Kerberos Delegation question

  • Last Post 30 September 2018
Mahdi posted this 26 September 2018

Greetings experts!

I have been reading about "Kerberos Delegation" for about 3 hours now. It is quite a simple concept, but there are so many things that I have no answer for at the moment.

Consider WEB1 and DB1 as front-end and back-end servers. Also there is CL1, which acts as the client. The scenario is really simple: the client opens the website located at WEB1, selects a report, hits the "Generate Report" button, the report is fetched from DB1 and sent to WEB1, and the client sees that report in his browser at CL1. That is the whole scenario. So here are the questions:

  • Why is DB1 even in need of the user's credentials or TGT, based on the concepts of Kerberos Delegation? Can WEB1 not simply present its own TGT to DB1, fetch the result that the user needs, then present the result to the user? Not even a single touch on the user's credentials or his TGT or TGS, ...


  • Of course there will be service accounts on DB1 to fetch the results. We call this service account SVC1. Considering this, WEB1 will ask DB1: "Hey DB1! I know SVC1 is over there and has access. Can you tell him to create this X report for me?". The report is prepared and sent back to WEB1, and it presents it in the browser and says: "There you go CL1. Here is the report you wanted". Considering this example, why should WEB1 ask for tickets on behalf of CL1? Why the bloody hell why ???


  • This question is simple. I do not understand the role of 'Kerberos Delegation' here.. :D


Thanks for everybody!

staveled posted this 26 September 2018

Q. If the web server retrieves the report from the database server using its own credentials, how is the web server to know that the end user is entitled to see the content? (The entitlement is known only to the database server.)

Q. If the database server is reporting only to the web server, how does the web server provide the database server with the assurance that the report is only being sent on to the appropriate recipients? (Only the web server knows what it's done with the report.)


ken posted this 26 September 2018

Dale’s already provided a succinct answer to the question.


In more general terms, there are two main models you can use in your two-tier architecture:

  (a) Where the web tier makes all the decisions (think of it as both a decision point, and an enforcement point), then you are using a "Trusted subsystem" model. The webserver needs to have all the logic necessary to evaluate whether the requesting client is authorised to view the data requested. The back-end database has ACLs that allow the web-tier to access all applicable data, and there are no separate checks to ensure that the end user is entitled to access the data requested.

  (b) Where the web tier may, or may not, make checks on what the client is allowed to request. Some of those checks may be delegated (or independently enforced) in the database tier. This is where Kerberos delegation comes into play. The end user's credentials are sent to the database tier for independent evaluation against the ACL on the data.


Generally, in high performance situations you want to use (a). But in more complex, distributed systems, you want to use a model like (b), because the backend tier may not trust the front end tiers to make all the necessary decisions (e.g. coarse grained vs. fine grained authorizations). In these scenarios though, you may not be passing around Kerberos tickets, but rather JWTs and SAML assertions.
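The two models ken describes, as an added toy simulation (not code from this thread or from any Kerberos implementation); the principal names, SPNs, report ACL and the delegation rule are constructed assumptions. It shows why DB1 can only enforce its own entitlements in model (b), where the ticket it receives names the end user:

```python
from dataclasses import dataclass

# Constructed data (assumptions, not from the thread): DB1 holds the only copy of
# the report entitlements, and WEB1 is allowed to delegate only to DB1's SPN.
WEB1_SPN, DB1_SPN = "HTTP/web1", "MSSQL/db1"
DB1_REPORT_ACL = {                       # model (a) requires granting WEB1 everything
    "sales-q3": {"alice", WEB1_SPN},
    "payroll": {"hr-bob", WEB1_SPN},
}
ALLOWED_TO_DELEGATE_TO = {WEB1_SPN: {DB1_SPN}}   # like msDS-AllowedToDelegateTo

@dataclass(frozen=True)
class ServiceTicket:
    client: str   # principal the ticket asserts
    service: str  # SPN the ticket was issued for

def kdc_issue(tgt_owner, service):
    """Ordinary TGS request: the TGT owner asks for a ticket in its own name."""
    return ServiceTicket(tgt_owner, service)

def kdc_s4u2proxy(front_end, evidence, target_spn):
    """Constrained delegation: a front end trades the user's ticket for itself
    into a ticket in the user's name for a back-end SPN, if the KDC allows it."""
    if target_spn not in ALLOWED_TO_DELEGATE_TO.get(front_end, set()):
        raise PermissionError(f"{front_end} may not delegate to {target_spn}")
    if evidence.service != front_end:
        raise PermissionError("evidence ticket was not issued to this front end")
    return ServiceTicket(evidence.client, target_spn)

def db1_fetch(ticket, report):
    """DB1 decides solely on the principal named in the ticket it receives."""
    if ticket.service != DB1_SPN:
        raise PermissionError("ticket is for another service")
    if ticket.client not in DB1_REPORT_ACL.get(report, set()):
        raise PermissionError(f"{ticket.client} is not entitled to {report}")
    return f"report:{report}"

def web1_trusted_subsystem(user, report):
    """Model (a): WEB1 presents its own ticket. DB1 only ever sees WEB1, so the
    per-user check must live in WEB1; with no such check, any user gets any report."""
    return db1_fetch(kdc_issue(WEB1_SPN, DB1_SPN), report)

def web1_delegation(user, report):
    """Model (b): WEB1 gets a DB1 ticket in the user's name; DB1 enforces its ACL."""
    evidence = kdc_issue(user, WEB1_SPN)     # the ticket the browser sent to WEB1
    return db1_fetch(kdc_s4u2proxy(WEB1_SPN, evidence, DB1_SPN), report)
```

In model (a) `web1_trusted_subsystem("alice", "payroll")` succeeds because DB1 never learns who asked, while in model (b) the same request is refused by DB1's own ACL.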

kool posted this 26 September 2018

As the other replies have pointed out, you use delegation when you want the data access decisions to be made at the data source.


This topic is so confusing I wrote a blog post on it which may be helpful.


Good luck!

Mahdi posted this 27 September 2018

Thanks for the replies. Very informative indeed. However, I am still not confident that I understood completely, so I may have some other questions. I may look silly by asking these questions, but go ahead, call me that.. Kill me but make me understand :)

@staveled: So DB1 will need to know if the user is entitled to see the contents or not. Ok, that is fair enough. But why should WEB1 talk on behalf of the user? The user has a valid TGT, so he can ask for a TGS, and once he has the TGS he goes to DB1, ACL check and bla bla bla. As long as the user has a valid TGT, he will not need to re-enter the credentials. So we can say the user could simply go directly to DB1. Isn't that true?

@ken: Exactly. Since we are not dealing with a 'Trusted Subsystem', Kerberos Delegation comes into play. So DB1 should know if the user has access or not. Ok, can you please clarify these questions:

  • In this case, you are saying that we have two levels of ACLs, one at WEB1, one at DB1, is that true?
  • In this example, DB1 will need to verify the user identity. Can this identity not be verified when the user talks directly with DB1 with his own TGT? What is the reason that we have to allow WEB1 to talk to DB1 on behalf of the user? Is this because the user has no network access to DB1? Is it because the user does not go to the KDC to request a TGS? What benefits does Kerberos Delegation have?

@Kool Thanks for the lovely article! I read through that. But I still have the same question as I mentioned above. I am still confused about what benefits Kerberos Delegation can provide. I can claim that the user can simply go to the KDC and request a TGS for DB1. In that case DB1 can not only verify the authenticity of the user (because it is verified by the KDC), but DB1 is also not relying on a third party system like WEB1.


Thanks a lot for your contributions.

ken posted this 27 September 2018

In a two tier system, the client talks to the web tier (using a browser), and the web tier talks to the database tier. The client doesn't have any connectivity, nor a client application, that can talk to the DB directly. The DB tier returns the raw data results to the web tier, and the web tier then formats this data into a suitable presentation for the client.

Icolan posted this 30 September 2018

As long as the user has a valid TGT, he will not need to re-enter the credentials. so we can say the user could simply go directly to DB1.