Resource Based Constrained Delegation (RBCD)

Similar to Constrained Delegation, but with the direction reversed: instead of granting an object permission to impersonate any user against a service, RBCD is set on the target object itself and lists which principals are allowed to impersonate any user against it.

Resource-based Constrained Delegation (RBCD)

RBCD is different from the classic constrained delegation. There are two major differences.

  • Delegation authority has changed from domain admin to resource owner.

  • The delegation is configured on the back-end service rather than on the front-end (e.g. web) server, so an attribute of the target service controls who can delegate to it.

In most cases, we have to configure RBCD on the target and then abuse it.

To abuse RBCD in the most effective form, we just need two privileges.

  1. Write permissions over the target service or object, so that msDS-AllowedToActOnBehalfOfOtherIdentity can be configured on it.

  2. Control over an object which has an SPN configured (for example admin access to a domain-joined machine, or the ability to join a machine to the domain; ms-DS-MachineAccountQuota is 10 for all domain users by default).
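Both of the privileges above are auditable from the defender's side. The following PowerShell script is an added example, not part of the original notes; it assumes the RSAT ActiveDirectory module is loaded (which also provides the AD: PSDrive) and that the caller can read the directory. It reports (a) every object that already has msDS-AllowedToActOnBehalfOfOtherIdentity populated and which principals that descriptor allows, (b) which non-default principals can write that attribute (or hold GenericWrite/GenericAll/WriteDacl/WriteOwner) on a given target, and (c) the current ms-DS-MachineAccountQuota. The -Target parameter and the $builtinPrincipals filter list are assumptions for this example.

```powershell
param(
    # Target whose write ACL should be reviewed (assumption: a computer sAMAccountName)
    [string]$Target = 'WEBSRV01$'
)
Import-Module ActiveDirectory

# (a) Objects that already have RBCD configured, and who the descriptor allows.
# The attribute is a binary security descriptor; the DACL trustees are the
# principals allowed to act on behalf of other identities against this object.
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties msDS-AllowedToActOnBehalfOfOtherIdentity, objectClass |
ForEach-Object {
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorBinaryForm($_.'msDS-AllowedToActOnBehalfOfOtherIdentity')
    $trustees = $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            # Resolve the SID to a name where possible; keep the raw SID otherwise
            try { $_.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $_.IdentityReference.Value }
        }
    [PSCustomObject]@{
        Check                = 'RBCD configured'
        Target               = $_.DistinguishedName
        ObjectClass          = $_.ObjectClass
        AllowedToActOnBehalf = ($trustees -join '; ')
    }
}

# (b) Who can write msDS-AllowedToActOnBehalfOfOtherIdentity on the target?
# Look the attribute's schemaIDGUID up instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-AllowedToActOnBehalfOfOtherIdentity)' `
    -Properties schemaIDGUID).schemaIDGUID

$targetObj = Get-ADObject -LDAPFilter "(sAMAccountName=$Target)"
$acl = Get-Acl -Path "AD:\$($targetObj.DistinguishedName)"

# Principals expected to hold write rights; anything else deserves a look (assumed list)
$builtinPrincipals = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                       'Domain Admins', 'Enterprise Admins', 'Account Operators')
$broadRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner'

$acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (
        # explicit WriteProperty on this attribute, or WriteProperty on all attributes
        (($_.ActiveDirectoryRights -band 'WriteProperty') -and
         ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)) -or
        # or a broad right that implies it
        (($_.ActiveDirectoryRights -band $broadRights) -ne 0 -and $_.ObjectType -eq [guid]::Empty)
    )
} | Where-Object {
    $id = $_.IdentityReference.Value
    -not ($builtinPrincipals | Where-Object { $id -like "*$_" })
} | ForEach-Object {
    [PSCustomObject]@{
        Check     = 'Can write RBCD attribute'
        Target    = $targetObj.DistinguishedName
        Principal = $_.IdentityReference.Value
        Rights    = $_.ActiveDirectoryRights
        Inherited = $_.IsInherited
    }
}

# (c) How many computer accounts may an ordinary user add? Default is 10.
$domainDN = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
[PSCustomObject]@{ Check = 'ms-DS-MachineAccountQuota'; Value = $quota }
```

Run it as `.\Audit-Rbcd.ps1 -Target 'WEBSRV01$'`; an empty result for check (a) and (b) on sensitive hosts, together with a quota of 0, closes off the two privileges the notes describe. The attribute is also exposed by `Get-ADComputer -Properties PrincipalsAllowedToDelegateToAccount`, which is a convenient cross-check for a single host, but the raw descriptor above is what actually gets evaluated by the KDC.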
