Next on the list is to setup SCOM WebConsole settings for Kerberos AD Delegation.  I attribute Kerberos AD delegation as the Navajo and Comanche helped allies in WW2, encrypted and encoded communication.  Time to make the donuts! (to setup SCOM WebConsole settings for Kerberos AD Delegation)

If you’re improperly setup – you’ll flag on STIG configs V-243470, V-243478

Documentation

https://www.sentinelone.com/blog/detecting-unconstrained-delegation-exposure

https://pentestlab.blog/2022/03/21/unconstrained-delegation/

Outline

Assess affected unconstrained delegation servers in environment

Configure delegation on SCOM and/or PowerBI servers

Assess affected unconstrained delegation servers in environment

From a computer, with ADUC, and RSAT feature installed, search for relevant account(s) used (Read Only RO access displayed below).

Alternatively, from PowerShell > run this command to see affected servers (much wider list, unless you add a where clause)

Get-ADComputer -LDAPFilter

“(userAccountControl:1.2.840.113556.1.4.803:=524288)”

Configure delegation on SCOM and/or PowerBI servers

Take the list of affected servers, to take action.  Use the steps below to configure relevant SCOM or PowerBI servers.

Configure SCOM Web Console server
With domain administrator (DA or Tier0) rights, open the Active Directory Users and Computers MMC snap-in.

From ADUC > change ‘Find’ drop-down to Computers

In the Computer name text box, enter <SCOMWebConsoleServerName>  and  click search

Right click the server in the results box > Select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter <SCOMWebConsoleServerName>, and then select OK.

Click the Add button to add services

Select the w3svc and www processes

Select OK.

ADUC SCOM Lab server choosing process

Verification of delegation settings

Depending on replication times for the forest, wait and later reboot <SCOMWebConsoleServerName> to have settings take effect.

PowerBI Report Server

With domain administrator (DA or Tier0) rights, open the (ADUC) Active Directory Users and Computers MMC snap-in.  NOTE: RSAT tools recommended to be installed on SCOM Management Server(s)

In the Search text box, enter PowerBI service account <Example can be SCOMDataAccessReader Account> and click search

Right-click the PowerBI service account <Example can be SCOMDataAccessReader Account>,  select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter the service account for the data source, and then select OK.

Select the SPN that you created for <PowerBI Report Server Name>

Select both as FQDN and the NetBIOS names are in the SPN

Select OK.

Back to ADUC (AD Users and Computers), change Find drop-down to Computers

Enter <PowerBI Report Server Name>, and click search

Right click the server in the results box > Select Properties.

Select the Delegation tab.

Select Trust this computer for delegation to specified services only > Use any authentication protocol.

Under Services to which this account can present delegated credentials, select Add.

In the new dialog box, select Users or Computers.

Enter <Example can be SCOMDataAccessReader Account>, and then select OK.

Click the Add button to add services

Select the HTTP process

Select OK.