Kerberos Constrained Delegation
SMA supports Kerberos Constrained Delegation (KCD). KCD provides authentication support using an existing Kerberos infrastructure, without requiring that infrastructure to trust front-end services to delegate to any service they choose.
With Kerberos Constrained Delegation (KCD), users who are authenticated using non-Kerberos methods, such as Certificate, Smart Card, or RADIUS, can gain access to Kerberos-protected resources without having to enter any additional credentials. For example, a user who authenticates using Single Sign-On (SSO), rather than Kerberos, is allowed access to Kerberos-protected web resources.
Most Single Sign-On (SSO) methods rely on conventional username/password credentials. However, these credentials do not work with Certificate, Smart Card, or RADIUS authentication. With Kerberos Constrained Delegation (KCD), the administrator configures the usernames and passwords used for KCD.
Microsoft’s Kerberos v5 extension is called Services for Users (S4U) and comprises two parts:
S4U2Self allows a service to obtain a service ticket to itself on behalf of a client and is usually used with a client
certificate. S4U2Self is the Kerberos Protocol Transition extension.
S4U2Proxy allows a service to obtain a service ticket to an arbitrary service on behalf of a user with only the
user's service ticket. The services are constrained by the administrator. S4U2Proxy is the Kerberos Constrained
Delegation (KCD) extension.
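The two exchanges above are easiest to understand from the KDC's side, where the "constrained" part is enforced. The following is an added toy model, not SMA code and not a real KDC: it applies the two checks a KDC makes in classic account-based KCD (as described in Microsoft's MS-SFU specification) and uses constructed SPNs and usernames. Two points it makes concrete: an S4U2Self ticket is only forwardable when the service account is trusted for protocol transition, and an S4U2Proxy request is refused unless the target SPN is on the administrator's allowed list.

```python
# Toy model of the KDC-side checks behind S4U2Self and S4U2Proxy (MS-SFU).
# Constructed example for illustration; not SMA code and not a real KDC.
from dataclasses import dataclass
from typing import FrozenSet

# userAccountControl bit that enables protocol transition on a service account
# (in AD this is the "Use any authentication protocol" delegation setting).
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000


@dataclass(frozen=True)
class ServiceAccount:
    """A front-end service as the KDC sees it (names are constructed)."""
    spn: str                                 # the service's own SPN
    allowed_to_delegate_to: FrozenSet[str]   # msDS-AllowedToDelegateTo
    user_account_control: int                # UAC flags


@dataclass(frozen=True)
class Ticket:
    client: str        # principal the ticket is issued for
    service: str       # SPN the ticket is valid for
    forwardable: bool  # required for use as S4U2Proxy evidence


class KdcError(Exception):
    """Stands in for the KRB-ERROR the KDC would return."""


class ToyKdc:
    def __init__(self, accounts):
        self.accounts = {a.spn: a for a in accounts}

    def s4u2self(self, service_spn: str, user: str) -> Ticket:
        """S4U2Self (protocol transition): the service asks for a ticket to itself
        for `user` without holding any credential for that user. The KDC issues
        it, but marks it forwardable only when the account has
        TRUSTED_TO_AUTH_FOR_DELEGATION; a non-forwardable ticket serves local
        authorization only and is rejected as S4U2Proxy evidence."""
        svc = self.accounts[service_spn]
        transition_ok = bool(svc.user_account_control & TRUSTED_TO_AUTH_FOR_DELEGATION)
        return Ticket(client=user, service=service_spn, forwardable=transition_ok)

    def s4u2proxy(self, service_spn: str, evidence: Ticket, target_spn: str) -> Ticket:
        """S4U2Proxy (constrained delegation): the service presents the user's
        ticket to itself as evidence and asks for a ticket to `target_spn`.
        The KDC enforces the administrator's constraint list and the
        forwardable flag; either failure is KDC_ERR_BADOPTION in practice."""
        svc = self.accounts[service_spn]
        if evidence.service != service_spn:
            raise KdcError("evidence ticket was not issued to the requesting service")
        if not evidence.forwardable:
            raise KdcError("KDC_ERR_BADOPTION: evidence ticket is not forwardable")
        if target_spn not in svc.allowed_to_delegate_to:
            raise KdcError(f"KDC_ERR_BADOPTION: {target_spn} not in msDS-AllowedToDelegateTo")
        # The back-end ticket carries the user's identity, not the service's.
        return Ticket(client=evidence.client, service=target_spn, forwardable=False)


def delegate(kdc: ToyKdc, service_spn: str, user: str, target_spn: str) -> str:
    """Full KCD flow for a user who authenticated to the front end without
    Kerberos (e.g. certificate or RADIUS): S4U2Self, then S4U2Proxy.
    Returns a short outcome string so the result is easy to inspect."""
    try:
        self_ticket = kdc.s4u2self(service_spn, user)
        backend = kdc.s4u2proxy(service_spn, self_ticket, target_spn)
    except KdcError as err:
        return f"denied: {err}"
    return f"granted: {backend.client} -> {backend.service}"


def demo() -> dict:
    """Three cases: properly constrained, wrong target, no protocol transition."""
    sma = ServiceAccount(
        spn="HTTP/sma.example.test",
        allowed_to_delegate_to=frozenset({"HTTP/intranet.example.test"}),
        user_account_control=TRUSTED_TO_AUTH_FOR_DELEGATION,
    )
    # Same constraint list, but protocol transition is not enabled.
    sma_no_pt = ServiceAccount(
        spn="HTTP/sma2.example.test",
        allowed_to_delegate_to=frozenset({"HTTP/intranet.example.test"}),
        user_account_control=0,
    )
    kdc = ToyKdc([sma, sma_no_pt])
    return {
        "allowed": delegate(kdc, sma.spn, "alice", "HTTP/intranet.example.test"),
        "wrong_target": delegate(kdc, sma.spn, "alice", "cifs/files.example.test"),
        "no_transition": delegate(kdc, sma_no_pt.spn, "alice", "HTTP/intranet.example.test"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The model covers classic account-based KCD only; resource-based constrained delegation, where the back end rather than the front end holds the allow list and the forwardable check differs, is deliberately left out. When reviewing an SMA deployment, the two attributes the model keys on are the ones to audit on the KCD service account: keep msDS-AllowedToDelegateTo limited to the SPNs the appliance actually fronts, and enable protocol transition only on that account.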