
Constrained Delegation (KCD)

If a service account has SPNs listed in its msDS-AllowedToDelegateTo attribute, it can authenticate to those SPNs as an arbitrary delegable user.

Requirements

  • An account with SPNs listed in msDS-AllowedToDelegateTo.
    • The impersonated user must be delegable: members of "Protected Users" and accounts marked "Account is sensitive and cannot be delegated" are excluded.

Protocol Transition Enabled

If the service account also has protocol transition enabled (the TrustedToAuthForDelegation flag in userAccountControl), it can obtain service tickets for the specific msDS-AllowedToDelegateTo SPNs via S4U2Self -> S4U2Proxy.

getST uses S4U2Self and S4U2Proxy to obtain the service ticket:
impacket-getST -spn "cifs/target" -impersonate "Administrator" "<domain>"/"<user>":"<password>"

Without Protocol Transition Enabled

Clients must authenticate to the service with Kerberos and provide a forwardable ticket. The service can then use S4U2Proxy to the SPNs in msDS-AllowedToDelegateTo. Non-Kerberos client auth (e.g., NTLM) won’t work here because S4U2Self would yield a non-forwardable ticket.
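The two delegation modes above, and the delegable-user requirement from the Requirements section, come down to a handful of LDAP attributes. The following audit script is an added example, not code from the original page or from impacket: it classifies service accounts as KCD with protocol transition, KCD without it (Kerberos-only), or unconstrained, and reports which of a set of sensitive users a KCD account could still impersonate. The directory records, the example.local domain and the Protected Users DN are constructed so it runs offline; a real audit would pull the same attributes over LDAP.

```python
"""Offline audit of Kerberos constrained delegation (KCD) configuration.

Added example (not from the original page). It works on constructed
records that carry the LDAP attributes relevant to KCD; a real audit
would fetch those attributes from the directory, which is not done here.
"""

# Well-known userAccountControl bits from the AD schema.
UF_NORMAL_ACCOUNT = 0x00000200
UF_TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
UF_NOT_DELEGATED = 0x00100000                   # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition

# Constructed DN; the real group lives under CN=Users of your own domain.
PROTECTED_USERS_DN = "CN=Protected Users,CN=Users,DC=example,DC=local"


def delegation_mode(account: dict) -> str:
    """Classify a service account's delegation setup from its attributes.

    'kcd-protocol-transition': KCD targets set and TrustedToAuthForDelegation
        set, so S4U2Self -> S4U2Proxy works regardless of how the client
        authenticated to the service.
    'kcd-kerberos-only': KCD targets set without protocol transition, so
        S4U2Proxy needs a forwardable ticket from a Kerberos client.
    'unconstrained': TrustedForDelegation set and no KCD targets.
    'none': no delegation configured.
    """
    uac = account.get("userAccountControl", 0)
    targets = account.get("msDS-AllowedToDelegateTo", [])
    if targets:
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "kcd-protocol-transition"
        return "kcd-kerberos-only"
    if uac & UF_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    return "none"


def is_delegable(user: dict) -> bool:
    """True if the KDC would let a delegating service impersonate this user.

    Protected Users members and accounts with the NOT_DELEGATED bit are
    excluded from delegation, so they are the safe configuration for admins.
    """
    if user.get("userAccountControl", 0) & UF_NOT_DELEGATED:
        return False
    return PROTECTED_USERS_DN not in user.get("memberOf", [])


def audit_kcd(accounts: list, users: list) -> list:
    """One finding per KCD-capable account: mode, SPN targets, and which of
    the given (typically privileged) users it could still impersonate."""
    findings = []
    for acct in accounts:
        mode = delegation_mode(acct)
        if not mode.startswith("kcd"):
            continue
        findings.append({
            "account": acct["sAMAccountName"],
            "mode": mode,
            "targets": sorted(acct["msDS-AllowedToDelegateTo"]),
            "impersonable": sorted(u["sAMAccountName"] for u in users if is_delegable(u)),
        })
    return findings


# Constructed sample records, not real directory data.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_web",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/fileserver.example.local", "cifs/fileserver"]},
    {"sAMAccountName": "svc_report",
     "userAccountControl": UF_NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db.example.local:1433"]},
    {"sAMAccountName": "svc_legacy",
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
]

SAMPLE_USERS = [
    {"sAMAccountName": "Administrator", "userAccountControl": UF_NORMAL_ACCOUNT, "memberOf": []},
    {"sAMAccountName": "da_alice", "userAccountControl": UF_NORMAL_ACCOUNT,
     "memberOf": [PROTECTED_USERS_DN]},
    {"sAMAccountName": "da_bob", "userAccountControl": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED,
     "memberOf": []},
]

if __name__ == "__main__":
    for f in audit_kcd(SAMPLE_ACCOUNTS, SAMPLE_USERS):
        print(f"{f['account']}: {f['mode']} -> {', '.join(f['targets'])}; "
              f"can impersonate: {', '.join(f['impersonable']) or 'nobody'}")
```

In the sample data only svc_web and svc_report are KCD accounts; svc_web, having protocol transition, is the one to prioritise, and of the three sensitive users only Administrator remains impersonable because the other two are protected by Protected Users membership or the NOT_DELEGATED bit.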