SeEnableDelegationPrivilege in the domain) whereas with RBCD, these attributes are set on the target service account itself (requires lower privileges).

PA-PAC-OPTIONS structure must contain a padata value with the resource-based constrained delegation bit set (nota bene 1: this only applies if the resource-based constrained delegation (RBCD) is actually possible and authorized in the proper AD object attributes) (nota bene 2: Rubeus and Impacket's getST set that bit when doing S4U2proxy).

-user filter to list delegations for a specific account.

TrustedForDelegation
TrustedToAuthForDelegation
AllowedToDelegateTo
PrincipalsAllowedToDelegateToAccount (i.e. refers to the msDS-AllowedToActOnBehalfOfOtherIdentity attribute)