Kerberos Constrained Delegation Support
This chapter discusses the Traffic Manager’s support for Kerberos Constrained Delegation.
The Kerberos Protocol
The Kerberos protocol allows entities (known as “principals”) to authenticate to each other through a commonly understood and trusted Key Distribution Center (KDC) service. The KDC for a realm authenticates the principals associated with that realm by verifying the credentials each principal provides. It can subsequently generate tickets that principals operating in the realm exchange in order to establish authenticated peer-to-peer exchanges of information. A ticket issued by the KDC for a user to a principal contains identity data for the user, encrypted using a secret shared only by that principal and the KDC.
Microsoft® implementations of the Kerberos protocol refer to the realm as a “domain”, and to the KDC service as the “domain controller”.