Because of how tickets are constructed, a service cannot forward a client's credentials to another resource: all it holds is a service ticket encrypted with its own key, which it cannot present to anyone else on the client's behalf. This inability to forward credentials is known as the Kerberos Double-Hop Problem.
Microsoft introduced delegation to let one service forward a client’s credentials to another, enabling the first service to authenticate the client to the second. There are three forms of Kerberos delegation:
Unconstrained Delegation: The first form of delegation. When a client authenticates to a server with unconstrained delegation, it passes its TGT along with the ST, allowing the server to reuse the TGT to authenticate as that user to other resources.
Constrained Delegation: Introduced to mitigate the risks of unconstrained delegation. It restricts delegation to specific services (listed on the delegating account) and replaces TGT forwarding with two protocol extensions: S4U2Self and S4U2Proxy.
Resource-Based Constrained Delegation: Similar to constrained delegation, but here the destination (resource) defines which services are allowed to delegate to it.
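The three forms above map to distinct attributes on the Active Directory object, which is how a defender audits where delegation is configured. The script below is an added example, not part of the original note; it assumes the RSAT ActiveDirectory module and read access to the domain, and the output column names are my own.

```powershell
# Added example: list every account that carries any form of Kerberos delegation
# and classify it as unconstrained, constrained (with protocol transition or not),
# or resource-based constrained delegation (RBCD).
Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x80000    # userAccountControl bit: unconstrained
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl bit: S4U2Self protocol transition

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule; 524288 == 0x80000.
$filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
          '(msDS-AllowedToDelegateTo=*)' +
          '(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
$props  = 'userAccountControl', 'msDS-AllowedToDelegateTo',
          'msDS-AllowedToActOnBehalfOfOtherIdentity'

Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
    $uac = [int]$_.userAccountControl

    # Constrained delegation: the delegating account lists the target SPNs.
    $constrainedTo = @($_.'msDS-AllowedToDelegateTo')

    # RBCD: the *resource* stores a security descriptor whose DACL names the
    # accounts allowed to delegate to it. The AD module usually returns it already
    # decoded; fall back to decoding the raw bytes if not.
    $rbcdFrom = @()
    $raw = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
    if ($raw) {
        if ($raw -is [byte[]]) {
            $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
            $sd.SetSecurityDescriptorBinaryForm($raw)
        } else { $sd = $raw }
        $rbcdFrom = @($sd.Access | ForEach-Object { $_.IdentityReference.Value })
    }

    [pscustomobject]@{
        Name               = $_.Name
        Unconstrained      = (($uac -band $TRUSTED_FOR_DELEGATION) -ne 0)
        ProtocolTransition = (($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0)
        ConstrainedTo      = ($constrainedTo -join ';')
        RBCDAllowedFrom    = ($rbcdFrom -join ';')
    }
} | Sort-Object Unconstrained -Descending | Format-Table -AutoSize
```

Rows with Unconstrained set to True are the ones to review first, since any TGT handed to that host can be reused against other services; domain controllers are expected to appear there, other hosts usually are not.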