Kerberos Constrained Delegation
Kerberos Constrained Delegation 是什么?
An Active Directory delegation mode that allows a service to impersonate users only to a specified set of target services — safer than unconstrained delegation, but still abused via S4U2Self / S4U2Proxy attacks when misconfigured.
Kerberos Constrained Delegation (KCD), introduced with Windows Server 2003, restricts which other services an account can impersonate a user to: the account's `msDS-AllowedToDelegateTo` attribute lists exactly those target SPNs. KCD comes in two flavors. Classic KCD requires Domain Admin to configure the trust on the delegating account. Resource-Based Constrained Delegation (RBCD), introduced in Windows Server 2012, inverts the configuration so the target service controls who can impersonate to it via `msDS-AllowedToActOnBehalfOfOtherIdentity` — useful for cross-forest scenarios. KCD is far safer than unconstrained delegation, but it is not safe by default: attackers with control of an account that has constrained delegation rights can use S4U2Self to mint tickets for arbitrary users (including Domain Admins) and then S4U2Proxy to access the allowed targets, an attack chain documented since the 2018 Elad Shamir 'Wagging the Dog' research. RBCD attacks via control of computer-account writes (CVE-2021-42278/42287, sAMAccountName spoofing) are equally well known. Modern hardening includes Protected Users group membership for sensitive accounts, the 'Account is sensitive and cannot be delegated' flag, and rigorous review of all delegation attributes in AD.
● Examples
- 01
A web application's service account is constrained to delegate only to the SQL Server SPN; the same account cannot impersonate users to other services.
- 02
A red team that gains write access to a computer object configures it for RBCD and uses S4U2Self to impersonate a Domain Admin, demonstrating the need to restrict ms-DS-MachineAccountQuota.
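As an added example, not part of the original entry: a PowerShell audit that enumerates the delegation settings the definition describes (classic KCD via `msDS-AllowedToDelegateTo`, RBCD via `msDS-AllowedToActOnBehalfOfOtherIdentity`, the 'Account is sensitive and cannot be delegated' flag, Protected Users membership) plus the `ms-DS-MachineAccountQuota` value from example 02. It assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the directory; the two `userAccountControl` bit constants are the standard flag values, not anything taken from the page.

```powershell
# Added audit example (not from the original entry). Read-only: it lists the
# delegation configuration a reviewer should inspect, it changes nothing.
Import-Module ActiveDirectory

$UF_NOT_DELEGATED             = 0x100000   # "Account is sensitive and cannot be delegated"
$UF_TRUSTED_TO_AUTH_FOR_DELEG = 0x1000000  # "Use any authentication protocol" (protocol transition)

# 1. Classic KCD: every account whose msDS-AllowedToDelegateTo is populated.
#    ProtocolTransition = $true means S4U2Self can obtain tickets for users
#    who never authenticated to the service, which is the riskier variant.
Write-Host "== Classic constrained delegation =="
Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties msDS-AllowedToDelegateTo, userAccountControl, sAMAccountName |
    ForEach-Object {
        $uac = [int]$_.userAccountControl
        [pscustomobject]@{
            Account            = $_.sAMAccountName
            ObjectClass        = $_.ObjectClass
            AllowedTargets     = ($_.'msDS-AllowedToDelegateTo' -join '; ')
            ProtocolTransition = [bool]($uac -band $UF_TRUSTED_TO_AUTH_FOR_DELEG)
        }
    } | Format-Table -AutoSize

# 2. RBCD: every computer whose msDS-AllowedToActOnBehalfOfOtherIdentity is set.
#    The AD module decodes that security descriptor into the friendly
#    PrincipalsAllowedToDelegateToAccount property.
Write-Host "== Resource-based constrained delegation =="
Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name,
        @{ n = 'AllowedToActOnBehalf'; e = { $_.PrincipalsAllowedToDelegateToAccount -join '; ' } } |
    Format-Table -AutoSize

# 3. Sensitive accounts lacking both hardening controls named in the entry:
#    not flagged non-delegatable AND not a member of Protected Users.
Write-Host "== Domain Admins without delegation hardening =="
$protectedDNs = @(Get-ADGroupMember 'Protected Users' -Recursive | Select-Object -ExpandProperty distinguishedName)
Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties userAccountControl |
    Where-Object {
        -not ($_.userAccountControl -band $UF_NOT_DELEGATED) -and
        ($_.DistinguishedName -notin $protectedDNs)
    } |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize

# 4. Machine account quota (example 02): a non-zero value lets ordinary users
#    create computer objects they then control, the usual entry point for RBCD abuse.
$domainDN = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "== ms-DS-MachineAccountQuota: $quota (0 is the recommended hardening value) =="
```

Run it from an account with ordinary read rights; findings in sections 1 and 2 are not faults by themselves (the entry's SQL Server example is exactly such a row) but each should map to a documented business need, while rows in section 3 and a non-zero quota in section 4 are the gaps the hardening paragraph says to close.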
● FAQ
What is Kerberos Constrained Delegation?
An Active Directory delegation mode that allows a service to impersonate users only to a specified set of target services — safer than unconstrained delegation, but still abused via S4U2Self / S4U2Proxy attacks when misconfigured. It belongs to the Identity & Access category of cyber security.
How does Kerberos Constrained Delegation work?
Kerberos Constrained Delegation (KCD), introduced with Windows Server 2003, restricts which other services an account can impersonate a user to: the account's `msDS-AllowedToDelegateTo` attribute lists exactly those target SPNs. KCD comes in two flavors. Classic KCD requires Domain Admin to configure the trust on the delegating account. Resource-Based Constrained Delegation (RBCD), introduced in Windows Server 2012, inverts the configuration so the target service controls who can impersonate to it via `msDS-AllowedToActOnBehalfOfOtherIdentity` — useful for cross-forest scenarios. KCD is far safer than unconstrained delegation, but it is not safe by default: attackers with control of an account that has constrained delegation rights can use S4U2Self to mint tickets for arbitrary users (including Domain Admins) and then S4U2Proxy to access the allowed targets, an attack chain documented since the 2018 Elad Shamir 'Wagging the Dog' research. RBCD attacks via control of computer-account writes (CVE-2021-42278/42287, sAMAccountName spoofing) are equally well known. Modern hardening includes Protected Users group membership for sensitive accounts, the 'Account is sensitive and cannot be delegated' flag, and rigorous review of all delegation attributes in AD.
How do you defend against Kerberos Constrained Delegation?
Defenses against Kerberos Constrained Delegation usually combine technical controls with operational practices; see the full definition above.
What other names does Kerberos Constrained Delegation go by?
Common aliases include: KCD, Resource-Based Constrained Delegation, RBCD.
● Related terms
- identity-access№ 652
Kerberos
A ticket-based network authentication protocol that uses symmetric encryption and a trusted key distribution center to provide secure single sign-on across services.
- identity-access№ 014
Active Directory
Microsoft's enterprise directory service for Windows networks, providing centralized authentication, authorization and policy management for users, computers and resources.
- identity-access№ 654
Kerberos Unconstrained Delegation
An Active Directory configuration that lets a service receive and store TGTs for any authenticating user, allowing it to impersonate them to any other service — a high-impact misconfiguration repeatedly abused for credential theft and domain compromise.
- attacks№ 651
Kerberoasting
An offline password-cracking attack against service accounts: the attacker requests Kerberos service tickets and cracks their encrypted portion offline to recover the plaintext password.
- attacks№ 886
Pass-the-Ticket attack
An attack against Active Directory that replays stolen Kerberos tickets to impersonate a user or service without knowing its password.
- attacks№ 836
NTLM Relay attack
A man-in-the-middle attack (MITRE T1557.001) in which the attacker forwards the victim's NTLM authentication to another service, impersonating the victim without knowing the password.