Kerberos constrained delegation - Amazon Directory Service
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Kerberos constrained delegation

Kerberos constrained delegation is a feature of Windows Server Active Directory. It lets service administrators specify and enforce application trust boundaries by limiting the set of back-end services to which a front-end service can present a user's identity. This is useful when you need to control which front-end service accounts can delegate to which back-end services. Constrained delegation also prevents a service account, such as a group managed service account (gMSA), from connecting to any and all services on behalf of your Active Directory users, which closes off the potential for abuse by a rogue developer or by a compromised front-end application.

For example, suppose user jsmith logs in to an HR payroll application that runs under the service account hr-app-service. You want SQL Server to apply jsmith's database permissions. By default, however, the application opens its database connection with the hr-app-service credentials, so SQL Server applies hr-app-service's permissions rather than jsmith's. To make the application reach SQL Server as jsmith, you enable Kerberos constrained delegation for the hr-app-service account in your Amazon Managed Microsoft AD directory in Amazon Web Services. When jsmith logs on, Active Directory issues a Kerberos ticket that Windows presents automatically when jsmith accesses other services on the network. With constrained delegation, hr-app-service can use jsmith's ticket to obtain a service ticket for SQL Server on jsmith's behalf, but only for the back-end services you have explicitly authorized, so the database connection is opened with permissions specific to jsmith.

To grant permissions that allow users in Amazon Managed Microsoft AD to configure Kerberos constrained delegation, you must add their accounts as members of the Amazon Delegated Kerberos Delegation Administrators security group. By default, the Admin account is a member of this group. Because members of this group decide which service accounts may act on behalf of your users, treat membership as a privileged assignment and keep it as small as possible. For more information about Kerberos constrained delegation, see Kerberos Constrained Delegation Overview on the Microsoft TechNet website.

Resource-based constrained delegation was introduced with Windows Server 2012. Unlike classic constrained delegation, which is configured on the front-end service account, it is configured on the back-end service's account (the msDS-AllowedToActOnBehalfOfOtherIdentity attribute), so the administrator of the back-end service decides which front-end services are allowed to delegate to it.
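The following PowerShell is an added example, not code from the Amazon Web Services documentation, that shows how the hr-app-service to SQL Server scenario above is configured both ways (classic constrained delegation on the front-end account and resource-based constrained delegation on the back-end account) and then verified. It assumes the ActiveDirectory RSAT module, an account that is a member of Amazon Delegated Kerberos Delegation Administrators, and hypothetical names: hr-app-service as the front-end account, SQL01 as the SQL Server computer account, and the domain corp.example.com.

```powershell
# Added example: configure and verify Kerberos constrained delegation.
# Names below (hr-app-service, SQL01, corp.example.com) are hypothetical placeholders.
# Run as a member of "Amazon Delegated Kerberos Delegation Administrators".

Import-Module ActiveDirectory

$FrontEnd = 'hr-app-service'                          # account the HR application runs as
$BackEnd  = 'SQL01'                                   # computer account hosting SQL Server
$SqlSpn   = 'MSSQLSvc/sql01.corp.example.com:1433'    # SPN the application connects to

# --- Option 1: classic constrained delegation, configured on the FRONT-END account ---
# hr-app-service may forward a user's identity only to the SPNs listed in
# msDS-AllowedToDelegateTo. Protocol transition ("use any authentication protocol",
# TrustedToAuthForDelegation) is intentionally left off: Kerberos-only delegation
# requires the front end to hold the user's real Kerberos ticket.
Set-ADUser -Identity $FrontEnd -Add @{ 'msDS-AllowedToDelegateTo' = $SqlSpn }

# --- Option 2: resource-based constrained delegation, configured on the BACK-END account ---
# The owner of SQL01 decides which front-end principals may act on behalf of users
# when talking to SQL01. This writes msDS-AllowedToActOnBehalfOfOtherIdentity on SQL01.
# If hr-app-service is a gMSA, resolve it with Get-ADServiceAccount instead of Get-ADUser.
$FrontEndPrincipal = Get-ADUser -Identity $FrontEnd
Set-ADComputer -Identity $BackEnd -PrincipalsAllowedToDelegateToAccount $FrontEndPrincipal

# --- Verification: what is the front end allowed to do, and who may delegate to the back end ---
Get-ADUser -Identity $FrontEnd -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation |
    Select-Object Name, 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

Get-ADComputer -Identity $BackEnd -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object Name, PrincipalsAllowedToDelegateToAccount

# --- Guard-rail: find accounts with UNCONSTRAINED delegation ---
# TRUSTED_FOR_DELEGATION (userAccountControl bit 0x80000 = 524288) lets an account
# impersonate any authenticating user to ANY service, which is exactly the trust
# boundary constrained delegation is meant to enforce. Only domain controllers are
# expected here; anything else deserves review.
Get-ADObject -LDAPFilter '(&(|(objectClass=user)(objectClass=computer))(userAccountControl:1.2.840.113556.1.4.803:=524288))' -Properties samAccountName |
    Select-Object samAccountName, objectClass
```

Pick one of the two options rather than both in production: classic delegation is controlled by whoever administers the front-end account, while resource-based delegation puts control with the back-end owner, which is the model the last paragraph describes. The final query is the check a reviewer should run after any delegation change, because a single unconstrained-delegation account bypasses every constraint configured above.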