Constrained Delegation

Constrained delegation is a safer way to perform Kerberos delegation. In contrast to unconstrained delegation, constrained delegation restricts the services to which the server an act on behalf of a user. This means that the server can be configured to only present delegated credentials to the database server, instead of any other arbitrary service.

Enumerating Constrained Delegation

# Enumerating with PowerView
Get-DomainComputer -TrustedToAuth -Properties DnsHostName, MSDS-AllowedToDelegateTo

# Enumerating with BloodHound
MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p

Notes

• When enumerating constrained delegation, enumerating the service type is extremely important. For exampke, enumerating cifs means that we are able to execute PsExec against the host as well as upload and/or download files.

References

SensePost | Constrained Delegation Considerations for Lateral Movementsensepost.com

No Shells Required - a Walkthrough on Using Impacket and Kerberos to Delegate Your Way to DAblog.redxorblue.com