Service for User (S4U) is a pair of Kerberos protocol extensions that makes constrained delegation possible. In other words, these two Kerberos extensions enable a configured service (i.e. permitted for constrained delegation) to obtain a TGS (to explicitly allowed services only) on behalf of another client using the service account’s TGT. The service account can perform the delegation without the client’s request/approval.
S4U consists of two extensions:
- S4U2Self: A request that lets a configured service account obtain a TGS to its own service on behalf of a client user.
- Requires the service account’s TGT
- This is mainly useful when a client has authenticated to a service using a non-Kerberos protocol, and the service needs to access the user’s Kerberos-related information (e.g. perform authorization check, or use S4U2Proxy). In other words, S4U2Self marks a “protocol transition.”
- S4U2Proxy: A request that lets a configured service account obtain a TGS to another service on the behalf of the user.
- Requires a TGS to the service permitted for delegation. The TGS can be obtained from S4U2Self, though other means are allowed.
- The service can perform delegation without the client’s knowledge or request.
- In this use case, the second service is seen as a “proxy” service. In other words, the second service acts on behalf of the first service.