Kerberos Protocol Transition and Constrained Delegation
Where clients have direct access to the KDC of the realm their principal belongs to, Kerberos authentication between "Kerberized" applications operates normally. However, where direct access to the KDC is not possible, a user cannot always reach services that require an exchange of Kerberos tickets for authentication. For example, a laptop connected only to the public Internet might be unable to reach the laptop user's KDC because of firewall rules. To address this, two extensions to the Kerberos protocol are available: Protocol Transition and Constrained Delegation (specified by Microsoft as the S4U2Self and S4U2Proxy operations of MS-SFU).
Protocol Transition
This mechanism allows a suitably privileged Kerberos service to obtain a ticket to itself for an arbitrary user principal in a given realm, without that user ever contacting the KDC. The KDC does not verify the user's identity itself; it expects the service to have authenticated the user through some other means (for example a TLS client certificate or a password checked against another directory) before it issues the ticket for that user in the Kerberos protocol. In other words, the service provides a transition from one authentication protocol to Kerberos, and it becomes the trust anchor for that user's identity. The ticket obtained this way is addressed to the service itself and is not, on its own, usable at any other service.
Constrained Delegation
Since the service providing the protocol transition should already have satisfied itself that the user is who they claim to be, a ticket for an arbitrary user principal to itself is of limited use. Through constrained delegation, the service can delegate that ticket to another service: it presents the user's ticket to itself as evidence when it asks the KDC for a ticket for the same user to a further Kerberized service, and then uses the resulting ticket to make a request to that service on the user's behalf. The further service processes the request in the context of the original user, exactly as if the user had authenticated to it directly.
Being able to impersonate any user in a realm could be considered too much power for a service, so the "constrained" aspect of the feature lets the KDC restrict which target services the ticket may be delegated to; a request for a ticket to a service outside that list is refused. Note what the constraint does and does not cover: it limits the targets, not the users, so the delegating service can still act as any user that the KDC has not explicitly excluded from delegation (in Active Directory, accounts marked "sensitive and cannot be delegated" or placed in the Protected Users group). The service account that is trusted for protocol transition and delegation therefore needs the same protection as the targets it can reach, and its list of allowed targets should be kept to the minimum the application actually needs.
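As an added example (not code from the original page or from any particular project), the following Java GSS-API program shows both steps from the point of view of the middle-tier service: protocol transition through com.sun.security.jgss.ExtendedGSSCredential.impersonate(), then constrained delegation when the impersonated credential is used to initiate a context to a back-end service. The principal name alice@EXAMPLE.COM, the back-end SPN HTTP@backend.example.com and the class name are assumptions for illustration; the example also assumes the JVM already holds the service's own Kerberos credentials (for instance from a JAAS Krb5LoginModule login with a keytab and -Djavax.security.auth.useSubjectCredsOnly=false) and that the KDC has authorized this service for protocol transition and listed the back end as a permitted delegation target.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import com.sun.security.jgss.ExtendedGSSCredential;

/**
 * Added example: a middle-tier service that has authenticated a user by some
 * non-Kerberos means and now calls a Kerberized back end as that user.
 *
 * Assumptions (hypothetical names, replace with your own):
 *  - the JVM already holds this service's own Kerberos credentials;
 *  - the KDC trusts this service for protocol transition and allows it to
 *    delegate to HTTP/backend.example.com;
 *  - the user principal is alice@EXAMPLE.COM.
 */
public class DelegatingService {

    // Kerberos V5 mechanism OID.
    private static final Oid KRB5_MECH = krb5Oid();

    private static Oid krb5Oid() {
        try {
            return new Oid("1.2.840.113554.1.2.2");
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Protocol transition (S4U2Self): turn an already-verified user name into a
     * Kerberos credential for that user that only this service can use. The KDC
     * performs no check of the user here; it relies on this service having
     * authenticated the user, which is why the service must be specifically
     * authorized for protocol transition.
     */
    static GSSCredential impersonate(GSSManager manager, String userPrincipal)
            throws GSSException {
        GSSCredential serviceCred = manager.createCredential(
                null, GSSCredential.DEFAULT_LIFETIME, KRB5_MECH,
                GSSCredential.INITIATE_ONLY);
        GSSName user = manager.createName(userPrincipal, GSSName.NT_USER_NAME);
        return ((ExtendedGSSCredential) serviceCred).impersonate(user);
    }

    /**
     * Constrained delegation (S4U2Proxy): authenticate to the back end as the
     * impersonated user. The first initSecContext() call asks the KDC for a
     * ticket to the target on the user's behalf, presenting the S4U2Self ticket
     * as evidence; the KDC grants it only if the target is on this service's
     * allowed-delegation list, and otherwise the call throws a GSSException.
     */
    static byte[] firstTokenForBackend(GSSManager manager, GSSCredential userCred,
                                       String backendSpn) throws GSSException {
        GSSName backend = manager.createName(backendSpn, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(
                backend, KRB5_MECH, userCred, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        // Do not forward credentials beyond this hop: the back end should not be
        // able to act as the user anywhere else.
        ctx.requestCredDeleg(false);
        // An empty input token starts the exchange; the output is the AP-REQ to
        // send to the back end (for HTTP, base64 in "Authorization: Negotiate").
        return ctx.initSecContext(new byte[0], 0, 0);
    }

    public static void main(String[] args) throws GSSException {
        GSSManager manager = GSSManager.getInstance();
        GSSCredential alice = impersonate(manager, "alice@EXAMPLE.COM");
        byte[] apReq = firstTokenForBackend(manager, alice, "HTTP@backend.example.com");
        System.out.println("AP-REQ for backend is " + apReq.length + " bytes");
    }
}
```

When checking a deployment, the useful failure to provoke is the second step with a target that is not on the allowed list: the KDC should refuse the S4U2Proxy request (Active Directory KDCs commonly answer KDC_ERR_BADOPTION), and the GSSException seen here is the evidence that the constraint is in force. If the call succeeds for an unlisted target, the service has been granted unconstrained delegation rather than constrained delegation.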