Kerberos Constrained Delegation
Was ist Kerberos Constrained Delegation?
Kerberos Constrained DelegationAn Active Directory delegation mode that allows a service to impersonate users only to a specified set of target services — safer than unconstrained delegation, but still abused via S4U2Self / S4U2Proxy attacks when misconfigured.
Kerberos Constrained Delegation (KCD), introduced with Windows Server 2003, restricts which other services an account can impersonate a user to: the account's `msDS-AllowedToDelegateTo` attribute lists exactly those target SPNs. KCD comes in two flavors. Classic KCD requires Domain Admin to configure the trust on the delegating account. Resource-Based Constrained Delegation (RBCD), introduced in Windows Server 2012, inverts the configuration so the target service controls who can impersonate to it via `msDS-AllowedToActOnBehalfOfOtherIdentity` — useful for cross-forest scenarios. KCD is far safer than unconstrained delegation, but it is not safe by default: attackers with control of an account that has constrained delegation rights can use S4U2Self to mint tickets for arbitrary users (including Domain Admins) and then S4U2Proxy to access the allowed targets, an attack chain documented since the 2018 Elad Shamir 'Wagging the Dog' research. RBCD attacks via control of computer-account writes (CVE-2021-42278/42287, sAMAccountName spoofing) are equally well known. Modern hardening includes Protected Users group membership for sensitive accounts, the 'Account is sensitive and cannot be delegated' flag, and rigorous review of all delegation attributes in AD.
● Beispiele
- 01
A web application's service account is constrained to delegate only to the SQL Server SPN; the same account cannot impersonate users to other services.
- 02
A red-team that gains write access to a computer object configures it for RBCD and S4U2Selfs into Domain Admin, demonstrating the need to restrict ms-DS-MachineAccountQuota.
● Häufige Fragen
Was ist Kerberos Constrained Delegation?
An Active Directory delegation mode that allows a service to impersonate users only to a specified set of target services — safer than unconstrained delegation, but still abused via S4U2Self / S4U2Proxy attacks when misconfigured. Es gehört zur Kategorie Identität und Zugriff der Cybersicherheit.
Was bedeutet Kerberos Constrained Delegation?
An Active Directory delegation mode that allows a service to impersonate users only to a specified set of target services — safer than unconstrained delegation, but still abused via S4U2Self / S4U2Proxy attacks when misconfigured.
Wie funktioniert Kerberos Constrained Delegation?
Kerberos Constrained Delegation (KCD), introduced with Windows Server 2003, restricts which other services an account can impersonate a user to: the account's `msDS-AllowedToDelegateTo` attribute lists exactly those target SPNs. KCD comes in two flavors. Classic KCD requires Domain Admin to configure the trust on the delegating account. Resource-Based Constrained Delegation (RBCD), introduced in Windows Server 2012, inverts the configuration so the target service controls who can impersonate to it via `msDS-AllowedToActOnBehalfOfOtherIdentity` — useful for cross-forest scenarios. KCD is far safer than unconstrained delegation, but it is not safe by default: attackers with control of an account that has constrained delegation rights can use S4U2Self to mint tickets for arbitrary users (including Domain Admins) and then S4U2Proxy to access the allowed targets, an attack chain documented since the 2018 Elad Shamir 'Wagging the Dog' research. RBCD attacks via control of computer-account writes (CVE-2021-42278/42287, sAMAccountName spoofing) are equally well known. Modern hardening includes Protected Users group membership for sensitive accounts, the 'Account is sensitive and cannot be delegated' flag, and rigorous review of all delegation attributes in AD.
Wie schützt man sich gegen Kerberos Constrained Delegation?
Schutzmaßnahmen gegen Kerberos Constrained Delegation kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.
Welche anderen Bezeichnungen gibt es für Kerberos Constrained Delegation?
Übliche alternative Bezeichnungen: KCD, Resource-Based Constrained Delegation, RBCD.
● Verwandte Begriffe
- identity-access№ 652
Kerberos
Ticket-basiertes Netzwerk-Authentifizierungsprotokoll, das mit symmetrischer Kryptografie und einem vertrauenswürdigen Key Distribution Center sicheres Single Sign-On ermöglicht.
- identity-access№ 014
Active Directory
Unternehmens-Verzeichnisdienst von Microsoft für Windows-Netzwerke, der zentrale Authentifizierung, Autorisierung und Richtlinienverwaltung für Benutzer, Computer und Ressourcen bietet.
- identity-access№ 654
Kerberos Unconstrained Delegation
An Active Directory configuration that lets a service receive and store TGTs for any authenticating user, allowing it to impersonate them to any other service — a high-impact misconfiguration repeatedly abused for credential theft and domain compromise.
- attacks№ 651
Kerberoasting
Offline-Passwortangriff, der Kerberos-Service-Tickets fuer Dienstkonten anfordert und den verschluesselten Teil knackt, um deren Klartext-Passwoerter zu gewinnen.
- attacks№ 886
Pass-the-Ticket
Active-Directory-Angriff, der ein gestohlenes Kerberos-Ticket erneut nutzt, um sich als Benutzer oder Dienst auszugeben, ohne das Passwort zu kennen.
- attacks№ 836
NTLM-Relay-Angriff
Adversary-in-the-Middle-Angriff (MITRE T1557.001), bei dem ein Angreifer die NTLM-Authentifizierung eines Opfers an einen anderen Dienst weiterleitet, um es ohne Passwortkenntnis zu impersonieren.