Kerberos Constrained Delegation, Double-Hops and Protocol Transition

Reading Time: < 1 minute

Have been struggling with an issue where "Constrained Delegation" is enabled for an application and it is doing multiple "Hops" from the application and eventually making it to a SQL Server.  During the hops, an SPN is correctly presenting the Users TGT Hash as requested but then for some reason the TGT hash changes from an SPN to just a the HOST name of a member server (This was all observed through WireShark).  The internal code was reviewed and the same service calls were utilized when the correct Constrained calls were made and then when the call translated into an NTLM call(?).

Well it turns out we hadn't done anything wrong but when a multiple Hop Constrained Delegation configuration is used there is an issue where the User's TGT hash can transitioned to NTLM and the only way to continue to leverage Kerberos Constrained Delegation is to allow the SPN to allow it to "Use Any Authentication Protocol".

Basically an unrequested “Protocol Transition” occurs inflight transitioning from Kerberos to NTLM and the only way to get the intermediary hops to be able to use Kerberos Delegation through the process is to allow the intermediary services to request the authority to do a “Protocol Transition” back to Kerberos.

Kerberos Constrained Delegation May Require Protocol Transition in Multi-hop Scenarios