Kerberos Double Hop
Kerberos Double Hop is a term used to describe a method of maintaining the client's Kerberos authentication credentials over two or more connections. In this fashion we can retain the user’s credentials and act on behalf of the user in further connections to other servers.
Please make sure you read the previous Kerberos for the busy admin post as I will reference terms used in that blog frequently.
The Kerberos TGT is the user’s identity. When the client passes this ticket along with the service ticket, the server can re-use the TGT to request further service tickets and speak to other service resources on our network on the user's behalf.
There are requirements for a service to be able to perform Kerberos double hop. The service account needs to be trusted for delegation, meaning it must be trusted to act on another user’s behalf. Source and target servers must be in the same forest, or there must be a forest-level trust between the forests and the first-level service account must be in the trusted forest root.
How it Works:
Step 1 - Client provides credentials and domain controller returns a Kerberos TGT to the client.
Step 2 - Client uses TGT to request a service ticket to connect to Server 1.
Step 3 - Client connects to Server 1 and provides both TGT and service ticket.
Step 4 - Server 1 uses the client’s TGT to request a service ticket so Server 1 can connect to Server 2.
Step 5 - Server 1 connects to Server 2 using the client’s credentials.
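The five steps above as a small Python model, added here as an example and not code from the original post. Tickets are plain dataclasses rather than encrypted blobs, the "KDC" is a dictionary of accounts, and the names alice, web01 and sql01 are constructed sample values. The model ties the "trusted for delegation" requirement to the flow the way Windows does it: the KDC marks the front-end service ticket OK-AS-DELEGATE only when that service account is trusted for delegation, the client forwards its TGT only when it sees that flag, and without a forwarded TGT Server 1 has nothing it can use to reach Server 2 as the user.

```python
"""Toy model of the Kerberos double hop (added example, not from the post).
Tickets are plain dataclasses instead of encrypted blobs and the 'KDC' is a
dictionary; alice, web01 and sql01 are constructed sample names."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    client: str                   # identity the ticket asserts
    service: str                  # "krbtgt" for a TGT, else the target server
    ok_as_delegate: bool = False  # set by the KDC when the service account is trusted for delegation


class KDC:
    def __init__(self, accounts, trusted_for_delegation):
        self.accounts = dict(accounts)               # user -> password
        self.trusted = set(trusted_for_delegation)   # accounts trusted for delegation

    def authenticate(self, user, password):
        """Step 1 (AS exchange): credentials in, TGT out."""
        if self.accounts.get(user) != password:
            raise PermissionError("bad credentials for " + user)
        return Ticket(user, "krbtgt")

    def request_service_ticket(self, tgt, target):
        """Steps 2 and 4 (TGS exchange): a TGT buys a service ticket for target.
        The ticket names whoever the TGT names, so a server presenting a
        client's forwarded TGT receives a ticket in the client's name."""
        if tgt.service != "krbtgt":
            raise ValueError("not a TGT")
        return Ticket(tgt.client, target, ok_as_delegate=target in self.trusted)


class Server:
    def __init__(self, name, kdc):
        self.name, self.kdc, self.seen = name, kdc, []
        self.forwarded_tgt = None

    def accept(self, st, forwarded_tgt=None):
        """Steps 3 and 5: check the ticket is for us, record who connected,
        and keep any TGT the client chose to forward."""
        if st.service != self.name:
            raise PermissionError(f"ticket for {st.service} presented to {self.name}")
        self.seen.append(st.client)
        self.forwarded_tgt = forwarded_tgt

    def hop(self, target):
        """Steps 4 and 5: reach the next server as the client, using the forwarded TGT."""
        if self.forwarded_tgt is None:
            raise PermissionError(f"{self.name} holds no forwarded TGT; double hop not possible")
        st = self.kdc.request_service_ticket(self.forwarded_tgt, target.name)
        target.accept(st)


def double_hop(kdc, user, password, front, back):
    """Run the five steps and return the identity the back-end server saw."""
    tgt = kdc.authenticate(user, password)                 # step 1
    st1 = kdc.request_service_ticket(tgt, front.name)      # step 2
    # step 3: the client forwards its TGT only when the KDC flagged the
    # front-end service OK-AS-DELEGATE, i.e. its account is trusted for delegation
    front.accept(st1, forwarded_tgt=tgt if st1.ok_as_delegate else None)
    front.hop(back)                                        # steps 4 and 5
    return back.seen[-1]


def demo(front_trusted_for_delegation):
    """Identity seen by sql01, or the error message when the second hop fails."""
    kdc = KDC({"alice": "pw"}, ["web01"] if front_trusted_for_delegation else [])
    web, sql = Server("web01", kdc), Server("sql01", kdc)
    try:
        return double_hop(kdc, "alice", "pw", web, sql)
    except PermissionError as err:
        return str(err)


if __name__ == "__main__":
    print(demo(True))   # alice
    print(demo(False))  # web01 holds no forwarded TGT; double hop not possible
```

Running `demo(True)` shows sql01 seeing "alice" rather than "web01", which is the whole point of the double hop; `demo(False)` shows the failure mode an admin sees when the front-end account is not trusted for delegation: the client never forwards its TGT, so the second hop has no identity to present.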
Guides:
- Kerberos on IIS, http://support.microsoft.com/kb/326985 , is a good resource that discusses using IIS for the front-end server.
- Kerberos on 2000 server clusters, http://support.microsoft.com/kb/235529
- Kerberos in SQL Server, http://support.microsoft.com/kb/319723
- Kerberos with network load balancing, http://support.microsoft.com/kb/325608
- Kerberos with SMS 2003, http://support.microsoft.com/kb/326985
References:
- Kerberos RFC - http://www.ietf.org/rfc/rfc1510.txt
- Microsoft Kerberos Tech Ref - http://technet2.microsoft.com/windowsserver/en/library/b748fb3f-dbf0-4b01-9b22-be14a8b4ae101033.mspx?mfr=true
- Kerberos Double Hop webcast - http://support.microsoft.com/kb/887682
- Constrained Delegation - http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/constdel.mspx
- Protocol Transition - http://technet2.microsoft.com/windowsserver/en/library/4c8b5ac7-368b-45b9-91d7-1ae7c5e0da311033.mspx?mfr=true