Kerberos Delegation


Kerberos Delegation is a delegation method used within Microsoft Active Directory.

Kerberos Delegation allows a service provider to act on your behalf when connecting to other software or services.

Kerberos Delegation is a form of impersonation and is disabled by default.

Typical scenario:

  • a user on computerA requests information from a service on computerB
  • but the requested data lives on computerC

For the service on computerB to fetch that data as the user, Kerberos Delegation would need to be configured for whatever account the service is running as.

Currently 4 delegation options exist:

  • Unconstrained Delegation
    • means you are granting that account permission to delegate to any service, provided all other steps necessary to initiate delegation are met.
    • This option is the easiest to configure but the least secure from an IT security standpoint.
  • Constrained Delegation - Kerberos Only
    • more secure because it limits delegation to a specified list of services, rather than allowing delegation to any service as in unconstrained delegation.
    • requires additional configuration compared with unconstrained delegation.
    • You must ensure SPNs are set up on the account and add the services the account is allowed to delegate to.
  • Constrained Delegation - Any Authentication Protocol
    • the same list-based restriction as Kerberos Only, but additionally allows protocol transition.
  • Resource Based Constrained Delegation
    • configured on the back end resource rather than on the front end account (see the section below).

The Kerberos Only option ensures that there is no protocol transition from a non-Kerberos authentication method. For instance, transitioning from claims to Kerberos authentication is considered a protocol transition.

One of the above options can be enabled for a service provider, user or computer account within Microsoft Active Directory.

In the Computers or Users container for a particular AD domain, right-click an object and open its Properties. Assuming the object in question has a Service Principal Name (SPN) assigned to it, you will see a tab called Delegation, where the above options are presented.
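The Delegation tab shows one object at a time; to see which accounts across the domain carry which of the four kinds of delegation, the attributes behind that tab can be queried directly. The following is an added, read-only example written for this page (not code from the page's author): it reports every object with either userAccountControl delegation bit set, a constrained target list, or an RBCD descriptor on it. It assumes the ActiveDirectory (RSAT) module and read access to the listed attributes; the function name Get-KerberosDelegationReport is an assumption of this example.

```powershell
# Added example, not part of the original page: read-only report of every
# account with some form of Kerberos delegation configured, and which kind.
# Assumes the ActiveDirectory (RSAT) module and read access to the attributes.
Import-Module ActiveDirectory

# Well-known userAccountControl flag values
$UF_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, "any authentication protocol"

function Get-KerberosDelegationReport {
    [CmdletBinding()]
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests individual UAC bits.
    # 524288 = 0x80000, 16777216 = 0x1000000.
    $ldapFilter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
                  '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
                  '(msDS-AllowedToDelegateTo=*)' +
                  '(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'

    $props = 'userAccountControl', 'servicePrincipalName',
             'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity'

    Get-ADObject -SearchBase $SearchBase -LDAPFilter $ldapFilter -Properties $props |
        ForEach-Object {
            $obj     = $_   # keep a handle; $_ is rebound inside switch blocks below
            $uac     = [int]$obj.userAccountControl
            $targets = @($obj.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

            # Classify the FRONT-END side (the account that is trusted to delegate)
            $kind = if ($uac -band $UF_TRUSTED_FOR_DELEGATION) {
                        'Unconstrained'
                    } elseif ($targets.Count -gt 0 -and ($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION)) {
                        'Constrained - any authentication protocol (protocol transition)'
                    } elseif ($targets.Count -gt 0) {
                        'Constrained - Kerberos only'
                    } else {
                        'None (front end)'
                    }

            # The RBCD attribute sits on the BACK END; the account cmdlets expose it
            # resolved to principal names as PrincipalsAllowedToDelegateToAccount.
            $rbcd = @()
            if ($obj.'msDS-AllowedToActOnBehalfOfOtherIdentity') {
                $rbcd = switch ($obj.ObjectClass) {
                    'computer' { (Get-ADComputer -Identity $obj.DistinguishedName -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount }
                    'user'     { (Get-ADUser     -Identity $obj.DistinguishedName -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount }
                    'msDS-GroupManagedServiceAccount' { (Get-ADServiceAccount -Identity $obj.DistinguishedName -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount }
                    default    { '<set; inspect msDS-AllowedToActOnBehalfOfOtherIdentity manually>' }
                }
            }

            [pscustomobject]@{
                Name                  = $obj.Name
                ObjectClass           = $obj.ObjectClass
                FrontEndDelegation    = $kind
                AllowedToDelegateTo   = ($targets -join '; ')
                RbcdAllowedPrincipals = (@($rbcd | ForEach-Object { if ($_.Name) { $_.Name } else { $_ } }) -join '; ')
                HasSPN                = (@($obj.servicePrincipalName | Where-Object { $_ }).Count -gt 0)
            }
        }
}

# Typical use: list everything, then look hardest at the unconstrained entries.
Get-KerberosDelegationReport | Sort-Object FrontEndDelegation | Format-Table -AutoSize
```

Domain controllers legitimately appear as Unconstrained; any other account in that category deserves a documented reason, since it matches the "least secure" option described above. Accounts whose only entry is RbcdAllowedPrincipals are back ends that trust the listed front ends, which is the reverse direction from the other three kinds.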

Resource Based Constrained Delegation

When resource based constrained delegation is configured, an attribute is set on the identity of the back end service which specifies which front end service identities are allowed to send delegated credentials to it. There are several benefits to resource based constrained delegation. Most notably:

  • Permission to delegate is associated with the back end instead of the front end identity
  • Delegation configuration is not dependent on SPNs
  • Domain administrator privileges are not required
  • Functions across domain and forest boundaries

There are also some requirements for resource based constrained delegation to work. Its configuration is more involved; however, it offers more flexibility and more tightly constrained delegation.
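Because the attribute lives on the back end object, there is no option for it on the Delegation tab; it is set on the resource with PowerShell. The following is an added example written for this page (not code from the page's author) that grants a front end identity delegation rights on a back end computer, merging with any principals already listed rather than overwriting them. The names WEB01 (front end, computerB in the scenario above) and SQL01 (back end, computerC) are placeholders, and the function name Grant-Rbcd is this example's own. It assumes the ActiveDirectory module and write access to the back end computer object only.

```powershell
# Added example, not part of the original page: grant resource-based constrained
# delegation on a back-end computer. Placeholder names: WEB01 (front end), SQL01
# (back end). Assumes the ActiveDirectory module and write access to the
# back-end computer object; no domain admin rights are required.
Import-Module ActiveDirectory

function Grant-Rbcd {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$BackEndComputer,    # resource that receives delegated credentials
        [Parameter(Mandatory)][string[]]$FrontEndAccount   # accounts allowed to delegate to it
    )

    # Resolve each front-end name to a principal object. Computer and gMSA accounts
    # are stored with a trailing $ in sAMAccountName; plain users are not.
    $principals = foreach ($name in $FrontEndAccount) {
        $p = Get-ADComputer -Filter "sAMAccountName -eq '$name`$'" -ErrorAction SilentlyContinue
        if (-not $p) { $p = Get-ADUser -Filter "sAMAccountName -eq '$name'" -ErrorAction SilentlyContinue }
        if (-not $p) { $p = Get-ADServiceAccount -Filter "sAMAccountName -eq '$name`$'" -ErrorAction SilentlyContinue }
        if (-not $p) { throw "Front-end account not found: $name" }
        $p
    }

    # -PrincipalsAllowedToDelegateToAccount REPLACES the whole list (the
    # msDS-AllowedToActOnBehalfOfOtherIdentity descriptor), so merge with what is
    # already there instead of silently dropping existing front ends.
    $current = (Get-ADComputer -Identity $BackEndComputer -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount
    $merged  = @(@($current) + @($principals) | Where-Object { $_ } |
                 Sort-Object -Property DistinguishedName -Unique)

    if ($PSCmdlet.ShouldProcess($BackEndComputer, "Allow delegation from: $($merged.Name -join ', ')")) {
        Set-ADComputer -Identity $BackEndComputer -PrincipalsAllowedToDelegateToAccount $merged
    }

    # Read back what the directory now holds on the back-end object
    (Get-ADComputer -Identity $BackEndComputer -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount |
        Select-Object Name, ObjectClass, DistinguishedName
}

# Preview, then apply. Revoking is a matter of clearing the list on the back end.
Grant-Rbcd -BackEndComputer 'SQL01' -FrontEndAccount 'WEB01' -WhatIf
Grant-Rbcd -BackEndComputer 'SQL01' -FrontEndAccount 'WEB01'
# Set-ADComputer -Identity 'SQL01' -PrincipalsAllowedToDelegateToAccount $null   # revoke all
```

The merge step is the part worth keeping: the cmdlet writes the complete list every time, so a script that passes only the new front end removes every previously trusted one. Reading the attribute back after the write is the simplest way to confirm that the back end, and not the front end, now carries the delegation permission, which is the benefit listed first above.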
