!!! Overview

[{$pagename}] is a [Delegation] method used within [Microsoft Active Directory]. [{$pagename}] allows a [service Provider] to act on your behalf when connecting with other software or services. [{$pagename}] is a form of [impersonation] and is __disabled__ by default.

Typical scenario:

* a user on computerA requests information from a service on computerB
* but the requested data lives on computerC

[{$pagename}] would need to be configured for whatever account the service on computerB was using.

Currently 4 delegation options exist:

* Unconstrained Delegation
** means you are granting that account permission to [delegate|Delegation] to any service, provided all other steps necessary to initiate delegation are met.
** This option is the easiest to configure but least secure from an IT security standpoint.
* Constrained Delegation - Kerberos Only
** more secure because it limits delegation to a specified list of services, rather than allowing delegation to any service as in unconstrained delegation.
** requires additional configuration compared with unconstrained delegation.
** You must ensure [SPN]s are set up on the account and add the services the account is allowed to delegate to.
* Constrained Delegation - Any Authentication [Protocol]
** allows for protocol transitions.
* Resource Based Constrained Delegation

The __[Kerberos] only__ option ensures that there is no protocol transition from a non-Kerberos [authentication] method. For instance, transitioning from claims to [Kerberos] [authentication] is considered a protocol transition.

One of the above options can be enabled for a [service Provider], user or computer account within [Microsoft Active Directory]. In the Computers or Users folders for a particular [AD DOMAIN], right-click an object and go to its properties. __Assuming__ the object in question has a [Service Principal Name] ([SPN]) assigned to it, you will see a tab called Delegation, where you will see the above options.

!! Resource Based Constrained Delegation

When resource based constrained delegation is configured, an attribute is set on the identity of the back end service which specifies which front end service identities are allowed to send [delegated|Delegation] [credentials] to it.

There are several benefits to resource based constrained delegation. Most notably:

* Permission to delegate is associated with the back end instead of the front end identity
* Delegation configuration is not dependent on SPNs
* Domain administrator privileges are not required
* Functions across domain and forest boundaries

There are also some requirements for resource based constrained delegation to work:

* Both the front and back end account domains must have [Windows Server 2012] level or higher [KDCs]
* The front end server must be running on [Windows Server 2012] or a later OS

Configuration for Resource Based Constrained Delegation is more involved; however, it offers more flexibility and more constrained [Delegation].

!! More Information

There might be more information for this subject on one of the following:

[{ReferringPagesPlugin before='*' after='\n' }]

----
* [#1] - [Types of Kerberos Delegation|https://techsupport.osisoft.com/Troubleshooting/KB/KB01222|target='_blank'] - based on information obtained 2016-04-16
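The following PowerShell is an added example, not part of the original page and not from the OSIsoft article it cites. It covers both sections above: it configures resource based constrained delegation on the back end account (which is where the permission lives, per the section above), then audits the domain for every account carrying any of the four delegation flavours, so that an administrator can see which accounts are unconstrained, which are constrained with or without protocol transition, and which are RBCD targets. The host names FRONTEND01 and BACKEND01 are constructed placeholders; the ActiveDirectory module and write access to the back end computer object are assumed.

```powershell
# Added example (not from the original page): configure RBCD and audit all
# four delegation options with the ActiveDirectory PowerShell module.
# Constructed names: FRONTEND01 (front end service host), BACKEND01 (back end
# service host). Write access to the BACKEND01 computer object is assumed;
# no domain administrator rights are required for RBCD.
Import-Module ActiveDirectory

# --- 1. Resource based constrained delegation -------------------------------
# The permission is stored on the BACK END object, in the attribute
# msDS-AllowedToActOnBehalfOfOtherIdentity, as a list of front end principals.
$frontEnd = Get-ADComputer -Identity 'FRONTEND01'
$backEnd  = Get-ADComputer -Identity 'BACKEND01'

# Allow only FRONTEND01 to present delegated credentials to BACKEND01.
# No SPN on FRONTEND01 needs to be referenced here.
Set-ADComputer -Identity $backEnd -PrincipalsAllowedToDelegateToAccount $frontEnd

# Verify by reading the setting back from the back end object.
$rbcd = Get-ADComputer -Identity $backEnd -Properties PrincipalsAllowedToDelegateToAccount
$rbcd.PrincipalsAllowedToDelegateToAccount   # distinguished name(s) of allowed front ends

# --- 2. Audit every delegation configuration in the domain -----------------
# userAccountControl bits (Windows SDK values):
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, any auth protocol (protocol transition)

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
          '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
          '(msDS-AllowedToDelegateTo=*)' +
          '(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'

Get-ADObject -LDAPFilter $filter -Properties 'userAccountControl',
    'msDS-AllowedToDelegateTo', 'msDS-AllowedToActOnBehalfOfOtherIdentity', 'servicePrincipalName' |
ForEach-Object {
    $uac  = [int]$_.userAccountControl
    $rbcdSd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'   # NT security descriptor, returned
                                                              # by the AD module as ActiveDirectorySecurity
    [pscustomobject]@{
        Name               = $_.Name
        Class              = $_.ObjectClass
        # Unconstrained: the account may delegate to any service.
        Unconstrained      = ($uac -band $TRUSTED_FOR_DELEGATION) -ne 0
        # Constrained (Kerberos only or any protocol): target SPN list on the FRONT END.
        ConstrainedTargets = @($_.'msDS-AllowedToDelegateTo') -join ';'
        # Set together with ConstrainedTargets, this is "Any Authentication Protocol".
        ProtocolTransition = ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
        # RBCD: trustees named in the descriptor on the BACK END are the allowed front ends.
        RbcdFrontEnds      = if ($rbcdSd) {
            @($rbcdSd.Access | ForEach-Object { $_.IdentityReference.Value }) -join ';'
        } else { '' }
    }
} | Format-Table -AutoSize
```

Reading the audit output against the four options above: a row with Unconstrained set is the least secure case; ConstrainedTargets without ProtocolTransition is "Kerberos Only"; ConstrainedTargets with ProtocolTransition is "Any Authentication Protocol"; and a non-empty RbcdFrontEnds column marks a back end that trusts the listed front ends, which is the setting step 1 created for BACKEND01.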