H3-2023-0010
Kerberos Constrained Delegation
| Category | SECURITY_MISCONFIGURATION |
| Base Score | 4.9 |
Description
An Active Directory principal (a user, machine, or service account) is configured for Kerberos constrained delegation: its msDS-AllowedToDelegateTo attribute lists one or more service principal names (SPNs), and the account may present service tickets to those services on behalf of other users (S4U2Proxy). When protocol transition is also enabled ("use any authentication protocol", the TRUSTED_TO_AUTH_FOR_DELEGATION flag in userAccountControl), the principal can first obtain a service ticket for an arbitrary user via S4U2Self without that user ever authenticating to it, so it can impersonate any domain principal that is not explicitly protected against delegation (accounts marked "Account is sensitive and cannot be delegated" or members of the Protected Users group) when connecting to the listed services. Without protocol transition (Kerberos only), impersonation is limited to users who have presented a forwardable service ticket to the delegating principal, which narrows but does not remove the exposure.
Impact
If an attacker obtains authentication material for the principal configured with constrained delegation (its password, NTLM hash, or Kerberos keys, or code execution in its security context), the attacker can request service tickets for the configured SPNs as a domain administrator and use them against the target host, enabling host compromise and, if the target is a high-value host such as a Domain Controller, domain compromise. Note that the service class of the SPN is not protected by the ticket's encrypted part, so a ticket obtained for one service on a host (for example time/ or http/) can be presented to another service on the same host, such as cifs/ or ldap/; the exposure is therefore the whole host, not only the service named in msDS-AllowedToDelegateTo.
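The following PowerShell audit is an added example for this finding and is not part of the original advisory; it assumes the RSAT ActiveDirectory module and read access to the domain. It enumerates every principal configured for constrained delegation (the Description above), flags delegation targets that are domain controllers and privileged accounts that remain impersonable (the Impact above). Group names are the built-in defaults; everything else is read from the directory.

```powershell
# Added audit example for H3-2023-0010; not part of the original advisory text.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$UF_NOT_DELEGATED             = 0x100000   # "Account is sensitive and cannot be delegated"
$UF_TRUSTED_TO_AUTH_FOR_DELEG = 0x1000000  # protocol transition ("use any authentication protocol")

# 1. Every principal configured for constrained delegation, with its target SPNs and whether
#    protocol transition lets it mint tickets for arbitrary users via S4U2Self.
$delegators = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' `
    -Properties 'msDS-AllowedToDelegateTo', userAccountControl

$delegators | ForEach-Object {
    [PSCustomObject]@{
        Principal          = $_.Name
        ObjectClass        = $_.ObjectClass
        ProtocolTransition = [bool]($_.userAccountControl -band $UF_TRUSTED_TO_AUTH_FOR_DELEG)
        Targets            = ($_.'msDS-AllowedToDelegateTo' -join '; ')
    }
} | Format-Table -AutoSize

# 2. Which delegation targets are high-value hosts? Warn on any SPN whose host part
#    (FQDN or short name, optional :port stripped) is a domain controller.
$dcHosts = Get-ADDomainController -Filter * | ForEach-Object { $_.HostName; $_.Name }
foreach ($d in $delegators) {
    foreach ($spn in $d.'msDS-AllowedToDelegateTo') {
        $targetHost = ($spn -split '/')[1] -replace ':\d+$', ''
        if ($dcHosts -contains $targetHost) {
            Write-Warning "$($d.Name) may delegate to $spn on domain controller $targetHost"
        }
    }
}

# 3. Privileged accounts an impersonating principal could still act as: Domain Admins members
#    that are neither marked NOT_DELEGATED nor members of Protected Users.
$protectedDNs = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty DistinguishedName
Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties userAccountControl |
    Where-Object {
        -not ($_.userAccountControl -band $UF_NOT_DELEGATED) -and
        ($protectedDNs -notcontains $_.DistinguishedName)
    } |
    Select-Object SamAccountName, DistinguishedName
```

Any account surfaced by step 3 is a candidate for `Set-ADAccountControl -AccountNotDelegated $true` or membership in Protected Users; a delegating principal that does not need protocol transition can have it disabled with `Set-ADAccountControl -TrustedToAuthForDelegation $false`, and a delegation that is no longer required can be removed by clearing msDS-AllowedToDelegateTo on the object. Re-run the audit after each change, since the protection flags are per account and a single unmarked administrator is enough to keep the finding open.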