Configure Trust for Delegation in Active Directory

Example of managing trust for delegation in Active Directory for Windows hosts using the win_resources variable in the Windows role.

Projects: c2platform/phx/ansible, Ansible Win Role (c2platform.wincore.win)


This example demonstrates how to configure trust for delegation in Active Directory (AD) for Windows hosts. It uses the win_resources variable from the Ansible Win Role (c2platform.wincore.win), set in group variables, to enable delegation for Kerberos authentication. With this setting the computer account can impersonate users that authenticate to it when it contacts other services; because the option selected is delegation to any service, this is unconstrained delegation, the broadest form AD offers, so it should be enabled only on the hosts that genuinely need it.

The screenshot below shows the AD computer properties for PXD-WIN1 as an example. On the Delegation tab, the option Trust this computer for delegation to any service (Kerberos only) is selected.

The configuration example below is from the PHX reference implementation c2platform/phx/ansible. It contains group variables for the Ansible group win (for Windows hosts). It uses the computer module to set the trusted_for_delegation property of each Windows host's computer account. Note that this must be executed on the AD controller, so the task delegates to pxd-ad; the when condition skips the domain controller itself, whose own computer account is not modified.

group_vars/win/ad.yml

win_resources:
  trusted-for-delegation:
    - name: "{{ inventory_hostname | upper }}"
      module: computer
      trusted_for_delegation: true
      delegate_to: pxd-ad
      when: "{{ inventory_hostname != 'pxd-ad' }}"
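Setting trusted_for_delegation sets the TRUSTED_FOR_DELEGATION bit (0x80000) in the computer account's userAccountControl attribute, which is what the Delegation tab reflects. The check below is an added example, not part of the PHX project or the Win role: it decodes userAccountControl values as an LDAP query would return them and reports every non-domain-controller account that is unconstrained but not on the expected list, so the outcome of the win_resources change can be verified after the play runs. The sample records are constructed; PXD-WIN2$ and PXD-SQL1$ and the SPN value are made-up names, only PXD-AD$ and PXD-WIN1$ come from the page.

```python
"""Audit Kerberos delegation flags on AD computer accounts (added example)."""
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple

# userAccountControl bit values (ADS_USER_FLAG_ENUM).
WORKSTATION_TRUST_ACCOUNT = 0x1000
SERVER_TRUST_ACCOUNT = 0x2000                 # set on domain controllers
TRUSTED_FOR_DELEGATION = 0x80000              # "any service (Kerberos only)": unconstrained
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000    # constrained delegation with protocol transition


@dataclass
class ComputerRecord:
    """Subset of LDAP attributes relevant to delegation."""
    sam_account_name: str
    user_account_control: int
    allowed_to_delegate_to: Tuple[str, ...] = field(default_factory=tuple)  # msDS-AllowedToDelegateTo


def parse_uac(value: str) -> int:
    """userAccountControl comes back from LDAP as a decimal string, e.g. '532480'."""
    return int(value.strip(), 10)


def delegation_posture(rec: ComputerRecord) -> str:
    """Classify an account as none / constrained / constrained-protocol-transition / unconstrained."""
    uac = rec.user_account_control
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if rec.allowed_to_delegate_to:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-protocol-transition"
        return "constrained"
    return "none"


def is_domain_controller(rec: ComputerRecord) -> bool:
    return bool(rec.user_account_control & SERVER_TRUST_ACCOUNT)


def audit(records: Iterable[ComputerRecord], expected_unconstrained: Set[str]) -> List[str]:
    """Return sAMAccountNames that are unconstrained without being expected.

    Domain controllers are unconstrained by default and are skipped, mirroring
    the `when` condition in the group variables that leaves pxd-ad untouched.
    """
    findings = []
    for rec in records:
        if is_domain_controller(rec):
            continue
        if delegation_posture(rec) == "unconstrained" and rec.sam_account_name not in expected_unconstrained:
            findings.append(rec.sam_account_name)
    return findings


# Constructed sample, shaped like the output of a userAccountControl query.
SAMPLE = [
    ComputerRecord("PXD-AD$", parse_uac("532480")),                       # 0x82000: DC, unconstrained by default
    ComputerRecord("PXD-WIN1$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),  # 0x81000 after the change
    ComputerRecord("PXD-WIN2$", WORKSTATION_TRUST_ACCOUNT),                # 0x1000: not touched (hypothetical host)
    ComputerRecord("PXD-SQL1$",                                            # hypothetical constrained host
                   WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
                   ("HTTP/pxd-web1.example.test",)),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(f"{rec.sam_account_name:12} uac=0x{rec.user_account_control:x} {delegation_posture(rec)}")
    print("unexpected unconstrained:", audit(SAMPLE, {"PXD-WIN1$"}))
```

Run it with the set of hosts the win group is meant to cover; an empty result means only the intended accounts carry the flag, while any name returned is a computer that was granted unconstrained delegation outside the group variables and should be reviewed.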