Constrained Delegation

Constrained delegation is a safer way to perform Kerberos delegation. In contrast to unconstrained delegation, constrained delegation restricts the services to which the server an act on behalf of a user. This means that the server can be configured to only present delegated credentials to the database server, instead of any other arbitrary service.

Enumerating Constrained Delegation

# Enumerating with PowerView
Get-DomainComputer -TrustedToAuth -Properties DnsHostName, MSDS-AllowedToDelegateTo

# Enumerating with BloodHound
MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p


  • When enumerating constrained delegation, enumerating the service type is extremely important. For exampke, enumerating cifs means that we are able to execute PsExec against the host as well as upload and/or download files.


Last updated