cifs/target.domain.local SPN, the service class is cifs).

msDS-AllowedToActOnBehalfOfOtherIdentity attribute needs to be appended with an account controlled by the attacker. This second account (called serviceB) needs to have at least one SPN. msDS-AllowedToActOnBehalfOfOtherIdentity).

If the account configured with KCD without protocol transition is a computer, controlling another account to operate the RBCD approach is not needed. In this case, serviceB = serviceA: the computer account can be configured for a "self-rbcd".
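From the defender's side, the "self-rbcd" state described above is visible in the directory: the account's own SID appears in its own msDS-AllowedToActOnBehalfOfOtherIdentity value. The following audit check is an added example, not code from the original page; the function names are hypothetical, the sample SID and descriptor bytes are constructed, and only plain ACCESS_ALLOWED ACEs are decoded.

```python
import struct

def parse_sid(buf, off):
    """Decode the binary SID at buf[off:] into S-1-... string form."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from(f"<{count}I", buf, off + 8)
    return "-".join(["S", str(rev), str(authority), *map(str, subs)])

def rbcd_trustees(sd):
    """SIDs named by ACCESS_ALLOWED ACEs in the DACL of a self-relative
    security descriptor, i.e. the raw attribute value read over LDAP."""
    if not sd or len(sd) < 20:
        return []                                # attribute not set
    control = struct.unpack_from("<H", sd, 2)[0]
    dacl_off = struct.unpack_from("<I", sd, 16)[0]
    if not control & 0x0004 or dacl_off == 0:    # SE_DACL_PRESENT missing
        return []
    ace_count = struct.unpack_from("<H", sd, dacl_off + 4)[0]
    pos, sids = dacl_off + 8, []                 # skip the 8-byte ACL header
    for _ in range(ace_count):
        ace_type, _flags, ace_size = struct.unpack_from("<BBH", sd, pos)
        if ace_type == 0x00:                     # header(4) + mask(4), then SID
            sids.append(parse_sid(sd, pos + 8))
        pos += ace_size
    return sids

def classify(own_sid, sd):
    """'self-rbcd' when the account lists itself, 'rbcd' when it lists only
    other principals, 'none' when the attribute is empty."""
    trustees = rbcd_trustees(sd)
    if own_sid in trustees:
        return "self-rbcd"
    return "rbcd" if trustees else "none"

# Constructed sample: a computer whose attribute names its own (made-up) SID.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_SD = bytes.fromhex(
    "0100048040000000000000000000000014000000"   # SD header, DACL at offset 20
    "02002c0001000000"                           # ACL header, one ACE
    "00002400ff010f00"                           # allow ACE, size 36, mask 0xF01FF
    "010500000000000515000000c7353a428e6b748455a1aec651040000"  # SAMPLE_SID
    "01020000000000052000000020020000"           # owner S-1-5-32-544
)

if __name__ == "__main__":
    print(classify(SAMPLE_SID, SAMPLE_SD))
```

In an audit, `classify` would be fed each account's objectSid and raw attribute value; a "self-rbcd" result on a computer that is also configured for constrained delegation is the combination the paragraph above describes.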