Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter IV - Active Directory / 03. Kerberos / Delegation

Information

Kerberos delegation allows a service to access another service as a user. It exists so front-end services can reach back-end services without asking the user for credentials again. We abuse it when the delegated service, the delegation target, or the object that controls delegation can be compromised.

There are three main models. Unconstrained delegation caches delegated TGTs on the service host. Traditional constrained delegation lets a controlled service account request tickets only to specific SPNs. Resource-based constrained delegation moves the control to the target computer object through msDS-AllowedToActOnBehalfOfOtherIdentity.

The important distinction is where delegation is configured. Unconstrained and traditional constrained delegation are configured on the delegating account. RBCD is configured on the target object. That one detail decides whether we need to own the front-end service account, write to the target computer object, or steal tickets from memory.

S4U is the core protocol family behind constrained delegation. S4U2Self lets a service ask for a ticket to itself on behalf of a user. S4U2Proxy lets the service exchange that ticket for a ticket to another service. Protocol transition means the service can create the first step without the user authenticating with Kerberos.

Tools used in this section include Impacket, Rubeus, PowerView, Powermad, NetExec, Krbrelayx, SharpSystemTriggers, and StandIn.

Important attributes

TRUSTED_FOR_DELEGATION                         userAccountControl 524288
TRUSTED_TO_AUTH_FOR_DELEGATION                 userAccountControl 16777216
msDS-AllowedToDelegateTo                       traditional constrained delegation targets
msDS-AllowedToActOnBehalfOfOtherIdentity       resource-based constrained delegation security descriptor
servicePrincipalName                           required for delegated service principals
ms-DS-MachineAccountQuota                      default machine-account creation quota

Common service targets

cifs/host.domain.local      SMB and admin shares
ldap/dc.domain.local        LDAP and DCSync-oriented workflows
http/host.domain.local      WinRM and HTTP-backed services
host/host.domain.local      host service class
wsman/host.domain.local     WinRM
termsrv/host.domain.local   RDP-related service class