Kerberos Delegation

Kerberos delegation is a feature of the Kerberos authentication protocol that allows a service to act on behalf of a user. It lets the service obtain Service Tickets for other services in the user's name, so the user does not have to authenticate to each back-end service separately.

For example, a user obtains a Service Ticket for WebServerOne, and WebServerOne in turn needs to perform actions on DatabaseOne for that user. Instead of giving WebServerOne its own standing access to DatabaseOne, Kerberos delegation lets WebServerOne request a ticket to DatabaseOne on the user's behalf, so DatabaseOne sees (and authorises) the user rather than the web server.

When Kerberos Delegation is configured on a computer, the Key Distribution Center (KDC) includes a copy of the authenticating user's Ticket-Granting-Ticket inside the

When a user authenticates to a service on a computer configured for unconstrained delegation, the KDC includes a forwardable copy of the user's Ticket-Granting-Ticket (TGT) in the Service Ticket, and the service caches that TGT in the computer's memory (LSASS) for later use. This is why unconstrained delegation is dangerous: anyone with administrative access to such a host can extract every cached TGT and impersonate those users anywhere in the domain. Accounts marked "sensitive and cannot be delegated" or placed in the Protected Users group do not get a forwardable TGT and are therefore not exposed this way.

There are two types of Kerberos delegation: Unconstrained Delegation, where the service can use the cached TGT against any service, and Constrained Delegation, where the service may only request tickets for the services listed in its msDS-AllowedToDelegateTo attribute. Constrained delegation also has a newer variant, Resource-Based Constrained Delegation (RBCD), where the allow-list is set on the target resource (msDS-AllowedToActOnBehalfOfOtherIdentity) rather than on the front-end service.
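The first thing a practitioner does with this material is enumerate which accounts in a domain carry which delegation type. The following Python is an added example, not code from the original page: it classifies account records by the userAccountControl bits and delegation attributes that an LDAP query (ldapsearch, Get-ADComputer, a domain dump) returns, ranks the findings, and flags the domain controllers, which are unconstrained by design. The records in SAMPLE_ENTRIES are constructed for illustration and are not real hosts; the attribute names and bit values are Microsoft's.

```python
"""Find and classify Kerberos delegation settings on Active Directory accounts.

Added example, not code from the original page. It works on plain dict records
shaped like the attributes an LDAP search returns; the records in
SAMPLE_ENTRIES below are constructed for illustration and are not real hosts.
"""
from typing import Dict, List

# userAccountControl bits that matter for delegation (Microsoft-documented values)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account

DOMAIN_CONTROLLERS_RID = 516                # primaryGroupID of DC computer accounts


def classify_delegation(entry: Dict) -> str:
    """Return which delegation flavour an account is configured for.

    Unconstrained is checked first: a host with TRUSTED_FOR_DELEGATION set will
    cache any forwardable TGT sent to it regardless of other attributes.
    """
    uac = int(entry.get("userAccountControl", 0))
    targets = entry.get("msDS-AllowedToDelegateTo") or []
    rbcd_sd = entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity")

    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets:
        # Protocol transition (S4U2Self) lets the service get a ticket for a
        # user who never authenticated to it with Kerberos: the riskier mode.
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-protocol-transition"
        return "constrained-kerberos-only"
    if rbcd_sd:
        # RBCD is configured on the target: the security descriptor names the
        # accounts that are allowed to delegate to this resource.
        return "rbcd-target"
    return "none"


def is_domain_controller(entry: Dict) -> bool:
    uac = int(entry.get("userAccountControl", 0))
    return bool(uac & SERVER_TRUST_ACCOUNT) or \
        int(entry.get("primaryGroupID", 0)) == DOMAIN_CONTROLLERS_RID


def is_delegation_protected(entry: Dict) -> bool:
    """True if this account's TGT cannot be delegated: NOT_DELEGATED bit set,
    or membership in Protected Users (which makes the TGT non-forwardable)."""
    uac = int(entry.get("userAccountControl", 0))
    groups = [g.lower() for g in entry.get("memberOf", [])]
    return bool(uac & NOT_DELEGATED) or any("cn=protected users," in g for g in groups)


SEVERITY = {
    "unconstrained": 3,
    "constrained-protocol-transition": 2,
    "constrained-kerberos-only": 1,
    "rbcd-target": 1,
    "none": 0,
}


def delegation_report(entries: List[Dict]) -> List[Dict]:
    """List every account with some form of delegation, worst first.
    Domain controllers are unconstrained by design; they are kept in the
    output but marked expected so a reviewer can separate them."""
    findings = []
    for e in entries:
        kind = classify_delegation(e)
        if kind == "none":
            continue
        findings.append({
            "name": e["sAMAccountName"],
            "delegation": kind,
            "targets": list(e.get("msDS-AllowedToDelegateTo") or []),
            "expected": kind == "unconstrained" and is_domain_controller(e),
        })
    findings.sort(key=lambda f: (f["expected"], -SEVERITY[f["delegation"]], f["name"]))
    return findings


# Constructed sample records (not real hosts), shaped like LDAP results.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "primaryGroupID": 516},
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x81000},  # unconstrained member server
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1001000,  # constrained + protocol transition
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/databaseone.corp.local:1433"]},
    {"sAMAccountName": "WEB02$", "userAccountControl": 0x1000,     # Kerberos-only constrained
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/databaseone.corp.local:1433"]},
    {"sAMAccountName": "SQL01$", "userAccountControl": 0x1000,     # RBCD set on the target
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"\x01\x00\x04\x80"},  # placeholder bytes
    {"sAMAccountName": "da.admin", "userAccountControl": 0x100200,  # NORMAL_ACCOUNT | NOT_DELEGATED
     "memberOf": ["CN=Protected Users,CN=Users,DC=corp,DC=local"]},
    {"sAMAccountName": "WS042$", "userAccountControl": 0x1000},     # plain workstation
]

if __name__ == "__main__":
    for f in delegation_report(SAMPLE_ENTRIES):
        tag = " (domain controller, expected)" if f["expected"] else ""
        print(f"{f['name']:10} {f['delegation']}{tag} {' '.join(f['targets'])}")
    print("da.admin protected from delegation:", is_delegation_protected(SAMPLE_ENTRIES[5]))
```

Run on a real export, the report surfaces FILE01$-style hosts first: a member server with unconstrained delegation is the one worth chasing, because every privileged user who touches it leaves a forwardable TGT in its memory. The constrained entries are less urgent but still worth reviewing, since an attacker who compromises WEB01$ can mint tickets to the listed SPNs for any non-protected user via protocol transition.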
