No signup. No paywall. No catch.One of our 10 most-requested practitioner modules — published in full so anyone can learn for free. We earn through consulting, not by gating knowledge.
Why this module exists. Kerberos delegation is one of the most-misunderstood AD features and one of the most-abused. Three flavours, all dangerous when misconfigured: Unconstrained (legacy, terrifying), Constrained (better, still bad), and Resource-Based Constrained Delegation (the new one, with its own attack class).
Why this module exists. Kerberos delegation is one of the most-misunderstood AD features and one of the most-abused. Three flavours, all dangerous when misconfigured: Unconstrained (legacy, terrifying), Constrained (better, still bad), and Resource-Based Constrained Delegation (the new one, with its own attack class). Every red team checks all three.
Why delegation exists
Tiered apps need to act on behalf of users. Web server gets request from Alice → web server queries SQL backend → SQL backend should know “Alice is asking” not “the web server is asking”. Without delegation, the web server would need Alice’s password.
Delegation gives the web server’s account the right to request tickets for other users, scoped (or unscoped, depending on flavour) to specific services.
Want this for your team?
Custom team training + practitioner advisory
Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.
