A simple introduction to Three kinds of Delegation of Kerberos

1.What is Delegation?


Just like the name says: delegation lets a server (a service account) act on behalf of a user and authenticate, with the Kerberos protocol, to other services as that user. There are three kinds of delegation.

Kinds of Delegation (limitation / protocol / note):

Unconstrained Delegation
  Limitation: none.
  Protocol: the client sends its forwardable TGT to the front-end server together with the service ticket; the server caches that TGT and can use it to request tickets to any service.
  Note: enabled on the server account by a domain administrator (it needs SeEnableDelegationPrivilege), the same as for constrained delegation.

Constrained Delegation
  Limitation: the front-end server's own attribute (msDS-AllowedToDelegateTo) lists which back-end services may receive its delegation.
  Protocol: 1. S4U2Proxy: the front end presents the user's service ticket to itself and asks the KDC for a ticket to the back-end service in the user's name; the KDC only issues it if the presented ticket is forwardable. 2. S4U2Self: if the user authenticated without Kerberos (for example with NTLM), the front end first asks the KDC for a service ticket to itself in the user's name. Only the user name is needed, not the user's password or NTLM hash; the front end authenticates to the KDC with its own TGT. The resulting ticket is forwardable only if the front-end account is allowed "protocol transition" (the TRUSTED_TO_AUTH_FOR_DELEGATION flag).
  Note: configured by an AD administrator on the front-end account.

Resource-Based Constrained Delegation
  Limitation: the back-end service's own attribute (msDS-AllowedToActOnBehalfOfOtherIdentity) lists which front-end services it accepts delegation from.
  Protocol: the same S4U2Self and S4U2Proxy as constrained delegation, with two differences: 1. in S4U2Proxy the KDC does not require the presented ticket to be forwardable; 2. it works across domain and forest trusts.
  Note: configured by whoever administers the back-end resource (anyone with write access to its computer or service account), not necessarily a domain administrator.
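The following audit script is an added example, not code from the original post. It classifies directory objects into the three kinds from the table using the attributes named there (userAccountControl flags, msDS-AllowedToDelegateTo, msDS-AllowedToActOnBehalfOfOtherIdentity) and parses the binary security descriptor that the RBCD attribute actually stores, so the front ends a back end trusts come out as SIDs (resolved to names where possible). The account names, SIDs and SPN are constructed sample data; a real audit would read the same attributes over LDAP.

```python
# Added example (not from the original post): audit a dump of directory objects
# for the three delegation configurations in the table. Records are constructed.
import struct

# userAccountControl bits (real AD values)
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition (S4U2Self tickets become forwardable)
DC_PRIMARY_GROUPS = (516, 521)              # Domain Controllers / Read-only DCs: always unconstrained

def sid_to_bytes(sid):
    """'S-1-5-21-a-b-c-rid' -> binary SID (revision, count, 48-bit authority, sub-authorities)."""
    parts = sid.split("-")
    rev, auth, subs = int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]]
    return (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def bytes_to_sid(buf, off):
    """Inverse of sid_to_bytes, reading at offset `off`."""
    rev, count = struct.unpack_from("<BB", buf, off)
    auth = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d-%s" % (rev, auth, "-".join(str(s) for s in subs))

def build_rbcd_sd(owner_sid, allowed_sids):
    """Self-relative security descriptor in the shape AD stores in
    msDS-AllowedToActOnBehalfOfOtherIdentity: owner SID plus a DACL with one
    ACCESS_ALLOWED_ACE per front-end principal. Used here to build sample data."""
    aces = b""
    for sid in allowed_sids:
        body = struct.pack("<I", 0xF01FF) + sid_to_bytes(sid)          # access mask, then the SID
        aces += struct.pack("<BBH", 0x00, 0x00, 4 + len(body)) + body  # ACE type, flags, size
    dacl = struct.pack("<BBHHH", 2, 0, 8 + len(aces), len(allowed_sids), 0) + aces
    owner = sid_to_bytes(owner_sid)
    # revision, sbz1, control (SE_SELF_RELATIVE | SE_DACL_PRESENT), owner/group/sacl/dacl offsets
    header = struct.pack("<BBHIIII", 1, 0, 0x8004, 20, 0, 0, 20 + len(owner))
    return header + owner + dacl

def rbcd_allowed_sids(sd):
    """Walk the DACL of an msDS-AllowedToActOnBehalfOfOtherIdentity descriptor and
    return the SID of every ACCESS_ALLOWED ACE: the front ends the KDC will accept
    S4U2Proxy requests from."""
    rev, _, control, _, _, _, dacl_off = struct.unpack_from("<BBHIIII", sd, 0)
    if rev != 1 or not control & 0x0004 or dacl_off == 0:   # no DACL present
        return []
    ace_count = struct.unpack_from("<BBHHH", sd, dacl_off)[3]
    off, sids = dacl_off + 8, []
    for _ in range(ace_count):
        ace_type, _, ace_size = struct.unpack_from("<BBH", sd, off)
        if ace_type == 0x00:                        # ACCESS_ALLOWED_ACE_TYPE
            sids.append(bytes_to_sid(sd, off + 8))  # skip ACE header (4) and access mask (4)
        off += ace_size
    return sids

def classify(record, sid_to_name):
    """Delegation findings for one directory object, from the attributes the table names."""
    uac, findings = record.get("userAccountControl", 0), []
    if uac & TRUSTED_FOR_DELEGATION:
        expected = record.get("primaryGroupID") in DC_PRIMARY_GROUPS
        findings.append("unconstrained (domain controller, expected)" if expected else "unconstrained")
    targets = record.get("msDS-AllowedToDelegateTo", [])
    if targets:
        kind = ("constrained with protocol transition" if uac & TRUSTED_TO_AUTH_FOR_DELEGATION
                else "constrained (Kerberos only)")
        findings.append(kind + " -> " + ", ".join(targets))
    sd = record.get("msDS-AllowedToActOnBehalfOfOtherIdentity")
    if sd:
        names = [sid_to_name.get(s, s) for s in rbcd_allowed_sids(sd)]
        findings.append("rbcd: accepts delegation from " + ", ".join(names))
    if uac & NOT_DELEGATED:
        findings.append("sensitive: cannot be delegated")
    return findings

def audit(records):
    """Map sAMAccountName -> findings, resolving RBCD SIDs to names where the dump has them."""
    sid_to_name = {r["objectSid"]: r["sAMAccountName"] for r in records if "objectSid" in r}
    return {r["sAMAccountName"]: classify(r, sid_to_name) for r in records}

DOMAIN = "S-1-5-21-1111-2222-3333"   # constructed sample domain SID
RECORDS = [                          # constructed sample objects (hypothetical names)
    {"sAMAccountName": "DC01$", "userAccountControl": 0x2000 | TRUSTED_FOR_DELEGATION, "primaryGroupID": 516},
    {"sAMAccountName": "WEB01$", "objectSid": DOMAIN + "-1200", "primaryGroupID": 515,
     "userAccountControl": 0x1000 | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x10200 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.corp.local:1433"]},
    {"sAMAccountName": "SQL02$", "userAccountControl": 0x1000, "primaryGroupID": 515,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": build_rbcd_sd("S-1-5-32-544", [DOMAIN + "-1200"])},
    {"sAMAccountName": "admin", "userAccountControl": 0x200 | NOT_DELEGATED},
]

if __name__ == "__main__":
    for name, findings in audit(RECORDS).items():
        print(name, "->", findings or ["no delegation configured"])
```

Domain controllers always carry TRUSTED_FOR_DELEGATION, so an audit that does not check primaryGroupID reports every DC as a finding; the member server WEB01$ with the same flag is the one worth acting on. The access mask 0xF01FF written into the sample descriptor is what the SDDL string tooling normally writes expands to; the parser does not depend on it, only on the ACE type and SID.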

2.Unconstrained Delegation


Unconstrained Delegation: when a user authenticates to ServerA, a forwarded copy of the user's TGT (TGT2 in the figure) is sent along with the service ticket, and ServerA can use it to authenticate to any server in the domain on behalf of that user. This is too dangerous: whoever compromises ServerA holds a TGT for every user who has connected to it.

3.Constrained Delegation


If the user authenticated to ServerA with a Kerberos ticket, S4U2Proxy alone is enough. If the user authenticated with NTLM instead, ServerA needs S4U2Self first (to obtain a service ticket in the user's name) and then S4U2Proxy; this "protocol transition" has to be explicitly enabled on ServerA's account. In both cases an AD administrator decides which services (identified by SPN) may receive ServerA's delegation by listing them in ServerA's msDS-AllowedToDelegateTo attribute.

4.Resource-Based Constrained Delegation


There is one important difference between Constrained Delegation and Resource-Based Constrained Delegation. In Constrained Delegation, AD administrators list the back-end services that may receive ServerA's delegation in ServerA's own msDS-AllowedToDelegateTo attribute. In Resource-Based Constrained Delegation, the administrators of the back-end service decide whether to accept ServerA's delegation, and they do so on the back-end resource itself: the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of its computer (or service) account holds a security descriptor listing the front ends allowed to delegate to it, and anyone with write access to that account can set it. Is Resource-Based Constrained Delegation therefore much safer than Constrained Delegation? No. It has one big problem: in this mode S4U2Proxy accepts a service ticket that is not forwardable, and the KDC still returns a ticket for the back end. So a non-forwardable service ticket for the user, which S4U2Self hands to any service that asks with just the user's name, is enough to impersonate that user to the back end.
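To make the difference between sections 3 and 4 concrete, here is an added example (not code from the original post): a toy model of the KDC's decisions for S4U2Self and S4U2Proxy. It implements only the rules discussed above, the forwardable-flag check for constrained delegation, the absence of that check for RBCD, and the refusal to delegate an account marked "sensitive and cannot be delegated" (the NOT_DELEGATED flag); the PAC, the cryptography and TGT validation are left out. The directory and the names web, web-pt, sql-classic, sql-rbcd, sql-other, alice and admin are constructed for the example.

```python
# Added example (not from the original post): a toy model of the KDC's
# S4U2Self / S4U2Proxy decisions, to show why a non-forwardable ticket fails
# under constrained delegation but succeeds under RBCD. The directory is an
# in-memory dict constructed here; PAC, crypto and TGT validation are left out.
from dataclasses import dataclass, field

TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000   # userAccountControl: protocol transition allowed
NOT_DELEGATED = 0x100000                     # userAccountControl: account is sensitive

@dataclass
class Account:
    name: str
    uac: int = 0
    allowed_to_delegate_to: set = field(default_factory=set)    # msDS-AllowedToDelegateTo (front end)
    allowed_to_act_on_behalf: set = field(default_factory=set)  # msDS-AllowedToActOnBehalfOfOtherIdentity (back end)

@dataclass
class ServiceTicket:
    client: str        # the user the ticket names
    service: str       # the service it was issued for
    forwardable: bool

class KdcError(Exception):
    pass

def kerberos_logon(directory, user, front):
    """User authenticates to the front end with Kerberos. The service ticket
    inherits the forwardable flag of the user's TGT, which the KDC withholds
    from sensitive accounts."""
    return ServiceTicket(user, front, forwardable=not (directory[user].uac & NOT_DELEGATED))

def s4u2self(directory, front, user):
    """After a non-Kerberos logon (e.g. NTLM) the front end asks for a ticket
    to itself in `user`'s name. Only the name is needed, no user secret; any
    service may ask, the KDC just decides whether the ticket is forwardable."""
    transition = bool(directory[front].uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
    sensitive = bool(directory[user].uac & NOT_DELEGATED)
    return ServiceTicket(user, front, forwardable=transition and not sensitive)

def s4u2proxy(directory, front, evidence, target):
    """Front end presents the user's ticket to itself (`evidence`) and asks for
    a ticket to `target` in the user's name."""
    if evidence.service != front:
        raise KdcError("evidence ticket is not for the requesting service")
    if directory[evidence.client].uac & NOT_DELEGATED:
        raise KdcError("KDC_ERR_BADOPTION: user is marked sensitive")
    # RBCD: the back end's own attribute names the front end; the forwardable
    # flag of the evidence ticket is not checked.
    if front in directory[target].allowed_to_act_on_behalf:
        return ServiceTicket(evidence.client, target, forwardable=True)
    # Classic constrained delegation: the front end's attribute names the
    # target, and the evidence ticket must be forwardable.
    if target in directory[front].allowed_to_delegate_to:
        if evidence.forwardable:
            return ServiceTicket(evidence.client, target, forwardable=True)
        raise KdcError("KDC_ERR_BADOPTION: evidence ticket is not forwardable")
    raise KdcError("KDC_ERR_BADOPTION: front end may not delegate to this target")

def build_directory():
    """Constructed sample domain (hypothetical names)."""
    return {
        "web": Account("web", allowed_to_delegate_to={"sql-classic"}),  # constrained, Kerberos only
        "web-pt": Account("web-pt", uac=TRUSTED_TO_AUTH_FOR_DELEGATION,
                          allowed_to_delegate_to={"sql-classic"}),      # constrained + protocol transition
        "sql-classic": Account("sql-classic"),
        "sql-rbcd": Account("sql-rbcd", allowed_to_act_on_behalf={"web"}),  # RBCD, trusts "web"
        "sql-other": Account("sql-other"),
        "alice": Account("alice"),
        "admin": Account("admin", uac=NOT_DELEGATED),                   # "account is sensitive"
    }

def outcome(fn, *args):
    """Run one exchange and return 'ok' or the KDC error text."""
    try:
        fn(*args)
        return "ok"
    except KdcError as e:
        return str(e)

def scenarios():
    d = build_directory()
    kerb = kerberos_logon(d, "alice", "web")
    ntlm = s4u2self(d, "web", "alice")           # non-forwardable: "web" lacks protocol transition
    ntlm_pt = s4u2self(d, "web-pt", "alice")     # forwardable: "web-pt" has it
    return {
        "kerberos logon -> constrained": outcome(s4u2proxy, d, "web", kerb, "sql-classic"),
        "ntlm logon -> constrained": outcome(s4u2proxy, d, "web", ntlm, "sql-classic"),
        "ntlm logon + protocol transition -> constrained": outcome(s4u2proxy, d, "web-pt", ntlm_pt, "sql-classic"),
        "ntlm logon -> rbcd": outcome(s4u2proxy, d, "web", ntlm, "sql-rbcd"),
        "sensitive user -> rbcd": outcome(s4u2proxy, d, "web", s4u2self(d, "web", "admin"), "sql-rbcd"),
        "unlisted target": outcome(s4u2proxy, d, "web", kerb, "sql-other"),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:50} {result}")
```

The "ntlm logon -> constrained" and "ntlm logon -> rbcd" rows use the very same non-forwardable ticket: the classic path rejects it, the RBCD path issues a ticket for the back end. The "sensitive user -> rbcd" row is why marking high-value accounts as sensitive (or putting them in Protected Users) still matters even where RBCD is in use.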

5. What we can do to make it a little more safe?


**We can do a lot of things to make it safer. The first one is to configure the accounts like this.**
