Architect’s Breakdown: Kerberos Delegation Misconfigurations — Hidden Risks in Enterprise Identity

Overview

Kerberos is the primary authentication mechanism in modern Windows enterprise environments. It provides strong, ticket-based authentication and mutual verification between clients and services.

However, Kerberos also introduces a powerful feature—delegation—that allows services to act on behalf of users. While necessary for multi-tier applications, delegation frequently becomes a source of misconfiguration and unintended trust expansion.

In practice, these misconfigurations can lead to lateral movement, privilege escalation, and unauthorized access, often without triggering obvious security alerts.

Technical Root Cause

Kerberos operates through a Key Distribution Center (KDC), issuing:

  • TGT (Ticket Granting Ticket) → establishes identity
  • Service Tickets (TGS) → grant access to specific services

Kerberos Ticket Flow

https://images.openai.com/static-rsc-4/e_Bo9z5Yg35j8x6FTUT0SanT9ma30NKaf_IoCSDlQZT6NXiAq2DQHweg7mzYpUDw_Zwv0aGF-R5GFd_jfwf2Bja3P8e8idwpvO_wBPP4kAK3JMLErJQRx5Y22zPQUl5_ac6Pfq5d0oJ3YUqWWgq1nq4HDPBr_DTT7DfAKSok9FdElgitwBb0AsKvFJg9yrC-?purpose=fullsize
https://images.openai.com/static-rsc-4/Jw_1jgHZB8OvWwAZMdnzUJHwN9gOQ2XGwmkfAza7jTqAKXlj039xj6taypQd_jHwK1AaQDSG7q_CdyD0mrROTIM4vdv7rsTrQMfqALwiYw0_eplgyeSlByorWSC1RnF7a_cFu98W-EOY5wt1K-d5TvlSRRnW8TAhpGjem2WaL4SZUNtsKm0h5C5BA5BHyTnm?purpose=fullsize
https://images.openai.com/static-rsc-4/iflgMsX3RYf1qJEQO-cTBztKPG9FqfFmKhxbWHemXOyj6bNXneBfdq5DUWqHHglV_V1o3Fi6lVOxJ-3edEIiEYZ9aDbMTgffk-AgpVM1cL68ruZFkLE3r4udaPje7TDDIqGXrx8SvzhKZEhOdKt_6XG8MQLVeDRhVt4kukECvEEIHcjRiVqFJ7OK5owZBPAO?purpose=fullsize

Client → KDC (AS) → TGT issued
Client → KDC (TGS) → Service ticket issued
Client → Service → Access granted

Delegation extends this model by allowing a service to request additional service tickets on behalf of the user.

There are three common delegation models:

  • Unconstrained Delegation → access to any service; stores user TGT
  • Constrained Delegation (KCD) → limited to specific services
  • Resource-Based Constrained Delegation (RBCD) → controlled by target system

The underlying issue is:

Delegation expands trust beyond the original authentication boundary

Attack Flow (High-Level)

https://images.openai.com/static-rsc-4/eKMkFEIEvjb-jOuoY1KcUtRRaRPjH0ILy482qFteeAH-YEXPWSNu_hou9z45ryLuURHXQgmhz6LcQvp6ymQ7zrx9TVvkhKeBZ1WVtgKZY7JlkxVC2XV6ZWgIoKmcMxch3aI2a4M8GQU2xBHtMGmhuASerLVVwQyD5-XEH1xoTJZ2jndTKk9PlPEM6NYn5f65?purpose=fullsize
https://images.openai.com/static-rsc-4/UARqdYFj0n9K0_WLWmxmLYLa75maWU5-G3oETOnxgMeQ-FXCeDQ9xIn3EW6BnA8fPdMWeoQMd1XlRukF8NFgo6dhVtN7sNi4NaBXUTUeoDa9dRIezqdrh-KgZ6_4JngxrG0yl6VpzfUXUeTsFHK1zPeJDRKeqKrNsoF06rOcIVVicMepioq5j9izPghOC97x?purpose=fullsize
https://images.openai.com/static-rsc-4/DlK-dvcAfJdAOtTLN_s5MHZ4fRVBertHjoU1y2jjqGvMDUubQttM0Pj57mEvIsyWKkoQwxxFf0aVv8WsCd_b3dzt2NJEqp5fgfMUSGZF6nRMhZSQXnQKm9d00VH0VWrWiqzLgK5_LICHQMS01_wDdxODHWhkAGCJr5Q4xU0Jxky-wwNvVV0Aox0a273fbnhE?purpose=fullsize

