Kerberos (III): How does delegation work?
Introduction to Kerberos delegation

There are several kinds of delegation implemented using the Kerberos protocol on Windows and Linux servers. Basically, delegation allows a service to impersonate the client user when interacting with a second service, with the privileges and permissions of the client itself. The flavors of delegation are the following:

- Unconstrained delegation
- Constrained delegation
- RBCD (Resource Based Constrained Delegation)

In this article, we will focus on understanding how the different kinds of delegation work, including some special cases. Additionally, we will introduce some scenarios where it could be possible to take advantage of these mechanisms to escalate privileges or establish persistence in the domain.

Before starting with the explanations, I will assume that you ...