User Kerberos Configuration Reports

3 Reports
About User Kerberos Configuration Reports

User Kerberos Configuration Reports audit Kerberos delegation settings and Service Principal Names (SPNs) on user accounts. These reports are essential for identifying Kerberoasting attack surfaces, reviewing delegation configurations, and ensuring that only authorized accounts have delegation privileges.

  • SPN Auditing: identify Kerberoasting targets
  • Delegation Review: audit constrained delegation
  • Attack Surface: reduce security exposure

[Screenshot: User Kerberos Configuration Reports in AD Reports]

Available Reports

Users with SPNs

User accounts with Service Principal Names set (Kerberoasting attack surface). Any user account with an SPN can have its service ticket requested by any authenticated domain user, making these accounts targets for offline password cracking.

Use Cases
  • Identify Kerberoasting attack surface across user accounts
  • Audit service accounts for strong password enforcement
  • Find candidates for migration to Group Managed Service Accounts (gMSA)
  • Compliance review for privileged service accounts
Key Information
  • Account name and enabled status
  • Service Principal Name (SPN) value
  • Password last set date and "never expires" flag
  • Last logon date
Security Risk: User accounts with SPNs are vulnerable to Kerberoasting attacks. Ensure these accounts have long, complex passwords or consider migrating to Group Managed Service Accounts (gMSAs).
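The same inventory can be produced directly against the directory. The following PowerShell is an added example, not AD Reports' own code; it assumes the RSAT ActiveDirectory module, a domain-joined session with read access to user objects, an assumed 365-day staleness threshold, and it adds the adminCount attribute (not in the report's field list) to surface SPNs on accounts that are or were members of protected groups.

```powershell
# Added example (not AD Reports' own code). Assumes the RSAT ActiveDirectory
# module and a domain-joined session with read access to user objects.
Import-Module ActiveDirectory

# Assumed threshold: treat a service-account password older than this as stale.
$MaxPasswordAgeDays = 365

# Only user objects (objectCategory=person excludes computers) with an SPN set.
$filter = '(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))'
$props  = @('servicePrincipalName', 'PasswordLastSet', 'PasswordNeverExpires',
            'LastLogonDate', 'Enabled', 'AdminCount')

Get-ADUser -LDAPFilter $filter -Properties $props |
    ForEach-Object {
        $user = $_
        $ageDays = if ($user.PasswordLastSet) {
            [int]((Get-Date) - $user.PasswordLastSet).TotalDays
        } else { $null }   # pwdLastSet=0: password must change at next logon

        # Findings a reviewer should act on, worst first.
        $findings = @(
            if ($user.AdminCount -eq 1)     { 'PrivilegedWithSPN' }   # current/former protected-group member
            if ($user.PasswordNeverExpires) { 'PasswordNeverExpires' }
            if ($null -eq $ageDays -or $ageDays -gt $MaxPasswordAgeDays) { 'StalePassword' }
        )

        [pscustomobject]@{
            SamAccountName       = $user.SamAccountName
            Enabled              = $user.Enabled
            SPNs                 = ($user.servicePrincipalName -join '; ')
            PasswordLastSet      = $user.PasswordLastSet
            PasswordAgeDays      = $ageDays
            PasswordNeverExpires = $user.PasswordNeverExpires
            LastLogonDate        = $user.LastLogonDate
            Findings             = ($findings -join ',')
        }
    } |
    Sort-Object PasswordAgeDays -Descending |
    Export-Csv -Path .\users-with-spns.csv -NoTypeInformation
```

Rows with a non-empty Findings column are the ones to prioritise: an SPN on a privileged account, or on an account whose password never expires or has not rotated within the threshold, is exactly the combination the report's security risk note warns about, and a gMSA migration removes the human-managed password entirely.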
Constrained Delegation

User accounts with constrained delegation configured (msDS-AllowedToDelegateTo). These accounts can impersonate users to specific services, which requires careful auditing to prevent privilege escalation.

Use Cases
  • Review accounts configured to impersonate users to specific backend services
  • Verify delegation is scoped to only required services (not unconstrained)
  • Audit multi-tier application service account configurations
Key Information
  • Account name and type (user vs. service account)
  • Allowed delegation targets (msDS-AllowedToDelegateTo)
  • Protocol transition enabled (TrustedToAuthForDelegation)
  • Account enabled status
Security Note: Constrained delegation with protocol transition (S4U2Self) allows an account to impersonate ANY user to the delegated services — even without the user's Kerberos ticket. Audit this permission carefully.
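To review the same configuration from the command line, the following PowerShell is an added example, not AD Reports' own code. It assumes the RSAT ActiveDirectory module and a domain-joined session; the severity labels are this example's own convention.

```powershell
# Added example (not AD Reports' own code). Assumes the RSAT ActiveDirectory
# module and a domain-joined session with read access to user objects.
Import-Module ActiveDirectory

$props = @('msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation',
           'TrustedForDelegation', 'Enabled')

# User accounts with at least one constrained-delegation target.
Get-ADUser -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties $props |
    ForEach-Object {
        $user    = $_
        $targets = @($user.'msDS-AllowedToDelegateTo')

        # Targets are "serviceclass/host[:port]"; summarise distinct hosts and
        # service classes so the reviewer sees the scope at a glance.
        $hosts    = $targets | ForEach-Object { (($_ -split '/')[1]) -replace ':\d+$', '' } | Sort-Object -Unique
        $services = $targets | ForEach-Object { ($_ -split '/')[0] } | Sort-Object -Unique

        # TrustedToAuthForDelegation is protocol transition: the account can get
        # a service ticket for any user through S4U2Self and forward it, so it
        # outranks Kerberos-only constrained delegation. TrustedForDelegation
        # next to a target list means unconstrained delegation is also enabled,
        # which makes the target list irrelevant.
        $severity = if ($user.TrustedForDelegation)          { 'Critical-Unconstrained' }
                    elseif ($user.TrustedToAuthForDelegation) { 'High-ProtocolTransition' }
                    else                                      { 'Review-KerberosOnly' }

        [pscustomobject]@{
            SamAccountName     = $user.SamAccountName
            Enabled            = $user.Enabled
            TargetCount        = $targets.Count
            TargetHosts        = ($hosts -join '; ')
            TargetServices     = ($services -join '; ')
            ProtocolTransition = [bool]$user.TrustedToAuthForDelegation
            Severity           = $severity
        }
    } |
    Sort-Object Severity |
    Format-Table -AutoSize
```

The Critical and High rows are the ones the security note is about: any account with protocol transition should be confirmed as a genuine multi-tier application requirement, and an account that is both constrained and unconstrained should have the unconstrained flag cleared.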
Resource-Based Constrained Delegation

User accounts with Resource-Based Constrained Delegation (msDS-AllowedToActOnBehalfOfOtherIdentity). RBCD allows the target resource to control which accounts can delegate to it, providing a more flexible delegation model.

Use Cases
  • Audit RBCD model where the resource controls delegation (not the user account)
  • Detect potential RBCD-based privilege escalation paths
  • Review msDS-AllowedToActOnBehalfOfOtherIdentity assignments
Key Information
  • Account with RBCD configured
  • Accounts allowed to act on its behalf
  • Account type and enabled status
Critical: RBCD misconfigurations are a well-known attack path for privilege escalation. Any account with Write access to a resource's msDS-AllowedToActOnBehalfOfOtherIdentity can potentially compromise it.
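The following PowerShell is an added example, not AD Reports' own code, covering both sides of the RBCD report: who is allowed to act on behalf of each account, and who holds the Write access the critical note describes. It assumes the RSAT ActiveDirectory module (which provides the AD: drive used by Get-Acl) and a domain-joined session; the list of expected writers is an assumed baseline to be adjusted per domain, and the attribute's schema GUID is resolved at runtime rather than hard-coded.

```powershell
# Added example (not AD Reports' own code). Assumes the RSAT ActiveDirectory
# module (for Get-ADUser and the AD: drive) and a domain-joined session.
Import-Module ActiveDirectory

# Resolve the schema GUID of the RBCD attribute at runtime so the ACL check
# below does not depend on a hard-coded value.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$rbcdAttr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-AllowedToActOnBehalfOfOtherIdentity)' `
    -Properties schemaIDGUID
$rbcdGuid = [guid]$rbcdAttr.schemaIDGUID

# Broad rights that let a principal rewrite the RBCD attribute (or the ACL).
$writeMask = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, GenericWrite, WriteDacl, WriteOwner'
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Assumed baseline of principals whose write access is expected, not a finding.
$expectedWriters = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

Get-ADUser -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
    -Properties PrincipalsAllowedToDelegateToAccount, Enabled |
    ForEach-Object {
        $user = $_
        $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

        # Principals able to modify the attribute: a broad right, or WriteProperty
        # scoped to this attribute or to all properties (empty ObjectType GUID).
        $writers = $acl.Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and (
                    (($_.ActiveDirectoryRights -band $writeMask) -ne 0) -or
                    ((($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
                     ($_.ObjectType -eq $rbcdGuid -or $_.ObjectType -eq [guid]::Empty))
                )
            } |
            ForEach-Object { $_.IdentityReference.Value } |
            Sort-Object -Unique |
            Where-Object { $_ -notin $expectedWriters }

        [pscustomobject]@{
            SamAccountName       = $user.SamAccountName
            Enabled              = $user.Enabled
            # Decoded from the msDS-AllowedToActOnBehalfOfOtherIdentity descriptor.
            AllowedToActOnBehalf = ($user.PrincipalsAllowedToDelegateToAccount -join '; ')
            # Anyone listed here can rewrite the list above, including adding
            # a principal they control, which is the escalation path to close.
            CanModifyRbcd        = ($writers -join '; ')
        }
    } | Format-List
```

Inherited ACEs are included in $acl.Access, so a writer that appears on many accounts usually points at an OU-level permission rather than a per-object one; fixing the inheritance source is the durable remediation.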
See These Reports in Action

Try AD Reports free for 14 days — run any of these reports on your own Active Directory.
