
Domain Escalation: Unconstrained Delegation

Yahya Khan
4 min read · Dec 25, 2024


Introduction

Post-Windows 2000, Microsoft introduced an option that lets users authenticate to one system via Kerberos and then work with another system. This is made possible by delegation. Unconstrained delegation is achieved via the TGT forwarding technique, which is what we'll talk about in this article.

Kerberos Delegation

Kerberos Delegation enables a service to impersonate a computer or user in order to engage with a second service using the user’s privileges and permissions.

The classic illustration of why delegation is necessary is a user who authenticates to a web server using Kerberos or other protocols, where the server then needs to interact with a SQL backend or file server.

Types of Kerberos Delegation:

Unconstrained delegation
Constrained delegation
RBCD (Resource-Based Constrained Delegation)
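
To audit which accounts carry each of the three delegation types listed above, the following added example (not code from the article) classifies directory records by the Active Directory attributes that configure delegation. The attribute names and userAccountControl bit values are the standard AD ones; the function names and the sample records are hypothetical and constructed for illustration.

```python
# Added example: classify directory objects by Kerberos delegation type.
# userAccountControl bit values are Microsoft's documented flag values.
TRUSTED_FOR_DELEGATION = 0x80000  # unconstrained delegation enabled
SERVER_TRUST_ACCOUNT = 0x2000     # domain controller computer account
ACCOUNTDISABLE = 0x2


def delegation_types(entry):
    """Return the sorted delegation types configured on one directory entry."""
    uac = int(entry.get("userAccountControl", 0))
    found = set()
    if uac & TRUSTED_FOR_DELEGATION:
        found.add("unconstrained")
    if entry.get("msDS-AllowedToDelegateTo"):
        found.add("constrained")
    # RBCD is set on the target resource: listed principals may delegate to it.
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        found.add("rbcd")
    return sorted(found)


def audit(entries):
    """Map each enabled account with delegation to its types and a review flag."""
    report = {}
    for e in entries:
        uac = int(e.get("userAccountControl", 0))
        types = delegation_types(e)
        if not types or uac & ACCOUNTDISABLE:
            continue
        # DCs carry unconstrained delegation by default; flag everything else.
        is_dc = bool(uac & SERVER_TRUST_ACCOUNT)
        review = "unconstrained" in types and not is_dc
        report[e["sAMAccountName"]] = {"types": types, "review": review}
    return report


# Constructed sample records (hypothetical names, not from the article).
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000},
    {"sAMAccountName": "svc-sql", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.corp.example:1433"]},
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},
    {"sAMAccountName": "OLD01$", "userAccountControl": 0x81002},  # disabled
    {"sAMAccountName": "PC07$", "userAccountControl": 0x1000},
]

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Accounts marked for review are the non-domain-controller hosts with unconstrained delegation, which are the ones an administrator would normally move to constrained delegation or RBCD.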

Service Principal Name

A unique name (identifier) of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have…
