Kerberos Delegation allows a service to "reuse the end-user credentials to access resources hosted on a different server".
This is typically useful in multi-tier services or applications where a Kerberos double hop is required.
For example, a user authenticates to a web server and the web server makes requests to a database server. The web server can request access to resources on the database server (all or some resources, depending on the type of delegation) as the user (impersonating the user) rather than as the web server's service account.
Please note that, in the above example, the service account of the web service (the first hop) must be trusted for delegation to be able to make requests as a user. This is controlled by an attribute called TRUSTED_FOR_DELEGATION.
<aside>
💡 Domain Controllers are always TRUSTED_FOR_DELEGATION by default.
</aside>
The attribute TRUSTED_FOR_DELEGATION set on a server
Consider a user who wants to access the database. The user authenticates to the DC and requests a TGT, then uses the TGT to request a TGS for the web service. The TGS received in step 4 also contains a TGT associated with the user: when the user requests the TGS in step 3, the DC sees that the web server's service account has the attribute TRUSTED_FOR_DELEGATION.
In step 5 the user presents the TGS, with the TGT embedded in it, to the web server, which in step 6 requests a TGS for the DB server while impersonating the user in order to read or write data in the DB.
There are three types of Kerberos Delegation:
⚠️ General/Basic or Unconstrained Delegation: allows the first hop server (the web server in our example) to request access to any service on any computer in the domain (1 SPN → ∞ Servers).
Kerberos Unconstrained delegation
Constrained Delegation: allows the first hop server (the web server in our example) to request access only to specified services on specified computers (1 SPN → 1 Server). If the user does not authenticate to the first hop server with Kerberos, Windows offers Protocol Transition to convert the request into a Kerberos one.
Kerberos Constrained Delegation
Resource-Based Constrained Delegation: the difference from constrained delegation is that the attribute msDS-AllowedToDelegateTo is not written on the first hop but on the second hop (the resource).
Please note that in all types of delegation, a mechanism is required to impersonate the incoming user and authenticate to the second hop server (the database server in our example) as that user.
So the possibilities are:
Delegation disabled
Unconstrained Delegation
Constrained Delegation
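The three delegation types above are all visible in Active Directory attributes: TRUSTED_FOR_DELEGATION is a bit in userAccountControl, and constrained delegation lists its target SPNs in msDS-AllowedToDelegateTo. The following is an added audit example (not code from the original page) that classifies accounts from those attributes and skips domain controllers, which are expected to be TRUSTED_FOR_DELEGATION; the account names and SPNs are constructed sample data.

```python
from typing import Dict, List, Tuple

# userAccountControl bits relevant to delegation (standard AD flag values).
UF_SERVER_TRUST_ACCOUNT = 0x2000               # computer account of a domain controller
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition ("use any authentication protocol")


def classify_delegation(entry: Dict) -> str:
    """Return the delegation type configured on a single account entry."""
    uac = int(entry.get("userAccountControl", 0))
    targets = entry.get("msDS-AllowedToDelegateTo", [])
    if uac & UF_TRUSTED_FOR_DELEGATION:
        # Unconstrained wins even if target SPNs are also listed: the account
        # can reuse the forwarded TGT against any service in the domain.
        return "unconstrained"
    if targets and uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained+protocol-transition"
    if targets:
        return "constrained"
    return "disabled"


def audit(entries: List[Dict]) -> List[Tuple[str, str, List[str]]]:
    """List (account, type, targets) for every account with delegation enabled,
    skipping domain controllers, which are TRUSTED_FOR_DELEGATION by default."""
    findings = []
    for e in entries:
        kind = classify_delegation(e)
        uac = int(e.get("userAccountControl", 0))
        if kind == "disabled" or (kind == "unconstrained" and uac & UF_SERVER_TRUST_ACCOUNT):
            continue
        findings.append((e["sAMAccountName"], kind, list(e.get("msDS-AllowedToDelegateTo", []))))
    return findings


# Constructed sample entries shaped like LDAP results (hypothetical names, not from the page).
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$",      "userAccountControl": 0x2000 | 0x80000},
    {"sAMAccountName": "WEB01$",     "userAccountControl": 0x1000 | 0x80000},
    {"sAMAccountName": "svc_web",    "userAccountControl": 0x200 | 0x1000000,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sAMAccountName": "svc_report", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db02.corp.example:1433"]},
    {"sAMAccountName": "jdoe",       "userAccountControl": 0x200},
]

if __name__ == "__main__":
    for account, kind, targets in audit(SAMPLE_ENTRIES):
        print(f"{account:<12} {kind:<32} {', '.join(targets) or '(any service)'}")
```

In a real environment the entries would come from an LDAP query for userAccountControl and msDS-AllowedToDelegateTo; every non-DC account reported as unconstrained is the case the ⚠️ above warns about.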