Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2019-05-27) (Un)Constrained Kerberos Delegation

Posted by Jorge on 2019-05-26


Within Windows Server Kerberos Delegation can be used to, for example, access data in a SQL database by a front-end service on behalf of the user accessing the front-end service.

The flow then looks like: USER (U)  —— access—-> FRONT-END SERVICE (FE) —— access on behalf of “U”—-> DATA (D).

While U accesses FE, FE then needs to access D on behalf of U. The “on behalf of” part is achieved through Kerberos Delegation.

When looking at Kerberos Delegation there are three flavors that can be used

  1. Unconstrained Kerberos Delegation
  2. Constrained Kerberos Delegation
  3. Resource-Based Kerberos Delegation

[ad.1] Unconstrained Kerberos Delegation

This is available in since Windows Server 2000 up to the latest and greatest version of Windows available today. It is VERY INSECURE, therefore avoid this if possible! Why is it insecure? Well, with UNconstrained Kerberos Delegation, the FE, when configured for Unconstrained Kerberos Delegation, is allowed to access ANY service without restrictions, and not just D. You could also call this “Account-Based Unconstrained Kerberos Delegation”

Imagine a bank vault (the “D”) and many other bank vaults and a bank clerk (the “FE”). The bank clerk is configured to access any access any bank vault on behalf of clients, but the bank clerk should really only access one specific bank vault (“D”) on behalf of clients. Yeah right! Better yet, the owner of the bank vaults do not have anything to say about this. Just shut up and allow access!

Read more about it:

[ad.2] Constrained Kerberos Delegation

This is available in since Windows Server 2003 (with FFL W2K3) up to the latest and greatest version of Windows available today. It is a better option than the previous option, so if you cannot implement the next option, then at least try this option! With Constrained Kerberos Delegation, the FE, when configured for Constrained Kerberos Delegation, is ONLY allowed to access specific services (e.g. only “D”) for which it has been configured to do so and not any service. You could also call this “Account-Based Constrained Kerberos Delegation”

Imagine a bank vault (the “D”) and many other bank vaults and a bank clerk (the “FE”). The bank clerk is configured to access only the specific bank vault (“D”) on behalf of clients. Other bank vaults cannot be accessed on behalf of clients. Sounds better, but the owner of that specific bank vaults still does not have anything to say about this. Just shut up and allow access!

Read more about it:

[ad.3] Resource-Based Kerberos Delegation

This is available in since Windows Server 2012 up to the latest and greatest version of Windows available today. This is the best option when compared to the previous 2 options. This does require the complete service chain (FE, D, AD domain for FE, AD domain for D and any domain in between) to run at least Windows Server 2012. With regards to AD domains, at least one Windows Server 2012 DC is needed and there are no dependencies on DFLs/FFLs. Guess what?! This is by default constrained, therefore no need to mention the word “Constrained”, otherwise it is the same as saying “wet water”! With “Resource-Based Kerberos Delegation”, the D, when configured for Resource-Based Kerberos Delegation, is ONLY allowing access by specific services (e.g. only “FE”).

Imagine a bank vault (the “D”) and many other bank vaults and a bank clerk (the “FE”). A specific bank vault (“D”) is configured by its owner to only allow access by the bank clerk (the “FE”) on behalf of clients. Sounds even better!

Read more about it:

With both “Unconstrained Kerberos Delegation” and “Constrained Kerberos Delegation”, delegation is configured at delegated account level (hence: “Account-Based (Un)Constrained Kerberos Delegation”), and not at resource level, which is weird! Looking at ACLs in all kinds of services (file, sql, AD, etc.), permissions are configured at resource level, as it should be! This changes in “Resource-Based Constrained Delegation”, which is my preferred way of delegation!

Additional Reading:

Enjoy and have fun!,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

 
%d bloggers like this: