Are you trying to increase security by removing extraneous permissions from service accounts, but growing a little tired of having to manually assign SPNs to them? If so, get to work with ADSI Edit.
- Open ADSI Edit and connect to the default naming context.
- Navigate through the structure to your service account.
- Right-click and select Properties.
- Go to the Security tab.
- Click Advanced.
- Find the SELF user principal and click Edit.
- Go to the Properties tab and ensure Read servicePrincipalName and Write servicePrincipalName are selected.
Once done, your service account will automatically register its own SPN, and you should no longer have issues with Kerberos delegation.
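The same change can be scripted and then reviewed. The following is an added example, not part of the original post: it grants SELF read and write on servicePrincipalName for one account and lists the resulting ACEs. It assumes the RSAT ActiveDirectory module, that the service account is a user object, and that you have rights to modify its DACL; the account name `svc-example` is a placeholder.

```powershell
Import-Module ActiveDirectory

# Placeholder account name (assumption): replace with your service account.
$account = 'svc-example'

# schemaIDGUID of the servicePrincipalName attribute.
$spnGuid = [guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'

# Well-known SID for the SELF principal (NT AUTHORITY\SELF).
$self = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')

# Locate the object and read its current DACL through the AD: drive.
$dn   = (Get-ADUser -Identity $account).DistinguishedName
$path = "AD:\$dn"
$acl  = Get-Acl -Path $path

# Allow SELF to read and write only the servicePrincipalName attribute.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $self,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $spnGuid
)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Review: show every ACE on the account that is scoped to servicePrincipalName,
# so the new entry (and any unexpected trustee) is visible.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $spnGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Confirm what the account has registered so far.
(Get-ADUser -Identity $account -Properties servicePrincipalName).servicePrincipalName
```

The review output should show `NT AUTHORITY\SELF` with `ReadProperty, WriteProperty`; any other trustee holding write access to this attribute on a service account deserves a closer look.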