazon WorkSpaces with Common Access Cards

This whitepaper is for historical reference only. Some content might be outdated and some links might not be available.

Enable Kerberos Constrained Delegation for the AD Connector Service account

To use smart card authentication with AD Connector, you must enable Kerberos Constrained Delegation (KCD) for the AD Connector Service account to the Lightweight Directory Access Protocol (LDAP) service in the on-premises AD directory.

Kerberos Constrained Delegation is a feature in Windows Server. This feature enables administrators to specify and enforce application trust boundaries by limiting the scope where application services can act on a user’s behalf. For more information, see Kerberos constrained delegation.

  1. Use the SetSpn command to set a Service Principal Name (SPN) for the AD Connector service account in the on-premises AD. This enables the service account for delegation configuration. The SPN can be any service or name combination, but not a duplicate of an existing SPN. The -s option checks for duplicates before adding the SPN.

  2. Open an elevated command prompt using “Run as administrator”.

  3. Run this command:

    setspn -s my/spn service_account

    The following figure shows the successful result of running the SetSpn command.

    [Figure: SetSpn command running successfully]

  4. In AD Users and Computers, right-click on the AD Connector service account and choose Properties.

  5. Choose the Delegation tab.

  6. Choose the Trust this user for delegation to specified service only and Use any authentication protocol radio buttons.

  7. Choose Add, Users or Computers, and then select Advanced.

  8. Select Find Now to list all available resources, and then find your domain controller (DC) in the list.

    [Figure: Finding the domain controller in a list of resources]

  9. Select your domain controller and then choose OK to display a list of available services used for delegation.

  10. Choose the LDAP service type that has a description of your forest and select OK.

  11. Click OK again to save the configuration.

  12. Repeat this process for other domain controllers in AD. Alternatively, you can automate the process using PowerShell.
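The following PowerShell script is an added example, not part of the whitepaper, of automating steps 3 through 12 with the ActiveDirectory RSAT module. It assumes the account name and SPN shown are placeholders, that it runs as a Domain Admin on a domain-joined machine with RSAT installed, and that the delegation targets are the LDAP SPNs each domain controller already registers for itself.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the whitepaper or AWS). Configures KCD from the
# AD Connector service account to the LDAP service on every DC in the domain.
# Placeholders: $ServiceAccount and $Spn; replace with your own values.
param(
    [string]$ServiceAccount = 'adconnector-svc',  # placeholder account name
    [string]$Spn            = 'my/spn'            # placeholder SPN, as in step 3
)

# Step 3: register the SPN. setspn -s refuses to create a duplicate SPN.
& setspn.exe -s $Spn $ServiceAccount
if ($LASTEXITCODE -ne 0) { throw "setspn failed with exit code $LASTEXITCODE" }

$domain  = (Get-ADDomain).DNSRoot
$targets = @()
foreach ($dc in Get-ADDomainController -Filter *) {
    # Steps 8-10: take only the LDAP SPNs the DC registers for its own FQDN and
    # the domain-qualified form, which is what the Delegation tab adds (assumption).
    $dcSpns = (Get-ADComputer -Identity $dc.ComputerObjectDN `
                -Properties servicePrincipalName).servicePrincipalName
    $targets += $dcSpns | Where-Object {
        $_ -eq "ldap/$($dc.HostName)" -or $_ -eq "ldap/$($dc.HostName)/$domain"
    }
}
if (-not $targets) { throw 'No LDAP SPNs found on any domain controller' }

# Step 11 (and 12 for every DC): add only the targets that are missing, so the
# script can be re-run safely. msDS-AllowedToDelegateTo is the attribute behind
# "Trust this user for delegation to specified services only".
$existing = (Get-ADUser -Identity $ServiceAccount `
              -Properties msDS-AllowedToDelegateTo).'msDS-AllowedToDelegateTo'
$new = $targets | Where-Object { $existing -notcontains $_ } | Select-Object -Unique
if ($new) {
    Set-ADUser -Identity $ServiceAccount -Add @{ 'msDS-AllowedToDelegateTo' = [string[]]$new }
}

# Step 6: "Use any authentication protocol" sets TRUSTED_TO_AUTH_FOR_DELEGATION
# in userAccountControl. Setting it requires SeEnableDelegationPrivilege.
Set-ADAccountControl -Identity $ServiceAccount -TrustedToAuthForDelegation $true

# Verify the result: the target list should contain only the DC LDAP SPNs.
Get-ADUser -Identity $ServiceAccount `
    -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

Re-running the script after adding a domain controller appends only that DC's LDAP SPNs; review the final AllowedToDelegateTo list so the account is never trusted for more than the LDAP service on your DCs.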