Delegations
Kerberos delegation is an impersonation mechanism Microsoft introduced to solve the Kerberos double-hop problem, where a client's ticket cannot be forwarded through an intermediate service to reach the back-end service. There are two types of delegation, constrained and unconstrained.
Both solve an authentication problem, but each also introduces security issues of its own.
A quick recap of how delegations work, and the privileges required to abuse them.
- Unconstrained delegation: the user's TGT is cached in memory on the machine hosting the service. Requires local admin rights on that machine.
- Constrained delegation: the delegation details are defined on the user/machine account that runs the front-end service. Requires control over that account.
- Resource-Based Constrained Delegation (RBCD): the delegation details are defined on the user/machine account hosting the target service. Requires write privileges over that account, plus control of an account with an SPN set or the privilege to create computer objects in the domain.
The table below summarises the above:

| | Unconstrained | Constrained | RBCD |
|---|---|---|---|
| Defined on | Machine hosting the service | Computer/User account | Computer/User account hosting the service |
| Definition | I can delegate for anybody | Who can I delegate to? | Who can delegate to me? |
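To make the "defined on" column concrete from a defender's side, here is an added example (not part of the original page) in Python that classifies account records by delegation type using the real AD attributes involved: the TRUSTED_FOR_DELEGATION bit of userAccountControl for unconstrained delegation, msDS-AllowedToDelegateTo (plus the TRUSTED_TO_AUTH_FOR_DELEGATION bit for protocol transition) for constrained delegation, and msDS-AllowedToActOnBehalfOfOtherIdentity for RBCD. The account records, hostnames and SPN are constructed sample data; in a real audit they would come from an LDAP search against a domain controller, which is not shown here.

```python
# Added example (not from the original page): classify Active Directory
# accounts by the Kerberos delegation type configured on them, using the
# attribute names and userAccountControl flag values from the AD schema.
# The account records below are constructed sample data; in practice they
# would come from an LDAP search against a domain controller (not shown).

# userAccountControl bits (values from the AD schema)
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000          # ordinary computer account
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition


def classify(account: dict) -> list[str]:
    """Return the delegation types configured on one account record."""
    uac = account.get("userAccountControl", 0)
    findings = []
    if uac & TRUSTED_FOR_DELEGATION:
        # Any TGT forwarded to a service on this host is cached there.
        findings.append("unconstrained")
    if account.get("msDS-AllowedToDelegateTo"):
        # Outbound list: services this account may impersonate users to.
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            findings.append("constrained (protocol transition)")
        else:
            findings.append("constrained (Kerberos only)")
    if account.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        # Inbound security descriptor: principals allowed to delegate to this
        # account. Decoding the descriptor to list them is out of scope here.
        findings.append("rbcd")
    return findings


def is_domain_controller(account: dict) -> bool:
    return bool(account.get("userAccountControl", 0) & SERVER_TRUST_ACCOUNT)


def is_delegation_protected(account: dict) -> bool:
    """True if the account's credentials cannot be delegated at all
    (NOT_DELEGATED flag set or member of the Protected Users group)."""
    uac = account.get("userAccountControl", 0)
    groups = account.get("memberOf", [])
    in_protected_users = any(g.lower().startswith("cn=protected users,") for g in groups)
    return bool(uac & NOT_DELEGATED) or in_protected_users


def audit(accounts: dict) -> dict:
    """Map sAMAccountName -> findings for every non-DC account with delegation set.
    Domain controllers are skipped: unconstrained delegation is expected on them."""
    report = {}
    for name, account in accounts.items():
        if is_domain_controller(account):
            continue
        findings = classify(account)
        if findings:
            report[name] = findings
    return report


# Constructed sample records (names, hostnames and the SPN are placeholders).
SAMPLE_ACCOUNTS = {
    "DC01$": {"userAccountControl": SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    "WEB01$": {"userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    "svc_sql": {
        "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
        "msDS-AllowedToDelegateTo": ["cifs/FILE01.example.local"],
    },
    "APP02$": {
        "userAccountControl": WORKSTATION_TRUST_ACCOUNT,
        "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<security descriptor bytes>",
    },
    "da_admin": {
        "userAccountControl": NORMAL_ACCOUNT | NOT_DELEGATED,
        "memberOf": ["CN=Protected Users,CN=Users,DC=example,DC=local"],
    },
    "jdoe": {"userAccountControl": NORMAL_ACCOUNT},
}

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(findings)}")
```

The classifier mirrors the table: unconstrained delegation and RBCD are read off the account hosting the service, while constrained delegation is read off the account that will do the delegating. The `is_delegation_protected` check is the mitigation side of the same data: privileged accounts with the NOT_DELEGATED flag or Protected Users membership cannot have their credentials delegated by any of the three configurations.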
2025
- Unconstrained Delegation
- Resource Based Delegation
- Constrained Delegation