
Kerberos Delegation

Kerberos Delegation is the advanced architectural capability that allows a front-end service (like a Web Server) to impersonate a user when making requests to a back-end resource (like a Database). In a multi-tier enterprise environment, the database needs to know the true identity of the user to enforce data-level permissions, but the user only talks directly to the web server. Delegation provides the cryptographic “Power of Attorney” required to forward the user’s identity signals across these architectural boundaries. By utilizing modern Constrained Delegation and Resource-Based Constrained Delegation, organizations can enable complex, multi-service workflows while strictly limiting the “Blast Radius” of a service account compromise.

Identity Proxy

Core Mission: Sovereign Identity Continuity. Maintaining the user's security context across multiple network hops, ensuring that the final resource can verify the original requester.

Analogy, a Security Power of Attorney: Imagine you (The User) are a world leader. You have an assistant (The Web Server) who handles your errands. When you need to withdraw money from your private vault (The Database), you don't go yourself. You sign a specialized, time-limited document (A Delegated Ticket) that gives your assistant the "Power of Attorney" to act on your behalf, but *only* at that specific bank and *only* for that specific transaction. The bank accepts the assistant because they see your official seal and the specific constraints you've added to the document.

Typical uses: Multi-tier Web Apps / Linked SQL Servers / Distributed Identity

Selecting the right delegation model is a critical security decision that determines the level of risk and administrative oversight.

| Model | Mechanism | Strategic Risk | Best For |
| --- | --- | --- | --- |
| Unconstrained | Forwarding the TGT. | Highest (Full impersonation). | Not Recommended. |
| Constrained (KCD) | Pre-defined SPN list. | Low (Scoped to services). | Managed AD environments. |
| Resource-Based | SP handles permissions. | Lowest (Decentralized). | Cross-domain / Modern AD. |
| S4U2Self / Proxy | Service-to-service. | Managed. | Protocol Transition (OIDC to Kerb). |

Multi-tier delegation involves a carefully coordinated dance between the client, the middle-tier service, and the KDC.

```mermaid
sequenceDiagram
    participant User
    participant Web as Web Server (S1)
    participant KDC as Key Distrib Center
    participant DB as Database (S2)

    User->>Web: AP-REQ (User Auth to Web)
    Web->>KDC: TGS-REQ (Request ticket for DB as User)
    KDC-->>Web: TGS-REP (Delegated Ticket for DB)
    Web->>DB: AP-REQ (Present Delegated Ticket)
    DB-->>Web: Grant Access to User's Data
```
1. Authenticate & Consent

The user authenticates to the front-end web server. For delegation to work, the user's ticket must have the `FORWARDABLE` flag set, indicating that they consent to their identity being used on other authorized services within the domain.

2. Exchange & Constrain

The web server takes the user's proof of identity and asks the KDC for a specific service ticket for the target database (**TGS-REQ**). In a "Constrained" environment, the KDC verifies that the web server is explicitly permitted to impersonate users on that specific database SPN before issuing the ticket.

3. Impersonate & Access

The web server presents the delegated ticket to the database. The database verifies the ticket and sees the original user's identity (the Principal). It then applies the user's specific Row-Level Security (RLS) or permissions to the query, providing a seamless "End-to-End" identity flow.


Configuring constrained delegation requires precise SPN mapping and service account attributes in Active Directory.

Resource-Based Constrained Delegation (PowerShell Example)

```powershell
# Allowing a specific Web Server to impersonate users on a Database Server
$WebServer = Get-ADComputer -Identity "WEB-SRV-01"
$DatabaseServer = Get-ADComputer -Identity "SQL-DB-01"
# Set the 'PrincipalsAllowedToDelegateToAccount' attribute on the target
Set-ADComputer -Identity $DatabaseServer -PrincipalsAllowedToDelegateToAccount $WebServer
```
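As an added example (not part of the original page), the following audit script enumerates every delegation model from the table above across the domain, reports RBCD from the resource's side where the attribute actually lives, and then checks whether Domain Admins members are protected from being delegated. It assumes the RSAT ActiveDirectory module is installed and the session has read access to the domain; the `Domain Admins` group name is the built-in default.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory
# module and a domain-joined session with read access to AD objects.
Import-Module ActiveDirectory

$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo', 'PrincipalsAllowedToDelegateToAccount'

# Computers plus any user account that carries an SPN (service accounts).
$accounts = @(Get-ADComputer -Filter * -Properties $props) +
            @(Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties $props)

$report = foreach ($a in $accounts) {
    # Classify using the same models as the table above.
    $model = if ($a.'msDS-AllowedToDelegateTo') {
        'Constrained (KCD)'        # scoped to the SPN list held on the front-end
    } elseif ($a.TrustedForDelegation) {
        'Unconstrained'            # front-end receives the user's forwarded TGT
    }
    if ($model) {
        [pscustomobject]@{
            Account            = $a.SamAccountName
            Model              = $model
            ProtocolTransition = [bool]$a.TrustedToAuthForDelegation  # S4U2Self allowed
            Detail             = ($a.'msDS-AllowedToDelegateTo' -join '; ')
        }
    }
    # RBCD is stored on the *target* resource, so report it from the resource's side.
    foreach ($p in $a.PrincipalsAllowedToDelegateToAccount) {
        [pscustomobject]@{
            Account            = $a.SamAccountName
            Model              = 'Resource-Based (RBCD)'
            ProtocolTransition = $false
            Detail             = "trusts $($p.DistinguishedName) to impersonate users"
        }
    }
}
# Domain controllers are unconstrained by design; any other entry in that row needs review.
$report | Sort-Object Model, Account | Format-Table -AutoSize

# Mitigation check: Domain Admins members should have AccountNotDelegated set,
# which blocks every delegation model above from impersonating them.
$exposed = Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties AccountNotDelegated |
    Where-Object { -not $_.AccountNotDelegated }
$exposed | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
# Remediation (run deliberately):  $exposed | Set-ADAccountControl -AccountNotDelegated $true
```

Run the report on a schedule and diff it against the previous run; a new Unconstrained or RBCD entry that no change ticket explains is the signal to investigate.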
