{"id":4658,"date":"2025-10-06T20:03:00","date_gmt":"2025-10-07T00:03:00","guid":{"rendered":"https:\/\/adsecurity.org\/?p=4658"},"modified":"2026-02-27T13:18:13","modified_gmt":"2026-02-27T18:18:13","slug":"active-directory-security-tip-12-kerberos-delegation","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=4658","title":{"rendered":"Active Directory Security Tip #12: Kerberos Delegation"},"content":{"rendered":"\n<p>I have mentioned in several presentations that Kerberos delegation is impersonation. Kerberos delegation is used when a service (ex. web server) needs to impersonate a user when connecting to a resource (ex. database).<\/p>\n\n\n\n<p>There are 4 types of Kerberos delegation:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/previous-versions\/windows\/microsoft-desktop-optimization-pack\/appv-v4\/how-to-configure-the-server-to-be-trusted-for-delegation\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/previous-versions\/windows\/microsoft-desktop-optimization-pack\/appv-v4\/how-to-configure-the-server-to-be-trusted-for-delegation\">Unconstrained <\/a>&#8211; impersonate authenticated user to any Kerberos service [<a href=\"https:\/\/adsecurity.org\/?page_id=4031\" data-type=\"page\" data-id=\"4031\">Risk of Unconstrained delegation<\/a>]<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/kerberos\/kerberos-constrained-delegation-overview\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/kerberos\/kerberos-constrained-delegation-overview\">Constrained <\/a>&#8211; impersonate authenticated user to specific Kerberos services<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/troubleshoot\/windows-server\/active-directory\/configure-kerberos-constrained-delegation\" data-type=\"link\" 
data-id=\"https:\/\/learn.microsoft.com\/en-us\/troubleshoot\/windows-server\/active-directory\/configure-kerberos-constrained-delegation\">Kerberos Constrained Delegation Protocol Transition<\/a> &#8211; impersonate any user account to specific Kerberos services<\/li>\n\n\n\n<li><a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/kerberos\/kerberos-constrained-delegation-overview\" data-type=\"link\" data-id=\"https:\/\/learn.microsoft.com\/en-us\/windows-server\/security\/kerberos\/kerberos-constrained-delegation-overview\">Resource-based Constrained Delegation<\/a> &#8211; enables delegation configured on the resource instead of the account<\/li>\n<\/ul>\n\n\n\n<p>Unconstrained delegation should be converted to constrained delegation <a href=\"https:\/\/adsecurity.org\/?p=1667\" data-type=\"link\" data-id=\"https:\/\/adsecurity.org\/?p=1667\">due to security concerns<\/a>. Any Kerberos delegation that is no longer required should be removed. If there&#8217;s no associated Kerberos service principal name, Kerberos authentication isn&#8217;t working and this should be fixed or removed.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"276\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-1-1024x276.png\" alt=\"\" class=\"wp-image-4775\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-1-1024x276.png 1024w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-1-300x81.png 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-1-768x207.png 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-1-823x222.png 823w, https:\/\/adsecurity.org\/wp-content\/uploads\/2025\/10\/image-1.png 1176w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>PowerShell code using the Active Directory PowerShell module:<br> <a 
href=\"https:\/\/github.com\/PyroTek3\/ActiveDirectory\/blob\/main\/Get-ADKerberosDelegation.ps1\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/PyroTek3\/ActiveDirectory\/blob\/main\/Get-ADKerberosDelegation.ps1<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have mentioned in several presentations that Kerberos delegation is impersonation. Kerberos delegation is used when a service (ex. web server) needs to impersonate a user when connecting to a resource (ex. database). There are 4 types of Kerberos delegation: Unconstrained delegation should be converted to constrained delegation due to security concerns. Any Kerberos &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=4658\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[565,7],"tags":[1469,1489,1487,1490,1488],"class_list":["post-4658","post","type-post","status-publish","format-standard","hentry","category-activedirectorysecurity","category-powershell","tag-activedirectorysecuritytip","tag-constraineddelegation","tag-kerberosdelegation","tag-protocoltransition","tag-unconstraineddelegation","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4658","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4658"}],"version-history":[{"count":5,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4658\/revisions"}],"predecessor-versi
on":[{"id":4965,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4658\/revisions\/4965"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4658"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4658"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4658"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}