Kerberos Delegation and Abuse Cases


Kerberos Delegation allows to reuse the end-user credentials to access the resources hosted on a different server. ex. user authenticates to a web server and web server makes requests to a database server. The web server can request access to resources (all or some resources depending on the type of delegation) on the database server as the user and not as the web server's service account.


There are three types of Kerberos Delegation: