Constrained Delegation


  • Service for the user to itself (S4U2self): If a service account has a "UserAccountControl" value containing TRUSTED_TO_AUTH_FOR_DELEGATION (T2A4D), then it can obtain a TGS for itself (the service) on behalf of any other user.

  • Service for user to proxy (S4U2proxy): A service account can obtain a TGS on behalf of any user for the service defined in "msDS-AllowedToDelegateTo". To do this, it first needs a TGS from that user for itself, but it can use S4U2self to obtain this TGS before requesting the other.

Note: If a user is marked as "Sensitive account and cannot be delegated", you won't be able to impersonate them.

To summarize without going into too much detail: when a user requests the use of a service that will itself use a resource, the service must authenticate itself to resource B as the user. It will then ask the KDC for a TGS (Ticket Granted Service) in the user's name, encrypted with the service's hash. This TGS will then be sent to the service for validation.

This means that if you compromise the service hash, you can impersonate users and gain access on their behalf to the services configured in the msDS-AllowedToDelegateTo attribute.

A closer look at the management of the delegation reveals two points:

  • In the first case, the TRUSTED_FOR_DELEGATION flag is set on the account, and the service can only relay kerberos authentications. It cannot use the S4U2Self extension to create a ticket.

  • In the second case, the TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION flag is set. If this is the case, then the service with this capability can impersonate any of the services in its list via the S4U2Self extension.

For example, if you have access to the CIFS service, you may also have access to the HOST service. Note that if you have access to the LDAP service on the DC, you will have sufficient privileges to use a DCSync-type attack.

Machine account can edite their own msDS-AllowedToDelegateTo own and so perform S4U2Self to impersonate anyone on the machine.


Find delegation: <DOMAIN>/<USER>:<PASSWORD> -target-domain <DOMAIN>

Exploit by requesting a TGS: -spn 'CIFS/<COMPUTER>' -impersonate <DOMAIN_ADMIN> -dc-ip <DC_IP> <DOMAIN>/<USER>:<PASSWORD>

Last updated