Switching application to use Constrained based Kerberos

Published 2019-08-04 12:45

Question:

I have an old application that we set up with delegation-based Kerberos. Everything with the application worked fine until we tried it out on one of our new Windows 10 machines.

After a while, we finally figured out that Credential Guard is not playing nice with this old application.

According to https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-considerations

Kerberos Considerations

When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. Use constrained or resource-based Kerberos delegation instead.

We have to switch our implementation to use Constrained based Kerberos. I'm at a bit of a loss on how to do that.

Our current SPNs are set against the web application name (Scenario 2 from this link - https://support.microsoft.com/en-ca/help/929650/how-to-use-spns-when-you-configure-web-applications-that-are-hosted-on)

setspn -a http/WebSiteName webServerName
setspn -a http/WebSiteName.domain.com webServerName

The application only talks to Active Directory. No database is involved. The site is currently running the application pool with a domain account.

When I try commands like

$comp = Get-ADComputer DcOrAnotherComputer
Set-AdComputer -identity webServerName -PrincipalsAllowedToDelegateToAccount $comp

I get the following PowerShell error.

Set-AdComputer : The attribute cannot be modified because it is owned by the system
At line:2 char:1
+ Set-AdComputer -identity hql-dmeds01 -PrincipalsAllowedToDelegateToAccount $comp
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (hql-dmeds01:ADComputer) [Set-ADComputer], ADException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8369,Microsoft.ActiveDirectory.Management.Commands.SetADComputer

I've boiled down the application to an example that works on Windows 7 / Windows Server 2012 but not on Windows 10 with Credential Guard.

<%@ Language=VBScript %>
<%
    ' Create the ADSI (ADO) connection to Active Directory. Under Kerberos
    ' delegation this query runs against the DC as the browser user, so it
    ' only succeeds when the second hop (web server -> DC) is allowed.
    Set con = CreateObject("ADODB.Connection")
    Set Com = CreateObject("ADODB.Command")
    con.Provider = "ADsDSOObject"
    con.Open "Active Directory Provider"
    Set Com.ActiveConnection = con

    ' Look up a single known group; any row back proves the delegated LDAP hop worked.
    ' (Line continuation in VBScript needs a space before the underscore: "& _")
    Dim ldapCall
    ldapCall = "SELECT ADsPath, distinguishedName, displayName" & _
               " FROM 'LDAP://DC=mydomain,DC=com'" & _
               " WHERE objectClass = 'group' AND name = 'SomeTestGroupName'" & _
               " ORDER BY displayName"
    'Response.Write ldapCall

    ' Execute the search
    Com.CommandText = ldapCall
    Set rs = Com.Execute

    If Not rs.EOF Then
        Response.Write "SomethingHappended<br />"
    Else
        Response.Write "Why don't you work???"
    End If

    rs.Close
    con.Close
%>

Update 1 - Answer to T-Heron's question. Here are the results of doing

setspn -q http/WebSiteName.domain.com

Checking domain DC=Mydomain
no such SPN found.

If I do

setspn -q http/WebSiteName

I get the following

Checking domain DC=Mydomain
CN=Webserver,OU=OuLocation,DC=MyDomain
        http/WebSite.myDomain
        http/WebSite
        CmRcService/Webserver
        CmRcService/Webserver.myDomain
        WSMAN/Webserver.myDomain
        TERMSRV/Webserver.myDomain
        RestrictedKrbHost/Webserver.myDomain
        HOST/Webserver
        WSMAN/WSMAN/Webserver
        TERMSRV/WSMAN/Webserver
        RestrictedKrbHost/WSMAN/Webserver
        HOST/Webserver

Update 2 - The reason the -q in Update 1 didn't work was that the SPN was set to http/WebsiteName.domain.com and not http/WebsiteName.a.b.domain.com (which is what I was trying).

So all the -q commands work now. But the problem persists.

Here's the screenshot of the delegation tab.

Update 3 -

Here's a new picture of the delegation tab. I tried it both with "Use Kerberos only" and "Use any authentication protocol" after doing an IISReset; I get the same issue. (I added the web server when I pressed the "Add" button. In the picture, the red boxes are entries with the web server name; the orange boxes are entries with the SPN set up (beside HTTP, the service type).)

Answer 1:

Ok, so I was able to get the test page above to finally work. T-Heron's comments were on point, I just added the wrong services to delegate.

Once I added the ldap service from the domain controller then the test page started working.
(Our domain controllers had 2 ldap services. One with a guid and one with the domain name. I chose the domain one).


Update 1 - The testing for the solution was initially done on Win2k8. Doing the same on Win2k12 didn't work.

I ended up having to change my application pool to the built-in ApplicationPoolId (or localsystem) to have it work.
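The steps the question and this answer arrive at (drop unconstrained delegation on the web server's computer account, allow it to delegate only to the domain controller's ldap service, then verify) can be done without the delegation tab. The following PowerShell is an added example and not code from the original post or from Microsoft; WEBSRV01 and DC01 are placeholder names, and it assumes the http/ SPNs sit on the web server's computer account, as in the question, so the delegation settings belong on that account.

```powershell
# Added example (not from the original post). Placeholders: WEBSRV01 is the web
# server whose computer account holds the http/ SPNs, DC01 is a domain controller.
Import-Module ActiveDirectory

$webServer = 'WEBSRV01'
$dcName    = 'DC01'

# 1. Audit: which accounts still use unconstrained delegation? This is the
#    userAccountControl bit TRUSTED_FOR_DELEGATION (0x80000 = 524288), the setting
#    Credential Guard clients refuse to work with. Domain controllers carry the bit
#    by design, so they are filtered out of the report.
$unconstrained = Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' -Properties sAMAccountName |
    Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' }
$unconstrained | Select-Object ObjectClass, sAMAccountName, DistinguishedName | Format-Table -AutoSize

# 2. Collect the DC's ldap/ SPNs. A DC registers several: the host form
#    (ldap/dc01.mydomain.com and ldap/dc01.mydomain.com/mydomain.com) plus a GUID
#    form under _msdcs. The host form is what the delegation tab lists under "ldap",
#    and is the one the answer above chose, so the GUID entry is excluded here.
$dcSpns = (Get-ADComputer $dcName -Properties servicePrincipalName).servicePrincipalName |
    Where-Object { $_ -like 'ldap/*' -and $_ -notlike 'ldap/*._msdcs.*' }
if (-not $dcSpns) { throw "No ldap/ SPNs found on $dcName" }

# 3. Move the web server from unconstrained to constrained delegation,
#    "Use Kerberos only": clear TRUSTED_FOR_DELEGATION, make sure protocol
#    transition (TRUSTED_TO_AUTH_FOR_DELEGATION) is off, and write the exact
#    back-end SPNs to msDS-AllowedToDelegateTo.
$comp = Get-ADComputer $webServer
Set-ADComputer -Identity $comp -TrustedForDelegation $false
$comp | Set-ADAccountControl -TrustedToAuthForDelegation $false
Set-ADComputer -Identity $comp -Replace @{ 'msDS-AllowedToDelegateTo' = [string[]]$dcSpns }

# 4. Verify by reading the raw flags back: expect Unconstrained and
#    ProtocolTransition both False and only the ldap/ SPNs listed.
$after = Get-ADComputer $webServer -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
[pscustomobject]@{
    Name               = $after.Name
    Unconstrained      = [bool]($after.userAccountControl -band 0x80000)
    ProtocolTransition = [bool]($after.userAccountControl -band 0x1000000)
    AllowedToDelegateTo = $after.'msDS-AllowedToDelegateTo' -join '; '
}
```

If the application pool runs as a domain account and the http/ SPNs are registered on that account instead, the same three attributes go on the user object (Set-ADUser / Set-ADAccountControl with the same parameters). That split is consistent with the answer's last update: with the SPNs and delegation on the computer account, the pool had to run as ApplicationPoolIdentity or LocalSystem, both of which authenticate to the DC as the computer.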