Overview#Kerberos Delegation is a delegation method used within Microsoft Active Directory.
Kerberos Delegation allows a service provider to act on your behalf when connecting to other software or services.
Kerberos Delegation is a form of impersonation and is disabled by default.
- A user on computerA requests information from a service on computerB,
- but the requested data lives on computerC, so the service on computerB must reach computerC on the user's behalf.
Currently 4 delegation options exist:
- Unconstrained Delegation
- means you are granting that account permission to delegate to any service, provided all other steps necessary to initiate delegation are met.
- This option is the easiest to configure but the least secure from an IT security standpoint.
- Constrained Delegation - Kerberos Only
- more secure because it limits delegation to a specified list, rather than allowing delegation to any service as in unconstrained delegation.
- requires additional configuration compared with unconstrained delegation.
- You must ensure SPNs are set up on the account and add the services the account is allowed to delegate to.
- Constrained Delegation - Any Authentication Protocol
- allows for protocol transition, i.e. delegation on behalf of a user who did not authenticate to the front end with Kerberos.
- Resource Based Constrained Delegation
The Kerberos Only option ensures that there is no protocol transition from a non-Kerberos authentication method; for instance, transitioning from claims-based to Kerberos authentication is considered a protocol transition.
In the Computers or Users folder for a particular AD domain, right-click an object and open its properties. Assuming the object has a Service Principal Name (SPN) assigned to it, you will see a Delegation tab listing the options above.
Resource Based Constrained Delegation#When resource based constrained delegation is configured, an attribute is set on the identity of the back-end service which specifies which front-end service identities are allowed to send delegated credentials to it. There are several benefits to resource based constrained delegation. Most notably:
- Permission to delegate is associated with the back-end identity instead of the front-end identity
- Delegation configuration is not dependent on SPNs
- Domain administrator privileges are not required
- Functions across domain and forest boundaries
Requirements:
- Both the front-end and back-end account domains must have Windows Server 2012 level or higher KDCs
- The front-end server must be running Windows Server 2012 or a later OS
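As an added example (not part of these notes), a PowerShell audit that classifies every account in the domain into the four delegation options listed above, plus a helper that grants resource based constrained delegation for the computerB/computerC example by writing the permission on the back-end object. It assumes the RSAT ActiveDirectory module and uses placeholder computer names.

```powershell
# Added example, not from the original notes. Needs the RSAT ActiveDirectory module and an
# account that can read userAccountControl and the msDS-* delegation attributes.
Import-Module ActiveDirectory

# userAccountControl bits behind the delegation options described above
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Any Authentication Protocol" (protocol transition)

function Get-DelegationAudit {
    # One record per object carrying any delegation setting, classified into the four
    # options above. Domain controllers legitimately appear as Unconstrained.
    $filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
              '(msDS-AllowedToDelegateTo=*)' +
              '(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'
    $props = 'userAccountControl', 'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity'
    Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
        $uac     = [int]$_.userAccountControl
        $targets = @($_.'msDS-AllowedToDelegateTo' | Where-Object { $_ })   # drop $null when absent
        $hasRbcd = $null -ne $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        $type = if ($uac -band $TRUSTED_FOR_DELEGATION) { 'Unconstrained' }
                elseif ($targets.Count -gt 0 -and ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) { 'Constrained - Any Authentication Protocol' }
                elseif ($targets.Count -gt 0) { 'Constrained - Kerberos Only' }
                elseif ($hasRbcd) { 'Resource Based Constrained (back end)' }
                else { 'Protocol transition flag without target list (review)' }
        [pscustomobject]@{
            Name           = $_.Name
            ObjectClass    = $_.ObjectClass
            DelegationType = $type
            AllowedTargets = ($targets -join '; ')
        }
    }
}

function Grant-ResourceBasedDelegation {
    # Page example: computerB (front end) acts on users' behalf toward computerC (back end).
    # The permission is written on the back-end object, not the front end, as the notes state.
    param([string]$BackEnd, [string]$FrontEnd)   # placeholder names such as 'computerC', 'computerB'
    $front = Get-ADComputer -Identity $FrontEnd
    Set-ADComputer -Identity $BackEnd -PrincipalsAllowedToDelegateToAccount $front
    # Read back the list the KDC will honour (stored in msDS-AllowedToActOnBehalfOfOtherIdentity)
    (Get-ADComputer -Identity $BackEnd -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount
}

# Anything Unconstrained that is not a domain controller deserves a closer look.
Get-DelegationAudit | Sort-Object DelegationType, Name | Format-Table -AutoSize
```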