The user spot is allowed to delegate, or in other words, impersonate any user and authenticate to a file system service (CIFS) on the domain controller DC01. The account has the TRUSTED_TO_AUTH_FOR_DELEGATION flag set in order for it to be able to authenticate to the remote service. Microsoft defines the flag as follows:

TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.

The msds-allowedtodelegateto attribute identifies the SPNs of the services the user spot is trusted to delegate to (impersonate other domain users) and authenticate to. In this case, it is saying that the user spot is allowed to authenticate to the CIFS service on DC01 on behalf of any other domain user. Both the msds-allowedtodelegateto attribute and the TRUSTED_TO_AUTH_FOR_DELEGATION flag are defined in Microsoft's Active Directory documentation.

Now, as the user spot, who has the constrained delegation set as described earlier, let's check that we currently cannot access the file system of DC01 before we impersonate a domain admin user, who will be allowed to authenticate to CIFS/dc01.offense.local.

The /altservice switch can also be used for other services: HTTP (WinRM), LDAP (DCSync), HOST (PsExec shell), MSSQLSvc (DB admin rights).