1.What is Delegation?

Just like the name. Delegation is that a server pretend to behalf of a user and to authenticate with kerberos protocol.There are three kinds of delegations.

Kinds of Delegations Limitions Protocol Note
Unconstrained Delegation None Just forward the TGT ticket which is able to be forwarded None
Constrained Delegation Front-End Server decide which Back-End service can receive delegation 1.S4U2Proxy -> Forward the TGT ticket
2.S4U2Self -> Receive information of NTLM Authentication(Username&NTLM-Hash) And use that to get TGT and send TGT and receive TGS from KDC		 AD administrator account
Resource-Based Constrained Delegation Back-End Services decide which Front-End service's delegation can be received The same as Constrained Delegation 1.S4U2Proxy -> Can Forward TGT ticket which is not to be able to forwarded.
2.You can use this cross the domain.
3.Service administrator account

2.Unconstrained Delegation

Unconstrained Delegation: ServerA can authenticate to any server in this domain behalf of user with TGT2. It is too dangerous.

3.Constrained Delegation

Only S4U2Proxy is what we need, if user use kerberos ticket to authenticate. Otherwise we need both S4U2Self and S4U2Proxy if user use NTLM hash to authenticate. In this condition, AD administrators can configure which service(SPNs) can receive ServerA’s delegation in ServerA's msDC-AllowedToDelegateTo property.

4.Resource-Based Constrained Delegation

There is one important difference between Constrained Delegation and Resource-Based Constrained Delegation. In Constrained Delegation, administrators of AD can configure which service can receive ServerA's delegation in their msDS-AllowedToActOnBehalfOfOtherIdentity properties. However, In Resource-Based Constrained Delegation, administrators of services can decide if those service will receive the ServerA's delegation or not. And it should be configured on the computers which is running those services. Do you think Resource-Based Constrained Delegation is much more safe than Constrained Delegation? No, Resource-Based Constrained Delegation has a big problem. In this condition, S4U2Proxy can forward unforwardable TGT and KDC will return TGS back. So if we could get the TGT which is not able to forward, We also could use it to do something bad.

5. What we can do to make it a little more safe?

** We can do a lot of things to make it more safe. Plus, the first one is to configure like this.**

A simple introduction to Three kinds of Delegation of Kerberos的更多相关文章

  1. A Simple Introduction To Computer Networking

    Most networking discussions are a jumble of acronyms. Forget the configuration details - what are th ...

  2. The Most Simple Introduction to Hypothesis Testing

    https://www.youtube.com/watch?v=UApFKiK4Hi8

  3. 转:Simple Introduction to Dirichlet Process

    来源:http://hi.baidu.com/vyfrcemnsnbgxyd/item/2f10ecc3fc35597dced4f88b Dirichlet Process(DP)是一个很重要的统计模 ...

  4. An Introduction to Variational Methods (5.1)

    在这篇文章中,我引用Bishop书中的一个例子,来简单介绍一下Variational Methods的应用.想要更详细地理解这个例子,可以参考Bishop的书Pattern Recongnition ...

  5. 深度强化学习(Deep Reinforcement Learning)入门:RL base & DQN-DDPG-A3C introduction

    转自https://zhuanlan.zhihu.com/p/25239682 过去的一段时间在深度强化学习领域投入了不少精力,工作中也在应用DRL解决业务问题.子曰:温故而知新,在进一步深入研究和应 ...

  6. ML Lecture 0-1: Introduction of Machine Learning

    本博客是针对李宏毅教授在Youtube上上传的课程视频<ML Lecture 0-1: Introduction of Machine Learning>的学习笔记.在Github上也po ...

  7. CI Weekly #6 | 再谈 Docker / CI / CD 实践经验

    CI Weekly 围绕『 软件工程效率提升』 进行一系列技术内容分享,包括国内外持续集成.持续交付,持续部署.自动化测试. DevOps 等实践教程.工具与资源,以及一些工程师文化相关的程序员 Ti ...

  8. 理解callback function in javascript

    以下内容主要摘自[1,2] (1)In javascript, functions are first-class objects, which means functions can be used ...

  9. Discovering the Computer Science Behind Postgres Indexes

    This is the last in a series of Postgres posts that Pat Shaughnessy wrote based on his presentation ...

随机推荐

  1. 安装_升级Eclipse插件

    在线安装_升级Eclipse插件可以保证插件的完整性,并可自由选择最新版本.1.单击Eclipse的Help菜单,选择"Install New Software"菜单项2.单击&q ...

  2. zz先睹为快:神经网络顶会ICLR 2019论文热点分析

    先睹为快:神经网络顶会ICLR 2019论文热点分析 - lqfarmer的文章 - 知乎 https://zhuanlan.zhihu.com/p/53011934 作者:lqfarmer链接:ht ...

  3. 7.29 NOIP模拟测试10 辣鸡(ljh)+模板(ac)+大佬(kat)

    T1 辣鸡(ljh) 就是一道分类讨论的暴搜,外加一丢丢的减枝,然而我挂了,为啥呢,分类讨论变量名打错,大于小于号打反,能对才怪,写了sort为了调试就注释了,后来忘了解开,小减枝也没打.但是这道题做 ...

  4. Web协议详解与抓包实战:HTTP1协议-HTTP 响应行(3)

    一.HTTP 响应行 二.响应码分类:1xx 三.响应码分类: 2xx 1. 201 Created: 有新资源在服务器端被成功创建 2.207 Multi-Status:RFC4918 ,在 WEB ...

  5. [LeetCode] 116. Populating Next Right Pointers in Each Node 每个节点的右向指针

    You are given a perfect binary tree where all leaves are on the same level, and every parent has two ...

  6. API加密框架原理解密

    关于框架的使用文章请参考: 前后端API交互如何保证数据安全性?:http://cxytiandi.com/blog/detail/20235 API数据加密框架monkey-api-encrypt: ...

  7. mtd-utils编译安装过程

    git clone git://git.infradead.org/mtd-utils.git cd mtd-utils apt install -y libssl-dev libzlb libzst ...

  8. SpringBoot集成Spring Security(1)——入门程序

    因为项目需要,第一次接触 Spring Security,早就听闻 Spring Security 功能强大但上手困难,学习了几天出入门道,特整理这篇文章希望能让后来者少踩一点坑(本文附带实例程序,请 ...

  9. classLoader双亲委托与类加载隔离

    虽然前面把class文件的产生到加载使用流程说了一遍,但是还是想具体看看classLoader的双亲委托具体是如何运行的,有什么利弊. 还有想看看不同类加载器的不同命名空间带来那些好处和实际有那些应用 ...

  10. jmeter和ab的对比

    压测比较常用的工具:ab,webbench,jmeter ab和webbench作为shell模式下轻量级的测试工具,ab比webbench功能更多一些 jmeter作为有GUI界面的更高级测试工具 ...