Kerberos Double Hop

Kerberos Double Hop is a term used to describe a method of maintaining the client's Kerberos authentication credentials over two or more connections. In this fashion we can retain the user’s credentials and act on behalf of the user in further connections to other servers.

Please make sure you read the previous Kerberos for the busy admin post first, as I will frequently refer to terms introduced there.

The Kerberos TGT is the user's identity. When the client forwards a copy of its TGT along with the service ticket, the receiving service can present that forwarded TGT to the KDC and request further service tickets in the user's name, which is how it reaches other service resources on the network as that user.

There are requirements for a service to be able to perform Kerberos double hop. The service account needs to be trusted for delegation, meaning it must be trusted to act on another user's behalf (in Active Directory this is the "Trust this computer for delegation" setting, which sets the TRUSTED_FOR_DELEGATION flag on the account). Source and target servers must be in the same forest, or there must be a forest-level trust between the forests and the first-level service account must be in the trusted forest root. The user's own account must also not be marked "Account is sensitive and cannot be delegated"; if it is, the KDC will not issue a forwardable TGT and the first hop has nothing to delegate. Keep in mind that in this (unconstrained) form of delegation the first server holds a copy of the user's TGT and can use it against any service, not just the intended second hop, so that server must be protected at least as carefully as the user's own workstation. Where the back-end services are known in advance, constrained delegation limits the first hop to exactly those services.

How it Works:

Step 1 - The client provides its credentials and the domain controller returns a Kerberos TGT to the client.
Step 2 - The client uses the TGT to request a service ticket for Server 1.
Step 3 - The client connects to Server 1 and presents both the service ticket and a forwarded copy of its TGT.
Step 4 - Server 1 uses the client's forwarded TGT to request a service ticket for Server 2 in the client's name.
Step 5 - Server 1 connects to Server 2 with that ticket, so Server 2 sees the connection as coming from the client.
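The following PowerShell is an added example, not code from the original post: it checks the preconditions listed in the requirements above for the five-step flow just described, namely that the first hop is trusted for delegation, that the user is allowed to be delegated, and that the client's cached TGT is actually forwardable. The names SERVER1, SERVER2, alice and the domain are assumptions for illustration; it needs the ActiveDirectory (RSAT) module on a domain-joined machine.

```powershell
# Added example (not from the original post). Verifies the requirements for
# Kerberos double hop from a client, through SERVER1, to SERVER2 as user alice.
# All host, user and domain names below are assumed values; change them.
Import-Module ActiveDirectory

$user    = 'alice'     # assumed: the user whose identity is delegated
$server1 = 'SERVER1'   # assumed: first hop, must be trusted for delegation
$server2 = 'SERVER2'   # assumed: second hop (back-end service)

# 1. The first-hop service account (here the computer account of SERVER1) must
#    be trusted for delegation. TrustedForDelegation maps to the
#    TRUSTED_FOR_DELEGATION bit (0x80000) of userAccountControl, which is the
#    unconstrained delegation the post describes. msDS-AllowedToDelegateTo is
#    populated instead when constrained delegation is configured.
$hop1 = Get-ADComputer -Identity $server1 -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
if ($hop1.TrustedForDelegation) {
    Write-Output "$server1 is trusted for unconstrained delegation (receives users' TGTs)."
} elseif ($hop1.'msDS-AllowedToDelegateTo') {
    Write-Output "$server1 uses constrained delegation to: $($hop1.'msDS-AllowedToDelegateTo' -join ', ')"
    if (-not ($hop1.'msDS-AllowedToDelegateTo' -match $server2)) {
        Write-Warning "No SPN on $server2 is in the allowed list; the second hop will fail."
    }
} else {
    Write-Warning "$server1 is not trusted for delegation; it cannot request tickets for $user."
}

# 2. The user must not be marked "Account is sensitive and cannot be delegated"
#    (NOT_DELEGATED, 0x100000), otherwise the KDC will not issue a forwardable
#    TGT and Step 3 hands SERVER1 nothing it can use. Membership in Protected
#    Users blocks delegation in the same way.
$acct = Get-ADUser -Identity $user -Properties AccountNotDelegated, MemberOf
if ($acct.AccountNotDelegated) {
    Write-Warning "$user is marked sensitive and cannot be delegated."
}
if ($acct.MemberOf -match '^CN=Protected Users,') {
    Write-Warning "$user is in Protected Users; delegation is blocked for this account."
}

# 3. On the client, confirm the cached TGT (service krbtgt/...) carries the
#    "forwardable" ticket flag; klist prints the flags of each cached ticket.
klist | Select-String -Pattern 'krbtgt', 'Ticket Flags'

# 4. Inventory every host configured for unconstrained delegation: each one
#    ends up holding copies of users' TGTs (Step 3 of the post) and therefore
#    deserves the same protection as a domain controller.
Get-ADComputer -Filter 'TrustedForDelegation -eq $true' |
    Select-Object Name, DNSHostName
```

Run the first two sections from any domain-joined machine with RSAT and the third on the client whose session is being delegated, after it has obtained a TGT (for example right after logon or after running klist purge and reconnecting). If the checks pass and the second hop still fails, look next at the SPNs registered for the service on Server 2, since without a matching SPN Step 4 cannot obtain a ticket.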


About The Author

Deepak Gupta is an IT and web consultant. He is the founder and CEO of diTii.com and DIT Technologies, where he provides technology consultancy and the design and development of desktop, web and mobile applications using various tools and software.