This issue is a configuration problem: the required permissions are not granted to the ARS service account and/or the domain override account. Active Roles always uses its service account to perform operations on behalf of the logged-in user; the impersonation happens inside ARS. If an override account is configured to manage a specific domain, that override account is also involved.
Therefore, when a delegate makes changes in AD through ARS, the delegate needs the required permissions for those changes, and the ARS service account performs the changes on the delegate's behalf. If the delegate has the required permissions but the ARS service account or the override account lacks the permission to make a specific change, a permissions-related error is returned.
Follow the steps below to verify the root cause:
1. Verify whether the ARS service account, and any override account set for the managed domains, have the permissions required to edit the property ‘edsaAccountIsTrustedForDelegation’. Be aware that only administrators who hold the 'Enable computer and user accounts to be trusted for delegation' user right can set up delegation. Domain Admins and Enterprise Admins have this right.
Reference: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation
2. Run the ARS Console under the ARS service account context and try to edit the property ‘edsaAccountIsTrustedForDelegation’.
3. Run the ARS Console under the override account context and try to edit the property ‘edsaAccountIsTrustedForDelegation’.
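The check in step 1 can be scripted. The following is an added example, not One Identity code: run it elevated on a domain controller of the managed domain, and it reports whether each account (directly or through group membership) holds the 'Enable computer and user accounts to be trusted for delegation' user right (SeEnableDelegationPrivilege). The account names CONTOSO\svc-ars and CONTOSO\svc-ars-override are placeholders, and the ActiveDirectory module is assumed to be installed.

```powershell
# Added example (not One Identity code). Requires an elevated session on a DC
# and the ActiveDirectory PowerShell module.

function Get-EnableDelegationHolders {
    # secedit exports the effective local security policy as an INI file;
    # user rights are listed under [Privilege Rights] as comma-separated SIDs
    # prefixed with '*', e.g.  SeEnableDelegationPrivilege = *S-1-5-32-544
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    & secedit.exe /export /cfg $cfg | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeEnableDelegationPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }          # nobody holds the right on this host
    ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Test-AccountHasEnableDelegation {
    param([Parameter(Mandatory)][string]$Account)   # DOMAIN\user form
    $holders = Get-EnableDelegationHolders
    $nt  = New-Object System.Security.Principal.NTAccount($Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    if ($holders -contains $sid) { return $true }   # right granted directly
    # The right is normally granted to groups (Administrators on DCs), so compare
    # the account's tokenGroups (nested membership resolved) against the holders.
    $sam = $Account.Split('\')[-1]
    $groups = (Get-ADUser -Identity $sam -Properties tokenGroups).tokenGroups
    foreach ($g in $groups) {
        if ($holders -contains $g.Value) { return $true }
    }
    return $false
}

# Placeholder names for the two accounts the article asks you to verify.
foreach ($acct in 'CONTOSO\svc-ars', 'CONTOSO\svc-ars-override') {
    '{0}: SeEnableDelegationPrivilege = {1}' -f $acct, (Test-AccountHasEnableDelegation $acct)
}
```

The right is assigned through the Default Domain Controllers Policy, so the result only reflects the DC you run it on; a False for either account points at the permissions gap described above.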