Creating a lab for practicing Kerberos Constrained Delegation is very easy.
Open > Active Directory Users and Computers
First you have to create a new user in your domain, or you can use an existing one. For now I'm using my existing user.
- Click on the user account (Frank Castle) > Properties
- Go to the Attribute Editor tab, select `servicePrincipalName` and then > click on Edit
To allow the user to do Kerberos delegation, it has to have an SPN first. We are going to add a dummy one:
- Add Value >
- Click on Apply and then OK
Now go to the Delegation tab > select `Trust this user for delegation to specified services only` and under that > select `Use any authentication protocol`
- Click on Add > Users or Computers
- Then you have to add the name of the computer that provides the `cifs` and `ldap` services, that is, the `Domain Controller` > click on OK
- Now select the services
- Click on Add > Apply > OK
Your Delegation tab should look like this now.
Don't forget to set `Trust this user for delegation to specified services only` and then `Use any authentication protocol`. Also make sure the services are as follows. You can now go try the attack!
⇒ Now your lab is ready for Kerberos Constrained Delegation abuse.
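
To confirm the GUI steps above actually landed in the directory, the following added example (not part of the original post) reads back the attributes behind the Delegation tab and then lists every account in the domain with the same settings. It assumes the RSAT ActiveDirectory module is installed; `fcastle` is a placeholder sAMAccountName for the lab user and `Get-ConstrainedDelegationAccount` is a helper name chosen for this example.

```powershell
# Added example, not from the original post. Read-only: it changes nothing in AD.
# Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bit set by "Use any authentication protocol" on the Delegation tab
$UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000

function Get-ConstrainedDelegationAccount {
    param(
        # Optional sAMAccountName; the restricted character set keeps the LDAP filter well-formed
        [ValidatePattern('^[\w.\-$]+$')]
        [string]$SamAccountName
    )
    # Services added on the Delegation tab are stored in msDS-AllowedToDelegateTo
    $filter = '(msDS-AllowedToDelegateTo=*)'
    if ($SamAccountName) {
        $filter = "(&(msDS-AllowedToDelegateTo=*)(sAMAccountName=$SamAccountName))"
    }
    $props = 'sAMAccountName', 'servicePrincipalName', 'userAccountControl', 'msDS-AllowedToDelegateTo'
    Get-ADObject -LDAPFilter $filter -Properties $props | ForEach-Object {
        [pscustomobject]@{
            Account            = $_.sAMAccountName
            ObjectClass        = $_.ObjectClass
            HasSpn             = [bool]$_.servicePrincipalName
            ProtocolTransition = [bool]($_.userAccountControl -band $UAC_TRUSTED_TO_AUTH_FOR_DELEGATION)
            DelegatesTo        = @($_.'msDS-AllowedToDelegateTo')
        }
    }
}

# 'fcastle' is an assumed sAMAccountName for the lab user; substitute your own.
$lab = Get-ConstrainedDelegationAccount -SamAccountName 'fcastle'
if (-not $lab) {
    Write-Warning 'No msDS-AllowedToDelegateTo entries: no services were added on the Delegation tab.'
} else {
    if (-not $lab.HasSpn) { Write-Warning 'Account has no SPN.' }
    if (-not $lab.ProtocolTransition) { Write-Warning '"Use any authentication protocol" is not set.' }
    foreach ($svc in 'cifs', 'ldap') {
        if (-not ($lab.DelegatesTo -like "$svc/*")) { Write-Warning "No $svc/ target in the delegation list." }
    }
    $lab | Format-List
}

# Domain-wide view: every account that holds the same delegation rights as the lab user
Get-ConstrainedDelegationAccount | Sort-Object Account | Format-Table -AutoSize
```

Outside a lab, any account this report shows with `ProtocolTransition` set to `True` and a domain controller service in `DelegatesTo` is worth reviewing.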