
Setup kerberos delegation automatically

I have a web app that uses some backend servers (UNC, HTTP and SQL). To get this working I need to configure ServicePrincipalNames for the account running the IIS AppPool and then allow kerberos delegation to the backend services.

I know how to configure this through the "Delegation" tab of the AD Users and Computers tool.

However, the application is going to be deployed to a number of Active Directory environments. Configuring delegation manually has proved to be error-prone, and debugging the issues misconfiguration causes is time-consuming. I'd like to create an installation script or program that can do this for me.

Does anyone know how to script or programmatically set constrained delegation within AD?

Failing that, how can I script reading the allowed services for a user to validate that it has been set up correctly?


OK, after much digging on the internet and some testing, I've got a way forward.

The following code is C#. Setting an SPN for a user or computer can be achieved via the setspn utility.

Alternatively, the following C# code can do the same:

using System.DirectoryServices;

// usersDN: distinguished name of the account running the IIS AppPool;
// spnString: the SPN to register for it (e.g. HTTP/<web-host-fqdn>)
DirectoryEntry de = new DirectoryEntry("LDAP://" + usersDN);

// servicePrincipalName is multi-valued; only add the SPN if it is not already there
if (!de.Properties["servicePrincipalName"].Contains(spnString))
{
    de.Properties["servicePrincipalName"].Add(spnString);
    de.CommitChanges();
}

To set constrained delegation:

// msDS-AllowedToDelegateTo lists the backend SPNs this account may delegate to
// (for UNC, HTTP and SQL backends: cifs/..., HTTP/... and MSSQLSvc/...);
// 'de' is the same DirectoryEntry opened above
if (!de.Properties["msDS-AllowedToDelegateTo"].Contains(backendSpnString))
{
    de.Properties["msDS-AllowedToDelegateTo"].Add(backendSpnString);
    de.CommitChanges();
}

If the user has had non-constrained delegation enabled, you may need to turn this off before enabling constrained - but I didn't fully test this scenario.
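As an added example (not part of the original answer), a small C# console program that reads back the account's SPNs, its msDS-AllowedToDelegateTo list and the delegation bits in userAccountControl, so an installer can validate the setup the way the question asks; the account DN and backend SPNs are taken from the command line and are placeholders.

```csharp
using System;
using System.DirectoryServices;

// Added validation tool; assumes the AppPool account DN and the expected backend SPNs
// are passed on the command line (placeholders, not values from the original answer).
class DelegationCheck
{
    // userAccountControl bits defined by the AD schema.
    const int TRUSTED_FOR_DELEGATION = 0x80000;           // unconstrained delegation
    const int TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000; // protocol transition ("any authentication protocol")

    static bool HasValue(PropertyValueCollection values, string wanted)
    {
        // SPNs are matched case-insensitively, as the KDC does.
        foreach (object v in values)
            if (string.Equals(v.ToString(), wanted, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }

    static int Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: DelegationCheck <accountDN> <backendSPN> [<backendSPN> ...]");
            return 2;
        }
        bool ok = true;
        using (DirectoryEntry de = new DirectoryEntry("LDAP://" + args[0]))
        {
            // Read the attributes fresh from the directory rather than from a possibly stale cache.
            de.RefreshCache(new[] { "servicePrincipalName", "msDS-AllowedToDelegateTo", "userAccountControl" });
            int uac = (int)de.Properties["userAccountControl"].Value;

            // 1. Without an SPN the KDC never issues a service ticket for the web app, so delegation cannot start.
            if (de.Properties["servicePrincipalName"].Count == 0) { Console.WriteLine("FAIL: account has no servicePrincipalName"); ok = false; }

            // 2. Unconstrained delegation should be off: it lets the account impersonate users to any service.
            if ((uac & TRUSTED_FOR_DELEGATION) != 0) { Console.WriteLine("FAIL: unconstrained delegation (TRUSTED_FOR_DELEGATION) is enabled"); ok = false; }

            // 3. Every backend SPN the app delegates to must be listed in msDS-AllowedToDelegateTo.
            for (int i = 1; i < args.Length; i++)
                if (!HasValue(de.Properties["msDS-AllowedToDelegateTo"], args[i])) { Console.WriteLine("FAIL: missing allowed target " + args[i]); ok = false; }

            // 4. Informational: protocol transition is only required when clients do not authenticate with Kerberos.
            Console.WriteLine("protocol transition: " + ((uac & TRUSTED_TO_AUTH_FOR_DELEGATION) != 0 ? "enabled" : "disabled (Kerberos only)"));
        }
        Console.WriteLine(ok ? "OK: constrained delegation looks correctly configured" : "One or more checks failed");
        return ok ? 0 : 1;
    }
}
```

Run it under an account that can read the target object, passing the same backend SPNs that the installer added; a non-zero exit code flags a misconfiguration before the app is put into service.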
