Constrained Delegation
Constrained delegation allows a service to impersonate a user, but only to specific services on specific computers as defined in its configuration.
Example Scenario
1. A user (e.g., Joe) authenticates to a web application using a method that does not support Kerberos (for example, forms-based or NTLM authentication).
2. The web application, running under the `websvc` account, uses S4U2Self to request a service ticket (TGS) to itself on Joe's behalf. The KDC verifies that `websvc` has the `TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION` flag set and that Joe is not protected from delegation (e.g., "Account is sensitive and cannot be delegated" or membership in Protected Users). If allowed, it returns a forwardable TGS for Joe.
3. The web service now uses S4U2Proxy to request a TGS for a back-end service such as `CIFS/dcorp-mssql.dollarcorp.moneycorp.local`. The KDC checks that this SPN is listed in `msDS-AllowedToDelegateTo` on the `websvc` account; if so, it returns the TGS.
4. The web service uses the TGS to access the target service as Joe.
Constrained Delegation with Protocol Transition
If an attacker compromises the `websvc` account (for example by recovering its password, NTLM hash or AES key), they can run S4U2Self and S4U2Proxy themselves and impersonate any user who is not protected from delegation to any service listed in `msDS-AllowedToDelegateTo`.
Enumeration
To find accounts with constrained delegation enabled:
PowerView:
ActiveDirectory module:
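The following queries are an added example, not the page's original command lines. They assume PowerView (`PowerView.ps1`) and the RSAT ActiveDirectory module are loaded; they list accounts configured for constrained delegation, with and without protocol transition:

```powershell
# Added example, not the page's original commands. Assumes PowerView.ps1 and the
# RSAT ActiveDirectory module are imported in the current session.

# --- PowerView ---
# Users and computers with the TRUSTED_TO_AUTH_FOR_DELEGATION UAC flag, i.e.
# constrained delegation with protocol transition (the S4U2Self case above).
Get-DomainUser -TrustedToAuth | Select-Object samaccountname, 'msds-allowedtodelegateto', useraccountcontrol
Get-DomainComputer -TrustedToAuth | Select-Object dnshostname, 'msds-allowedtodelegateto'

# Any object with a non-empty msDS-AllowedToDelegateTo, regardless of the protocol
# transition flag (also catches Kerberos-only constrained delegation).
Get-DomainObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties samaccountname, 'msDS-AllowedToDelegateTo'

# --- ActiveDirectory module ---
# Same LDAP condition, with the multi-valued SPN list flattened for readability.
Get-ADObject -Filter { msDS-AllowedToDelegateTo -ne "$null" } -Properties msDS-AllowedToDelegateTo |
    Select-Object Name, ObjectClass, @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }

# Protocol transition flag via the ActiveDirectory module.
Get-ADUser     -Filter { TrustedToAuthForDelegation -eq $true } -Properties TrustedToAuthForDelegation, msDS-AllowedToDelegateTo
Get-ADComputer -Filter { TrustedToAuthForDelegation -eq $true } -Properties TrustedToAuthForDelegation, msDS-AllowedToDelegateTo
```

Check both views: an account can have `msDS-AllowedToDelegateTo` populated without protocol transition (Kerberos-only), in which case S4U2Self will not return a forwardable ticket and the attacker needs a real Kerberos ticket from the victim instead.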
Abuse via Rubeus
Request the TGT and the S4U tickets in one step using Rubeus:
Then access the target service:
Note: the service name in a TGS is stored in the clear-text part of the ticket and is not covered by the ticket's encryption, so the client can change it without invalidating the ticket. Delegation configured for a seemingly low-risk SPN on a host therefore yields usable tickets for any other service on the same host (e.g. `ldap`, `cifs`, `http`), which is what the Rubeus `/altservice` parameter does.
Alternate scenario (with the `/altservice` parameter):
Labs
Resource-Based Constrained Delegation (RBCD)
RBCD shifts delegation control from the front-end service (e.g., web server) to the target resource (e.g., database server).
This is managed through the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute, exposed in the ActiveDirectory module as `PrincipalsAllowedToDelegateToAccount`, which is stored on the resource (the back-end) rather than on the front-end service.
Unlike unconstrained and classic constrained delegation, configuring RBCD does not require the SeEnableDelegationPrivilege (normally held only by Domain Admins): any principal with write access to the resource's object (e.g. GenericAll, GenericWrite, WriteDacl or WriteProperty on the computer object) can configure it.
To exploit RBCD effectively, you need:
- Write permissions over the target resource (the computer object you want to access).
- Control over an object with an SPN, typically a computer account, obtained via either:
  - Local admin access to a domain-joined machine (to dump its machine account credentials), or
  - The ability to create and join a machine account to the domain (default `ms-DS-MachineAccountQuota` = 10 for every authenticated user).
Enumeration and Exploitation
1. Identify write permissions over the target resource:
2. Set RBCD using the ActiveDirectory module (this writes `msDS-AllowedToActOnBehalfOfOtherIdentity` on the resource):
3. Extract the AES keys of the impersonating machine account (requires local admin on that machine):
4. Use the AES key with Rubeus (S4U2Self followed by S4U2Proxy) to impersonate a privileged user to the target:
5. Then access the machine with the injected ticket:
Labs