Tags: prot services decide UNC intro nis min forward user
As the name suggests, delegation means that a server acts on behalf of a user and authenticates with the Kerberos protocol. There are three kinds of delegation.
Kinds of Delegation | Limitations | Protocol | Note |
---|---|---|---|
Unconstrained Delegation | None | Just forwards the TGT, which is forwardable | None |
Constrained Delegation | The front-end server decides which back-end services can receive the delegation | 1. S4U2Proxy -> forwards the TGT. 2. S4U2Self -> receives the NTLM authentication information (username and NTLM hash) and uses it to get a TGT from the KDC | AD administrator account |
Resource-Based Constrained Delegation | The back-end service decides which front-end services' delegation it will accept | The same as Constrained Delegation | 1. S4U2Proxy -> can forward a TGT that is not forwardable. 2. Can be used across domains. 3. Service administrator account |
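
An added example (not from the original post) that audits which of the three kinds each account is configured for. It assumes the entries were already read from LDAP and that `msDS-AllowedToActOnBehalfOfOtherIdentity` has been decoded from its security descriptor into principal names; the attribute names are the standard AD ones rather than names used on this page, and the sample records and `example.test` hosts are constructed.

```python
# Added example. Sample records are constructed; example.test names are placeholders.
TRUSTED_FOR_DELEGATION = 0x80000            # userAccountControl bit: unconstrained
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl bit: protocol transition (S4U2Self)

def classify(entry):
    """Return the delegation kinds configured on one directory entry."""
    uac = int(entry.get("userAccountControl", 0))
    kinds = []
    if uac & TRUSTED_FOR_DELEGATION:
        kinds.append("unconstrained")
    if entry.get("msDS-AllowedToDelegateTo"):
        # Stored on the front-end account: the back-end SPNs it may delegate to.
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            kinds.append("constrained (with protocol transition)")
        else:
            kinds.append("constrained (Kerberos only)")
    if entry.get("msDS-AllowedToActOnBehalfOfOtherIdentity"):
        # Stored on the back-end account: the front-ends whose delegation it accepts.
        kinds.append("resource-based constrained")
    return kinds

def audit(entries):
    """Map sAMAccountName -> delegation kinds, omitting accounts with none."""
    report = {}
    for entry in entries:
        kinds = classify(entry)
        if kinds:
            report[entry["sAMAccountName"]] = kinds
    return report

# Constructed sample entries (0x1000 = workstation account, 0x200 = normal user).
SAMPLE = [
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x1000 | 0x80000},
    {"sAMAccountName": "svc-web", "userAccountControl": 0x200 | 0x1000000,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/db01.example.test:1433"]},
    {"sAMAccountName": "APP02$", "userAccountControl": 0x1000,
     "msDS-AllowedToDelegateTo": ["cifs/fs01.example.test"]},
    {"sAMAccountName": "DB01$", "userAccountControl": 0x1000,
     "msDS-AllowedToActOnBehalfOfOtherIdentity": ["svc-web"]},
    {"sAMAccountName": "WS07$", "userAccountControl": 0x1000},
]

if __name__ == "__main__":
    for name, kinds in audit(SAMPLE).items():
        print(f"{name}: {', '.join(kinds)}")
```
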
A simple introduction to the three kinds of Kerberos delegation
Original article: https://www.cnblogs.com/KevinGeorge/p/11041482.html