Module 8 · Kerberos Delegation Abuse

Manish Garg · Associate of (ISC)² · RingSafe
Apr 22, 2026
4 min read

Last updated: April 29, 2026

Unconstrained, constrained, RBCD. S4U2Self + S4U2Proxy, MachineAccountQuota, PetitPotam coercion.

Kerberos delegation lets a service act on behalf of a user when talking to another service. A web frontend authenticates the user and needs to query the backend DB as that user; delegation makes this work without the user authenticating directly to the DB. It’s a useful feature. It’s also one of the most abused paths to Domain Admin in modern engagements.

The three delegation types

  • Unconstrained: the service can act as the user towards ANY other service. An attacker who compromises an unconstrained-delegation server obtains the TGT of every user who authenticates to it.
  • Constrained: the service can act as the user only towards SPECIFIC other services. Abused via the S4U2Self + S4U2Proxy chain.
  • Resource-Based Constrained Delegation (RBCD): introduced in 2012. The target resource specifies which accounts can delegate to it. This changed the attack surface significantly.
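As an added defender-side example (not part of this module): a small audit that sorts account records from an LDAP export into the three delegation types above, using the userAccountControl bits and delegation attributes AD actually stores. The kind labels, the risk ranking and the sample records are my constructions; the attribute names and bit values are Microsoft's.

```python
# Added example: classify Active Directory accounts by Kerberos delegation
# posture from their LDAP attributes, to audit the three types described above.
# Attribute names and UAC bit values are Microsoft's; labels, ranking and
# sample records are constructed for this example.

SERVER_TRUST_ACCOUNT = 0x2000               # userAccountControl: DC computer account
TRUSTED_FOR_DELEGATION = 0x80000            # userAccountControl: unconstrained
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl: protocol transition


def classify_delegation(acct):
    """Return (kind, risk) for one account dict keyed by LDAP attribute name."""
    uac = acct.get("userAccountControl", 0)
    if uac & TRUSTED_FOR_DELEGATION:
        # Expected on DCs; on any other host it exposes every caller's TGT.
        if uac & SERVER_TRUST_ACCOUNT:
            return "unconstrained (domain controller)", "expected"
        return "unconstrained", "high"
    if acct.get("msDS-AllowedToDelegateTo"):
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            # S4U2Self can mint tickets for users who never authenticated here.
            return "constrained, protocol transition", "high"
        return "constrained, Kerberos only", "medium"
    if acct.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        # RBCD lives on the *target*: review which principals this SD grants.
        return "rbcd target", "medium"
    return "none", "low"


def audit(accounts):
    """Findings worth a ticket (high first, then by name); 'expected' and 'low' drop out."""
    out = [(a["sAMAccountName"], *classify_delegation(a)) for a in accounts]
    out = [f for f in out if f[2] in ("high", "medium")]
    return sorted(out, key=lambda f: (f[2] != "high", f[0]))


# Constructed sample export (fictional hosts); 0x1000 = WORKSTATION_TRUST_ACCOUNT.
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | 0x80000},
    {"sAMAccountName": "FILE01$", "userAccountControl": 0x1000 | 0x80000},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000 | 0x1000000,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.example:1433"]},
    {"sAMAccountName": "APP01$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["HTTP/api01.corp.example"]},
    {"sAMAccountName": "SQL01$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": b"<constructed security descriptor>"},
    {"sAMAccountName": "WS01$", "userAccountControl": 0x1000},
]

if __name__ == "__main__":
    for name, kind, risk in audit(SAMPLE):
        print(f"{risk:6} {name:9} {kind}")
```

On a real domain the same classification applies to the output of an LDAP search for computer and service accounts; the DC entry is the one unconstrained result you expect to see.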