1.What is Delegation?

Just like the name. Delegation is that a server pretend to behalf of a user and to authenticate with kerberos protocol.There are three kinds of delegations.

Kinds of Delegations Limitions Protocol Note
Unconstrained Delegation None Just forward the TGT ticket which is able to be forwarded None
Constrained Delegation Front-End Server decide which Back-End service can receive delegation 1.S4U2Proxy -> Forward the TGT ticket
2.S4U2Self -> Receive information of NTLM Authentication(Username&NTLM-Hash) And use that to get TGT and send TGT and receive TGS from KDC		 AD administrator account
Resource-Based Constrained Delegation Back-End Services decide which Front-End service's delegation can be received The same as Constrained Delegation 1.S4U2Proxy -> Can Forward TGT ticket which is not to be able to forwarded.
2.You can use this cross the domain.
3.Service administrator account

2.Unconstrained Delegation

Unconstrained Delegation: ServerA can authenticate to any server in this domain behalf of user with TGT2. It is too dangerous.

3.Constrained Delegation

Only S4U2Proxy is what we need, if user use kerberos ticket to authenticate. Otherwise we need both S4U2Self and S4U2Proxy if user use NTLM hash to authenticate. In this condition, AD administrators can configure which service(SPNs) can receive ServerA’s delegation in ServerA's msDC-AllowedToDelegateTo property.

4.Resource-Based Constrained Delegation

There is one important difference between Constrained Delegation and Resource-Based Constrained Delegation. In Constrained Delegation, administrators of AD can configure which service can receive ServerA's delegation in their msDS-AllowedToActOnBehalfOfOtherIdentity properties. However, In Resource-Based Constrained Delegation, administrators of services can decide if those service will receive the ServerA's delegation or not. And it should be configured on the computers which is running those services. Do you think Resource-Based Constrained Delegation is much more safe than Constrained Delegation? No, Resource-Based Constrained Delegation has a big problem. In this condition, S4U2Proxy can forward unforwardable TGT and KDC will return TGS back. So if we could get the TGT which is not able to forward, We also could use it to do something bad.

5. What we can do to make it a little more safe?

** We can do a lot of things to make it more safe. Plus, the first one is to configure like this.**

A simple introduction to Three kinds of Delegation of Kerberos的更多相关文章

  1. A Simple Introduction To Computer Networking

    Most networking discussions are a jumble of acronyms. Forget the configuration details - what are th ...

  2. The Most Simple Introduction to Hypothesis Testing

    https://www.youtube.com/watch?v=UApFKiK4Hi8

  3. 转:Simple Introduction to Dirichlet Process

    来源:http://hi.baidu.com/vyfrcemnsnbgxyd/item/2f10ecc3fc35597dced4f88b Dirichlet Process(DP)是一个很重要的统计模 ...

  4. An Introduction to Variational Methods (5.1)

    在这篇文章中,我引用Bishop书中的一个例子,来简单介绍一下Variational Methods的应用.想要更详细地理解这个例子,可以参考Bishop的书Pattern Recongnition ...

  5. 深度强化学习(Deep Reinforcement Learning)入门:RL base & DQN-DDPG-A3C introduction

    转自https://zhuanlan.zhihu.com/p/25239682 过去的一段时间在深度强化学习领域投入了不少精力,工作中也在应用DRL解决业务问题.子曰:温故而知新,在进一步深入研究和应 ...

  6. ML Lecture 0-1: Introduction of Machine Learning

    本博客是针对李宏毅教授在Youtube上上传的课程视频<ML Lecture 0-1: Introduction of Machine Learning>的学习笔记.在Github上也po ...

  7. CI Weekly #6 | 再谈 Docker / CI / CD 实践经验

    CI Weekly 围绕『 软件工程效率提升』 进行一系列技术内容分享,包括国内外持续集成.持续交付,持续部署.自动化测试. DevOps 等实践教程.工具与资源,以及一些工程师文化相关的程序员 Ti ...

  8. 理解callback function in javascript

    以下内容主要摘自[1,2] (1)In javascript, functions are first-class objects, which means functions can be used ...

  9. Discovering the Computer Science Behind Postgres Indexes

    This is the last in a series of Postgres posts that Pat Shaughnessy wrote based on his presentation ...

随机推荐

  1. 如何用node编写命令行工具,附上一个ginit示例,并推荐好用的命令行工具

    原文 手把手教你写一个 Node.js CLI 强大的 Node.js 除了能写传统的 Web 应用,其实还有更广泛的用途.微服务.REST API.各种工具……甚至还能开发物联网和桌面应用.Java ...

  2. django的几个常见命令、request请求取值形式、数据库连接、

    django基础知识薄弱点 几个常见的命令 #创建django项目 django-admin startproject mysite #启动django项目 python manage.py runs ...

  3. USACO Balanced Lineup

    poj 3264 http://poj.org/problem?id=3264 洛谷 P2880 https://www.luogu.org/problemnew/show/P2880 题目描述 Fo ...

  4. LG2272/BZOJ1093 「ZJOI2007」最大半连通子图 Tarjan缩点+DAG求最长链

    问题描述 LG2272 BZOJ1093 题解 观察半联通的定义,发现图中的一些结点,构成的链一定是一个半联通子图. 此时存在的环可能会干扰求解,于是\(\mathrm{Tarjan}\)缩点. 于是 ...

  5. ASP.NET Core 中的 依赖注入介绍

    ASP.NET Core 依赖注入 HomeController public class HomeController : Controller { private IStudentReposito ...

  6. vins_fusion学习笔记

    Vins-Fusion源码:https://github.com/HKUST-Aerial-Robotics/VINS-Fusion 摘要 应项目需要,侧重学习stereo+gps融合 转载几篇写的比 ...

  7. 【MySQL】Mariadb字符集

    Mariadb字符集 如果不设置字符集,可以查看mariadb的字符集的默认设置是latin1. 如下命令,查看Mariadb的默认配置: [root@oradb ~]# /usr/local/mys ...

  8. CentOS7. 6 上部署MongoDB

    *安装步骤** 配置yum源 vim /etc/yum.repos.d/mongodb-org-4.0.repo #添加以下内容: [mongodb-org-4.0] name=MongoDB Rep ...

  9. Java8 LocalDateTime和Date相互转换

    很想要用Java的时间api,但有时候还是需要转换为Date. 二者的相互转换并不是一步到位那么简单,所以,还是需要记录一下转换的api Date to LocalDateTime Date toda ...

  10. WPF XAML Trigger中使用动画后 动画对象冻结的处理办法

    在编写XAML时 在Trigger中使用动画,在动画之后,动画对象就会被冻结,无法被其他动画或者属性改变. 处理办法有: 1 使用附加属性来添加动画 public static readonly De ...