User authenticates via Kerberos

Service receives user ticket

Service is allowed to delegate

Service requests additional tickets

Misconfiguration enables unintended access

In these scenarios, attackers may:

  • Leverage delegated tickets
  • Impersonate users across services
  • Access backend systems not originally intended

Why This Happens in Enterprise Environments

1. Continued Use of Unconstrained Delegation

Legacy systems and older configurations still rely on unconstrained delegation, allowing services to store and reuse user tickets, increasing exposure.

2. Complexity in Multi-Tier Architectures

Modern enterprise applications often involve chained services:

Web → Application → Database → External services

Delegation is required for these interactions, but:

  • Permissions are often broader than necessary
  • Trust relationships become difficult to reason about

3. Misconfiguration of Resource-Based Delegation

RBCD introduces flexibility but shifts control to resource owners. Without strict controls:

  • Delegation relationships can be unintentionally expanded
  • Access paths become difficult to audit

4. Limited Visibility into Delegation Paths

Delegation is not always clearly observable:

  • Ticket flows are transient
  • Logging is limited by default
  • Administrators may not fully understand effective trust relationships

Enterprise Impact

Kerberos delegation issues can lead to:

  • Lateral movement across systems
  • Privilege escalation within directory services
  • Unauthorized access to backend resources
  • Abuse of trusted service accounts

Because Kerberos tickets are valid and signed, these actions often appear as legitimate authenticated activity.

Detection Strategies

  • Identify accounts configured for delegation
  • Monitor unusual service ticket requests
  • Audit changes to delegation-related attributes
  • Analyze authentication patterns across services

Effective detection requires visibility into identity flows, not just authentication failures.

Mitigation and Hardening

  • Eliminate unconstrained delegation wherever possible
  • Restrict constrained delegation to minimal required services
  • Carefully control and audit RBCD configurations
  • Mark sensitive accounts as non-delegable
  • Enable detailed Kerberos logging and monitoring

Architect’s Perspective

Kerberos delegation is fundamentally a trust extension mechanism, and in many environments, that trust is broader than intended.

The challenge is not just misconfiguration—it is implicit trust accumulation over time.

Enterprise identity systems evolve organically, leading to:

  • Overlapping delegation paths
  • Excessive permissions
  • Poor visibility into effective access

A more resilient approach requires:

Explicitly defined trust boundaries instead of implicit delegation chains

This includes:

  • Minimizing delegation usage
  • Clearly mapping service-to-service trust
  • Continuously validating identity relationships

As identity becomes the central security boundary, delegation must be treated as a high-risk architectural decision, not a default configuration.

Key Takeaways

  • Kerberos delegation expands trust beyond initial authentication
  • Misconfigurations can enable lateral movement and privilege escalation
  • Unconstrained delegation remains a significant risk
  • Visibility into delegation paths is critical for detection
  • Secure design requires minimizing and tightly controlling delegation

References

  • Microsoft Kerberos documentation
  • Active Directory configuration guidance
  • National Vulnerability Database related advisories

Author

Ankur Kumar is a systems architect with deep expertise in cybersecurity, Windows internals, and protocol-level system design. His work focuses on secure remote access, browser-based protocol clients (RDP/SMB/SSH), and the mechanics of authentication systems including NTLM and Kerberos. He specializes in analyzing how low-level protocol behavior impacts real-world enterprise security.