
S4U2Self and S4U2Proxy

S4U2Self

Any SPN-bearing account can request a ticket to itself for any user.

That ticket is non-forwardable by default. It becomes forwardable only when the service account has TrustedToAuthForDelegation set and the user isn’t delegation-restricted (e.g., the user has “Account is sensitive and cannot be delegated” set or is a member of Protected Users).

TrustedToAuthForDelegation (Use any authentication protocol) explanation:

If a client authenticates via NTLM (or otherwise without a Kerberos ticket), a service with this flag can obtain a forwardable service ticket to itself for the user, then use S4U2Proxy to other services (subject to delegation settings and user not being delegation-restricted).

If the client authenticates to the service with Kerberos, the service ticket it presents is forwardable by default, so TrustedToAuthForDelegation isn’t needed for S4U2Proxy in that case.

S4U2Proxy

Using a user's service ticket as an evidence ticket (from S4U2Self or from the user’s Kerberos logon), the service requests a ticket to a back-end SPN.

If a user is delegation-restricted (marked “Account is sensitive and cannot be delegated”, a member of Protected Users, etc.), the service ticket will never be forwardable and so S4U2Proxy will not work for that user.

Requirements for a service ticket to be issued

One of these requirements must be met in order for S4U2Proxy to work.

Classic Constrained Delegation (KCD):

The back-end SPN is listed exactly in the requesting service account’s msDS-AllowedToDelegateTo. The evidence ticket must be forwardable.

Circumstances where tickets are normally forwardable:

  • The user authenticates to the SPN with Kerberos.
  • The SPN obtains a service ticket for the user through S4U2Self and the SPN has TrustedToAuthForDelegation set.

Resource-based Constrained Delegation (RBCD):

The requesting service account is allowed by the target service account’s msDS-AllowedToActOnBehalfOfOtherIdentity. This permits proxy tickets to any SPN hosted by that target account (e.g., cifs/DC, ldap/DC). The evidence ticket does not need to be forwardable.
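The rules above for S4U2Self forwardability and for the KCD and RBCD S4U2Proxy checks can be written down as a small decision model, which is useful when auditing which service accounts could end up impersonating which users. The following is an added example, not code from the original page: it models accounts as plain dicts/dataclasses with the attribute names used in the text (msDS-AllowedToDelegateTo, msDS-AllowedToActOnBehalfOfOtherIdentity, TrustedToAuthForDelegation, the NOT_DELEGATED flag, Protected Users membership) and evaluates the S4U2Self and S4U2Proxy outcomes for a constructed sample directory. The userAccountControl bit values are the documented ones; the sample accounts, SPNs and the simplification of msDS-AllowedToActOnBehalfOfOtherIdentity to sAMAccountNames instead of SIDs are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Documented userAccountControl bits.
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"


@dataclass
class Account:
    """Subset of AD attributes the delegation rules depend on (constructed model)."""
    sam: str
    uac: int = 0
    spns: list = field(default_factory=list)                    # servicePrincipalName
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo
    allowed_to_act_on_behalf: set = field(default_factory=set)  # msDS-AllowedToActOnBehalfOfOtherIdentity
                                                                # (front-end sAMAccountNames; real attribute holds SIDs)
    protected_user: bool = False                                # member of Protected Users


def delegation_restricted(user: Account) -> bool:
    """Users the KDC never lets a service impersonate through S4U2Proxy."""
    return bool(user.uac & NOT_DELEGATED) or user.protected_user


def s4u2self(service: Account, user: Account) -> Optional[dict]:
    """S4U2Self: any SPN-bearing account gets a ticket to itself for any user.
    It is forwardable only with TrustedToAuthForDelegation on the service
    and no delegation restriction on the user."""
    if not service.spns:
        return None
    forwardable = bool(service.uac & TRUSTED_TO_AUTH_FOR_DELEGATION) and not delegation_restricted(user)
    return {"client": user, "service": service.sam, "forwardable": forwardable}


def evidence_ticket(service: Account, user: Account, auth: str) -> Optional[dict]:
    """Evidence ticket for S4U2Proxy. With a Kerberos logon the user's own
    service ticket is used (forwardable by default); with NTLM or any other
    non-Kerberos logon the service must fall back to S4U2Self."""
    if auth == "kerberos":
        return {"client": user, "service": service.sam, "forwardable": not delegation_restricted(user)}
    return s4u2self(service, user)


def s4u2proxy(service: Account, evidence: Optional[dict], backend: Account, backend_spn: str) -> tuple:
    """Decide whether the KDC would issue a proxy ticket to backend_spn; returns (ok, reason)."""
    if evidence is None:
        return False, "no evidence ticket"
    if delegation_restricted(evidence["client"]):
        return False, "user is delegation-restricted"
    # RBCD: the back-end account lists the requesting service; any SPN hosted by
    # the back-end account qualifies and the evidence ticket need not be forwardable.
    if service.sam in backend.allowed_to_act_on_behalf and backend_spn in backend.spns:
        return True, "RBCD"
    # Classic KCD: exact SPN match in msDS-AllowedToDelegateTo, forwardable evidence required.
    if backend_spn in service.allowed_to_delegate_to:
        if evidence["forwardable"]:
            return True, "KCD"
        return False, "KCD: evidence ticket not forwardable"
    return False, "no delegation path"


def impersonation_paths(services, users, backends, auth="ntlm"):
    """Audit helper: every (service, user, backend SPN, mechanism) that would succeed."""
    paths = []
    for svc in services:
        for user in users:
            ev = evidence_ticket(svc, user, auth)
            for be in backends:
                for spn in be.spns:
                    ok, how = s4u2proxy(svc, ev, be, spn)
                    if ok:
                        paths.append((svc.sam, user.sam, spn, how))
    return paths


# Constructed sample directory (not real accounts).
WEB_KCD = Account("web-kcd", uac=TRUSTED_TO_AUTH_FOR_DELEGATION, spns=["http/web"],
                  allowed_to_delegate_to=["cifs/fs"])
WEB_KCD_NO_T2A4D = Account("web-kcd2", spns=["http/web2"], allowed_to_delegate_to=["cifs/fs"])
WEB_RBCD = Account("web-rbcd", spns=["http/web3"])
FS = Account("fs", spns=["cifs/fs", "http/fs"])
DC = Account("dc", spns=["cifs/dc", "ldap/dc"], allowed_to_act_on_behalf={"web-rbcd"})
ALICE = Account("alice")
ADMIN = Account("admin", uac=NOT_DELEGATED)
BOB = Account("bob", protected_user=True)

if __name__ == "__main__":
    for path in impersonation_paths([WEB_KCD, WEB_KCD_NO_T2A4D, WEB_RBCD], [ALICE, ADMIN, BOB], [FS, DC]):
        print(path)
```

Running the audit with the default NTLM logon shows three paths: web-kcd can reach cifs/fs via KCD because it has TrustedToAuthForDelegation, web-kcd2 cannot (its S4U2Self ticket is not forwardable), and web-rbcd can reach both cifs/dc and ldap/dc via RBCD even without a forwardable evidence ticket. Re-running with auth="kerberos" adds the web-kcd2 path, matching the text's point that TrustedToAuthForDelegation only matters when the user did not authenticate with Kerberos. The restricted users admin and bob never appear.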

Conclusion

S4U2Self allows any SPN-bearing account to obtain a service ticket to itself for any user in the domain.

S4U2Proxy allows an SPN-bearing account to obtain service tickets, on behalf of any delegable user in the domain, to any other service that the account is allowed to delegate to.