📄
Bufu-Sec Wiki
GithubTwitter
  • Bufu-Sec Wiki
  • Active Directory
    • General
      • General
      • Installation
      • DNS
      • Kerberos
      • Kerberos Delegation
    • Enumeration
      • AD Module
      • Bloodhound
      • PowerShell Cheatsheet
      • PowerView Cheatsheet
      • Users
      • Groups
      • Computers
      • OUs
      • GPOs
      • ACLs
      • Domains
      • Trusts
      • Forest Mappings
      • Files and Shares
      • Kerbrute
    • Privilege Escalation
      • Kerberoasting
      • AS-REP Roasting
      • Constrained Delegation
      • Unconstrained Delegation
      • DNS Admins
    • Lateral Movement
      • PS Remoting
      • Credential Dumping
      • DC Sync
      • Overpass the Hash
      • Ticket Harvesting
      • Pass the Ticket
    • Persistence
      • Golden Tickets
      • Silver Tickets
      • ACL Attacks
      • Custom SSPs
      • DC Shadow
      • Skeleton Key
      • DSRM
    • Trust Attacks
      • Cross Domain Attacks
      • Cross Forest Attacks
      • MSSQL Servers
    • MITM & Relay Attacks
      • LLMNR Poisoning
      • SMB Relay
      • IPv6 Attacks
    • Detection & Defense
      • Domain Admins
      • Architectural Changes
      • Microsoft ATA
Powered by GitBook
On this page
  • What is Kerberos Delegation?
  • Authentication Process
  • Types of Kerberos Delegation
  • Unconstrained
  • Constrained
  1. Active Directory
  2. General

Kerberos Delegation

What is Kerberos Delegation?

  • Allows to "reuse the end-user credentials to access resources hosted on a different server"

  • E.g. user authenticates to webserver, then webserver impersonates user to authenticate to database server

  • But: Service account for web server must be trusted for delegation to impersonate user

Authentication Process

  • User provides credentials to DC

  • DC returns TGT

  • User requests TGS for web service on Web Server

  • Web server service account uses the user's TGT to request TGS for the database server from the DC

  • Web server service account connects to the database server as the user

Types of Kerberos Delegation

Unconstrained

  • General/basic delegation

  • Allows service to access any server on any computer in the domain

Constrained

  • Allows service to request access only to specified computers/resources

  • If user is not using Kerberos authentication to authenticate to web server, Windows offers Protocol Transition to transition the request to Kerberos

PreviousKerberosNextEnumeration

Last updated 2 years ago