Updated on September 11, 2025
Kerberos delegation is a powerful and essential feature in multi-tier application environments, allowing a service to impersonate a user to access resources on another service’s behalf. For example, a web server might need to access a back-end database using the identity of the user who authenticated to the web server. While a critical feature for functionality, delegation, if misconfigured, represents a significant security risk. This makes a technical understanding of its different types and how they work a requirement for any security professional.
Definition and Core Concepts
Kerberos delegation is a Windows-specific feature of the Kerberos protocol. It allows a front-end service to use a user’s authenticated identity to request a service ticket for another back-end service. The front-end service then uses this ticket to access the back-end resource on behalf of the user.
- Delegated Authentication: The core principle is that a service receives a user’s credentials and uses them to obtain new tickets for other services, as if it were the user.
- Service Principal Name (SPN): A Service Principal Name is a unique identifier that a client uses to request a Kerberos service ticket for a specific service instance. Proper SPN configuration is a prerequisite for all forms of delegation.
- Ticket-Granting Ticket (TGT): The Ticket-Granting Ticket is the master ticket a user receives upon initial authentication. In some forms of delegation, a copy of the TGT is used by the delegating service to request new tickets.
How It Works: The Types of Delegation
There are three primary types of Kerberos delegation, each with different security implications. Understanding the distinction between them is critical for securing an Active Directory environment.
Unconstrained Delegation (Insecure)
This is the oldest and most dangerous form of delegation. A service is configured with the setting "Trust this computer for delegation to any service (Kerberos only)". When a user authenticates to this service, a forwardable copy of the user’s TGT is sent to the front-end service together with the service ticket. The front-end service can then use this TGT to request a service ticket for any other service in the domain, effectively impersonating the user without restriction.
The primary security risk is severe. If a service configured with unconstrained delegation is compromised, an attacker can steal the TGTs of every user who has accessed it. An attacker can then use these TGTs to perform a Pass-the-Ticket attack and impersonate those users, including domain administrators.
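Because domain controllers are trusted for unconstrained delegation by design, an audit has to separate them from the accounts that actually warrant attention. The following PowerShell is an added example (not code from the original article) that lists every non-DC computer and every user account carrying the flag, together with the SPNs registered on it, and shows the remediation step. It assumes the ActiveDirectory RSAT module and read access to the domain; the account name in the commented remediation line is a hypothetical placeholder.

```powershell
# Added example: enumerate accounts trusted for unconstrained delegation.
# Requires the ActiveDirectory RSAT module and read access to the domain.
# Equivalent LDAP filter: (userAccountControl:1.2.840.113556.1.4.803:=524288)
Import-Module ActiveDirectory

# Domain controllers are trusted for unconstrained delegation by design
# (their primaryGroupID is 516, "Domain Controllers"); exclude them so the
# report contains only the member servers and service accounts to review.
$DomainControllersGroupRid = 516

$unconstrainedComputers = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' `
    -Properties TrustedForDelegation, PrimaryGroupID, ServicePrincipalNames, OperatingSystem |
    Where-Object { $_.PrimaryGroupID -ne $DomainControllersGroupRid }

# Service accounts (user objects) can carry the same flag.
$unconstrainedUsers = Get-ADUser -Filter 'TrustedForDelegation -eq $true' `
    -Properties TrustedForDelegation, ServicePrincipalNames

$findings = @($unconstrainedComputers) + @($unconstrainedUsers) | ForEach-Object {
    [pscustomobject]@{
        Name        = $_.SamAccountName
        ObjectClass = $_.ObjectClass
        SPNs        = ($_.ServicePrincipalNames -join '; ')
        DN          = $_.DistinguishedName
    }
}

$findings | Format-Table -AutoSize

# Remediation for a confirmed finding: clear the flag, then reconfigure the
# service for constrained or resource-based delegation if it truly needs one.
# 'WEB01$' is a hypothetical computer account; use the object from the report.
# Set-ADAccountControl -Identity 'WEB01$' -TrustedForDelegation $false
```

Run the report on a schedule and diff it against the previous run; a new entry outside the change process is worth an incident ticket, because the flag can only be set by someone with write access to the account's userAccountControl attribute.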
Kerberos Constrained Delegation (KCD)
Kerberos Constrained Delegation, or KCD, is the more secure, modern approach to delegation. Delegation is explicitly configured to a specific list of target services. A service is configured with the setting "Trust this computer for delegation to specified services only".
The process for KCD is more controlled. The front-end service receives a user’s authentication and their TGT. It then requests a ticket from the Key Distribution Center’s Ticket-Granting Service (TGS), which validates that delegation to the specified target service is explicitly allowed. If allowed, the TGS issues a new service ticket for the user to the target service. The front-end service then uses this new ticket to access the back-end.
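The allow-list that the TGS consults is the msDS-AllowedToDelegateTo attribute on the front-end account. The following PowerShell is an added example, not code from the original article, that configures KCD for a hypothetical web-tier service account (svc_webapp) so it may delegate to a single hypothetical SQL Server SPN (MSSQLSvc/sql01.corp.example.com:1433), after first confirming that the target SPN exists on exactly one account. It keeps the account in Kerberos-only mode, leaving protocol transition ("Use any authentication protocol") disabled, so the front-end can only delegate identities that actually authenticated to it with Kerberos.

```powershell
# Added example: configure Kerberos Constrained Delegation (KCD) for a
# front-end service account so that it may delegate to one back-end SPN only.
# Account and SPN names are hypothetical placeholders.
Import-Module ActiveDirectory

$frontEndAccount = 'svc_webapp'                            # account running the web tier
$backEndSpn      = 'MSSQLSvc/sql01.corp.example.com:1433'  # the only permitted target

# 1. The target SPN must be registered on exactly one account, otherwise the
#    KDC cannot select a key and will not issue a ticket for it.
$spnOwner = Get-ADObject -LDAPFilter "(servicePrincipalName=$backEndSpn)" -Properties servicePrincipalName
if (-not $spnOwner) { throw "SPN $backEndSpn is not registered on any account." }
if (@($spnOwner).Count -gt 1) { throw "SPN $backEndSpn is duplicated; Kerberos will fail." }

# 2. Record the allowed target. msDS-AllowedToDelegateTo is the attribute behind
#    "Trust this computer for delegation to specified services only".
Set-ADUser -Identity $frontEndAccount -Add @{ 'msDS-AllowedToDelegateTo' = $backEndSpn }

# 3. Kerberos-only constrained delegation: the unconstrained flag stays off and
#    protocol transition (TrustedToAuthForDelegation) stays off.
Set-ADAccountControl -Identity $frontEndAccount -TrustedForDelegation $false -TrustedToAuthForDelegation $false

# 4. Verify the resulting configuration.
Get-ADUser -Identity $frontEndAccount -Properties msDS-AllowedToDelegateTo, TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object SamAccountName, TrustedForDelegation, TrustedToAuthForDelegation,
        @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join '; ' } }
```

If the back-end is reached under more than one name (for example both the host FQDN and a DNS alias), each SPN the clients will request must be added to the list; the TGS matches the requested SPN string exactly.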
Resource-Based Constrained Delegation (RBCD)
Resource-Based Constrained Delegation, or RBCD, is the most recent and secure form of delegation. Instead of configuring delegation on the delegating service, it is configured on the target resource. The target service—for example, the database server—is configured with a list of front-end services that are allowed to delegate to it. This provides granular control and simplifies delegation across different domains and forests.
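With RBCD the allow-list is a security descriptor stored in msDS-AllowedToActOnBehalfOfOtherIdentity on the resource, and the ActiveDirectory module exposes it through the PrincipalsAllowedToDelegateToAccount parameter. The following PowerShell is an added example, not code from the original article, that grants a hypothetical front-end host (WEB01) the right to delegate to a hypothetical back-end host (SQL01), verifies the setting, and then audits the whole domain for resources that have RBCD configured and which principals each one trusts.

```powershell
# Added example: configure and audit Resource-Based Constrained Delegation.
# Unlike KCD, the allow-list lives on the back-end (the resource), so the
# resource owner decides which front-ends may delegate to it.
# SQL01 (back-end) and WEB01 (front-end) are hypothetical computer accounts.
Import-Module ActiveDirectory

$backEnd  = Get-ADComputer -Identity 'SQL01'
$frontEnd = Get-ADComputer -Identity 'WEB01'

# PrincipalsAllowedToDelegateToAccount writes the security descriptor stored in
# msDS-AllowedToActOnBehalfOfOtherIdentity on the back-end object.
Set-ADComputer -Identity $backEnd -PrincipalsAllowedToDelegateToAccount $frontEnd

# Verify: the cmdlet resolves the descriptor back to the allowed principals.
Get-ADComputer -Identity $backEnd -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount

# Audit across the domain: any object with the attribute populated has RBCD
# enabled. Write access to this attribute on a resource is equivalent to the
# right to choose who may impersonate users against that resource, so review
# both the allow-list and who can modify it.
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
    ForEach-Object {
        # The module returns the attribute as an ActiveDirectorySecurity object.
        $sd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        $allowed = $sd.Access |
            Where-Object { $_.AccessControlType -eq 'Allow' } |
            ForEach-Object { $_.IdentityReference.Value }
        [pscustomobject]@{
            Resource         = $_.Name
            AllowedFrontEnds = ($allowed -join '; ')
        }
    } | Format-Table -AutoSize

# To revoke delegation to the resource, clear the list:
# Set-ADComputer -Identity $backEnd -PrincipalsAllowedToDelegateToAccount $null
```

Identities in the audit output may appear as SIDs rather than names when the principal lives in another domain or forest, which is exactly the cross-boundary case RBCD is designed for; resolve them before deciding whether an entry is expected.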
Troubleshooting and Considerations
Misconfigurations in Kerberos delegation can lead to application failures and significant security vulnerabilities. Proper management requires attention to several key areas.
- SPN Issues: The most common failure point for delegation is an incorrect or missing SPN. The Kerberos Key Distribution Center (KDC) uses the SPN to locate the correct service account and cannot issue a service ticket without it.
- Privilege Escalation: Unconstrained delegation is a highly sought-after misconfiguration for attackers. A low-privilege service account with unconstrained delegation can be used to escalate privileges to a domain administrator if a privileged user authenticates to it.
- Security Best Practices: Due to the inherent risks, unconstrained delegation should be avoided wherever possible. KCD and especially RBCD are the recommended methods, as they follow the principle of least privilege by restricting delegation to only the services that absolutely require it.
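Two checks follow directly from the points above: privileged accounts should not be delegatable at all, so that a compromised delegating service yields no administrator impersonation, and SPNs must be unique, since a duplicate SPN is the usual cause of ticket requests failing. The following PowerShell is an added example, not code from the original article. It reports Domain Admins members that are neither marked "Account is sensitive and cannot be delegated" nor members of the Protected Users group (both of which prevent delegation of the account), and then indexes every SPN in the domain to report collisions. It assumes the ActiveDirectory module and a domain functional level that includes the Protected Users group.

```powershell
# Added example: hardening checks for the delegation risks listed above.
# (a) privileged users that a delegating service could impersonate
# (b) duplicate SPNs, the most common cause of delegation failures
Import-Module ActiveDirectory

# (a) Members of Domain Admins should have AccountNotDelegated set and/or be in
#     Protected Users. Either prevents a front-end from obtaining tickets on
#     their behalf, whatever the front-end's delegation settings are.
$protectedUsers = @(Get-ADGroupMember -Identity 'Protected Users' -Recursive |
    Select-Object -ExpandProperty DistinguishedName)

$exposedAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties AccountNotDelegated |
    Where-Object { -not $_.AccountNotDelegated -and $_.DistinguishedName -notin $protectedUsers }

$exposedAdmins | Select-Object SamAccountName, AccountNotDelegated | Format-Table -AutoSize

# Remediation, once confirmed these are interactive admin accounts and not
# service accounts that legitimately depend on delegation:
# $exposedAdmins | Set-ADAccountControl -AccountNotDelegated $true
# $exposedAdmins | ForEach-Object { Add-ADGroupMember -Identity 'Protected Users' -Members $_ }

# (b) Duplicate SPNs: when two accounts claim the same SPN the KDC cannot pick
#     a key, so clients fall back to NTLM or fail outright. Build an index of
#     every SPN (case-insensitive) and report any that map to more than one DN.
#     The built-in 'setspn -X' performs a comparable forest-wide check.
$spnIndex = @{}
Get-ADObject -LDAPFilter '(servicePrincipalName=*)' -Properties servicePrincipalName |
    ForEach-Object {
        foreach ($spn in $_.servicePrincipalName) {
            $key = $spn.ToLowerInvariant()
            if (-not $spnIndex.ContainsKey($key)) {
                $spnIndex[$key] = [System.Collections.Generic.List[string]]::new()
            }
            $spnIndex[$key].Add($_.DistinguishedName)
        }
    }

$duplicates = $spnIndex.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
foreach ($dup in $duplicates) {
    Write-Warning ("Duplicate SPN {0} registered on: {1}" -f $dup.Key, ($dup.Value -join '; '))
}
```

The AccountNotDelegated flag is the per-account control and Protected Users is the group-based one; applying both to tier-0 accounts is the simplest way to guarantee that even a misconfigured unconstrained-delegation host cannot be used to obtain tickets for an administrator.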
Key Terms Appendix
- Kerberos Delegation: A feature that allows a service to impersonate a user to access other services.
- Unconstrained Delegation: An insecure form of delegation where a service can request tickets for any other service.
- Constrained Delegation (KCD): A more secure form of delegation that restricts the services that can be delegated to.
- Resource-Based Constrained Delegation (RBCD): The newest form of delegation, configured on the target resource.
- Service Principal Name (SPN): A unique identifier for a service.
- Ticket-Granting Ticket (TGT): The master ticket that is sometimes delegated.