Active Directory: Permissions to get Kerberos Service Ticket

Tags: active-directory, kerberos, permissions

I have an Active Directory with a KDC running on Windows Server 2012.

At the moment, every user can request service tickets for every service from the TGS. I'm looking for a solution where the KDC only grants a service ticket for service X if the user is in group Y or something similar.

Is that possible with Active Directory?

Best Answer

Yes, either remove the "Allowed to Authenticate" permission (and add it for the specific group) or deny that permission as appropriate.

By default all users in the same domain have allow to authenticate.

Without “Allowed to Authenticate” permission to a target computer (or service account, depending on the service), the KDC will not issue a service ticket to that subject (user) for that service (SPN).
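The permission change the answer describes, as an added example (not code from the question or the answer): it lists who currently holds the "Allowed to Authenticate" extended right on a computer or service account object, then replaces the explicit ACEs with one for a chosen group. It assumes the RSAT ActiveDirectory module is installed; the computer name `SRV01` and group `Svc-X-Users` are hypothetical placeholders.

```powershell
# Added example: audit and restrict the "Allowed to Authenticate" extended right.
# Assumes the RSAT ActiveDirectory module; 'SRV01' and 'Svc-X-Users' are placeholders.
Import-Module ActiveDirectory

# Well-known GUID of the Allowed-To-Authenticate control access right (schema constant).
$AllowedToAuthGuid = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'

function Get-AllowedToAuthenticateAces {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    # Keep only ExtendedRight ACEs whose ObjectType is the Allowed-To-Authenticate GUID.
    $acl.Access | Where-Object {
        $_.ObjectType -eq $AllowedToAuthGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    } | Select-Object IdentityReference, AccessControlType, IsInherited
}

function Set-AllowedToAuthenticateGroup {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $acl   = Get-Acl -Path "AD:\$DistinguishedName"
    $group = Get-ADGroup -Identity $GroupName

    # Remove the explicit Allowed-To-Authenticate ACEs (e.g. the default for all users).
    # Inherited ACEs cannot be removed here; they must be changed on the parent OU.
    $existing = @($acl.Access | Where-Object { $_.ObjectType -eq $AllowedToAuthGuid -and -not $_.IsInherited })
    foreach ($ace in $existing) {
        [void]$acl.RemoveAccessRuleSpecific($ace)
    }

    # Grant the right to the chosen group only, so the KDC issues tickets for this SPN to its members.
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $AllowedToAuthGuid
    )
    $acl.AddAccessRule($rule)
    Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
}

$dn = (Get-ADComputer -Identity 'SRV01').DistinguishedName
Get-AllowedToAuthenticateAces -DistinguishedName $dn    # who holds the right before the change
Set-AllowedToAuthenticateGroup -DistinguishedName $dn -GroupName 'Svc-X-Users'
Get-AllowedToAuthenticateAces -DistinguishedName $dn    # verify only the group remains
```

Run the audit function first and keep its output: the "after" listing should show only the intended group (plus any inherited entries), which is the check that the restriction actually took effect.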