# Kerberos Delegation

<figure><img src="https://3740919960-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F4Am0a4hPyOcUCfhPUAm9%2Fuploads%2FGpmnHb9DXzQOKjhqI2Is%2Fimage.png?alt=media&#x26;token=422818c7-3a6b-4acb-9e76-9499c644e951" alt=""><figcaption></figcaption></figure>

Let's assume that there is an end user in a Domain. There is a database server in a separate DMZ. The user can access the database only through a web server.

Here, the user authenticates to the web server, and the web server in turn makes the requests to the database server.

The web server impersonates the user. This means the web server's service account is trusted for delegation, which allows it to make requests to the database as the user.

In the 6th step (see the figure above), the web server decrypts the TGS the user presented, obtains the user's TGT carried inside it, and uses that TGT to request a TGS for the database server.

This means that if the web server is compromised, anyone controlling it can obtain the TGT of every user connecting to the database through it.
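As an added example (not part of the original page), the following audit shows how a defender would find the accounts that can receive forwarded TGTs in the way described above, and which privileged users would still hand over their TGT to such a host. It works on `userAccountControl` bit flags as they appear in an LDAP export; the flag values are Microsoft's documented ones, while the account records are constructed and hypothetical.

```python
# Bit flags of the AD userAccountControl attribute (documented Microsoft values).
UF_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
UF_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation (the setup on this page)
UF_NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Constructed sample records shaped like an export of sAMAccountName,
# userAccountControl and memberOf. Hosts and users are hypothetical.
SAMPLE_ACCOUNTS = [
    {"sam": "DC01$",   "uac": 0x82000,   "member_of": []},                   # DC: delegates by design
    {"sam": "WEB01$",  "uac": 0x81000,   "member_of": []},                   # web server, unconstrained
    {"sam": "DB01$",   "uac": 0x1000,    "member_of": []},                   # ordinary server
    {"sam": "svc_web", "uac": 0x1000200, "member_of": []},                   # protocol transition
    {"sam": "alice",   "uac": 0x200,     "member_of": ["Domain Admins"]},    # admin, NOT protected
    {"sam": "bob",     "uac": 0x100200,  "member_of": ["Domain Admins"]},    # admin, flag set
    {"sam": "carol",   "uac": 0x200,     "member_of": ["Domain Admins", "Protected Users"]},
    {"sam": "dave",    "uac": 0x200,     "member_of": ["Staff"]},            # ordinary user
]


def audit_delegation(accounts, privileged_groups=("Domain Admins",)):
    """Flag non-DC accounts trusted for unconstrained delegation, accounts
    allowed protocol transition, and privileged users whose TGT would still
    be forwarded to such a host (no NOT_DELEGATED flag, not in Protected Users)."""
    unconstrained, protocol_transition, unprotected_admins = [], [], []
    for acct in accounts:
        uac, groups = acct["uac"], acct["member_of"]
        # Domain controllers legitimately carry TRUSTED_FOR_DELEGATION; skip them.
        if uac & UF_TRUSTED_FOR_DELEGATION and not uac & UF_SERVER_TRUST_ACCOUNT:
            unconstrained.append(acct["sam"])
        if uac & UF_TRUSTED_TO_AUTH_FOR_DELEGATION:
            protocol_transition.append(acct["sam"])
        is_privileged = any(g in privileged_groups for g in groups)
        shielded = bool(uac & UF_NOT_DELEGATED) or "Protected Users" in groups
        if is_privileged and not shielded:
            unprotected_admins.append(acct["sam"])
    return {
        "unconstrained": unconstrained,
        "protocol_transition": protocol_transition,
        "unprotected_admins": unprotected_admins,
    }


if __name__ == "__main__":
    for finding, names in audit_delegation(SAMPLE_ACCOUNTS).items():
        print(f"{finding}: {', '.join(names) or '-'}")
```

Feed it the real `userAccountControl` and `memberOf` values from your directory; every name under `unconstrained` is a host whose compromise exposes the TGT of any user that authenticates to it, and every name under `unprotected_admins` is a user who should get the NOT_DELEGATED flag or Protected Users membership.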
