Delegation is the act of doing something on behalf of another. Kerberos needs it because authentication isn't inherently transitive: a service that a user has authenticated to cannot, on its own, authenticate to a second service as that user.

Unconstrained (TGT Forwarding)

A service can use the client's TGT to request tickets on the client's behalf. The computer the service runs on must be configured for this by having TrustedForDelegation enabled. With this configuration, the client's forwarded TGTs are cached in the computer's memory so the service account can delegate.

A SYSTEM compromise of this computer allows for the impersonation of any user whose TGT is cached there. We can simply harvest the tickets from memory and pass them into a session.

Furthering this, we can try to use tools like spoolsample to coerce authentication from other hosts so we can grab their TGTs too. This is similar to the basis of NTLM relaying.

Constrained (S4U2PROXY)

A computer or service account with TrustedToAuth may impersonate any user to the service(s) specified in its msDS-AllowedToDelegateTo property. This works by the service/computer account using S4U2SELF to obtain a forwardable TGS to itself on behalf of any user. Then S4U2PROXY is used: the forwardable TGS obtained via S4U2SELF is presented to request another ticket, this time to the service listed in the msDS-AllowedToDelegateTo property of the service account.
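An audit helper that classifies accounts by the delegation settings described above, added here as an example rather than code from the original notes. The userAccountControl bit values are the real ADS_UF_* constants; the account records are constructed stand-ins for what an LDAP search of the domain would return, and the attribute spellings and hostnames in them are assumptions.

```python
# Classify Active Directory accounts by delegation configuration using the
# userAccountControl bits and the msDS-AllowedToDelegateTo attribute.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained: host caches forwarded TGTs
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: S4U2SELF ticket is forwardable
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"


def classify_delegation(account: dict) -> str:
    """Return which delegation type an account record is configured for."""
    uac = int(account.get("userAccountControl", 0))
    targets = account.get("msDS-AllowedToDelegateTo") or []
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-protocol-transition"   # S4U2SELF + S4U2PROXY, any user
    if targets:
        return "constrained-kerberos-only"         # S4U2PROXY only, needs a real client ticket
    return "none"


def audit(accounts: list) -> list:
    """List every account that can delegate as (name, type, targets).
    Unconstrained hosts are the ones to review first: a SYSTEM compromise there
    yields TGTs for every user who authenticated to the host."""
    return [
        (a["sAMAccountName"], classify_delegation(a), a.get("msDS-AllowedToDelegateTo") or [])
        for a in accounts
        if classify_delegation(a) != "none"
    ]


def unprotected_high_value(accounts: list, sensitive_names: set) -> list:
    """Privileged accounts that lack NOT_DELEGATED, so their TGTs can still be
    forwarded to (and harvested from) an unconstrained host."""
    return [a["sAMAccountName"] for a in accounts
            if a["sAMAccountName"] in sensitive_names
            and not int(a.get("userAccountControl", 0)) & NOT_DELEGATED]


# Constructed sample records (not real directory data). Other bits used:
# 0x2000 SERVER_TRUST_ACCOUNT, 0x1000 WORKSTATION_TRUST_ACCOUNT,
# 0x200 NORMAL_ACCOUNT, 0x10000 DONT_EXPIRE_PASSWORD.
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000},   # DCs are unconstrained by default
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["cifs/FS01.corp.example"]},
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/DB01.corp.example:1433"]},
    {"sAMAccountName": "admin.jane", "userAccountControl": 0x200},
    {"sAMAccountName": "admin.bob", "userAccountControl": 0x100200},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
    print("unprotected admins:", unprotected_high_value(SAMPLE, {"admin.jane", "admin.bob"}))
```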