Constrained delegation is a safer form of Kerberos delegation. In contrast to unconstrained delegation, it restricts the set of services to which the server can present a user's delegated credentials. This means that the server can be configured to present delegated credentials only to the database server, rather than to any arbitrary service.
```powershell
# Enumerating with PowerView
Get-DomainComputer -TrustedToAuth -Properties DnsHostName, MSDS-AllowedToDelegateTo
```

```cypher
// Enumerating with BloodHound
MATCH (c:Computer), (t:Computer), p=((c)-[:AllowedToDelegate]->(t)) RETURN p
```
- When enumerating constrained delegation, enumerating the service type is extremely important. For example, enumerating
means that we are able to execute PsExec against the host as well as upload and/or download files.
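To make the service type visible at a glance, the added audit helper below (example code, not PowerView's or the page's own) groups each account's `msDS-AllowedToDelegateTo` SPNs by target host and service class and flags protocol transition, which lets the service impersonate users who never authenticated to it. The input records are constructed to mirror the properties the PowerView command above returns; the lowercase key names and the sample hosts are assumptions.

```python
"""Audit constrained-delegation entries by target host and service class."""
from collections import defaultdict

# userAccountControl bit TRUSTED_TO_AUTH_FOR_DELEGATION: protocol transition is
# enabled, so the service can request tickets for any user via S4U2Self.
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

# Service classes worth reviewing first: cifs covers SMB file shares (the file
# upload/download case above); HOST is an alias that covers several Windows
# services at once.
HIGH_IMPACT_CLASSES = {"cifs", "host"}

def parse_spn(spn):
    """Split 'class/host[:port][/name]' into (service_class, host), lowercased."""
    service_class, _, rest = spn.partition("/")
    host = rest.split("/")[0].split(":")[0]
    return service_class.lower(), host.lower()

def audit(records):
    """Return {source_host: {protocol_transition, targets, high_impact}}."""
    report = {}
    for rec in records:
        targets = defaultdict(set)
        for spn in rec.get("msds-allowedtodelegateto", []):
            service_class, host = parse_spn(spn)
            targets[host].add(service_class)
        high = sorted((c, h) for h, cs in targets.items()
                      for c in cs if c in HIGH_IMPACT_CLASSES)
        uac = rec.get("useraccountcontrol", 0)
        report[rec["dnshostname"].lower()] = {
            "protocol_transition": bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION),
            "targets": {h: sorted(cs) for h, cs in targets.items()},
            "high_impact": high,
        }
    return report

# Constructed sample records (assumed hosts; 0x1000 = WORKSTATION_TRUST_ACCOUNT).
SAMPLE = [
    {"dnshostname": "WEB01.corp.local", "useraccountcontrol": 0x1001000,
     "msds-allowedtodelegateto": ["MSSQLSvc/sql01.corp.local:1433",
                                  "MSSQLSvc/sql01.corp.local"]},
    {"dnshostname": "APP02.corp.local", "useraccountcontrol": 0x1000,
     "msds-allowedtodelegateto": ["cifs/fs01.corp.local", "cifs/fs01",
                                  "HOST/fs01.corp.local"]},
]

if __name__ == "__main__":
    for src, info in audit(SAMPLE).items():
        flag = " [protocol transition]" if info["protocol_transition"] else ""
        print(f"{src}{flag}")
        for host, classes in info["targets"].items():
            print(f"  -> {host}: {', '.join(classes)}")
        if info["high_impact"]:
            print("  review first:", ", ".join(f"{c}/{h}" for c, h in info["high_impact"]))
```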
{% embed url="" %}
{% embed url="" %}