Sign Up for Training |
insightsoftware Company Site
Submit a Request
Become a Jet Insider
Give Feedback

Kerberos "Double Hop" and "Delegation"


When Kerberos authentication requires a "Double Hop" of credentials, Delegation must be configured on the network.



Kerberos is a network authentication protocol which allows computers on a network to communicate with each other in a secure manner.


Single Hop

Before we define "Double Hop", let's look at a simple example of "Single Hop".

When a user contacts a server on a network, that user provides their authentication information. 

 This is a one-step process and requires no special setup.


Double Hop

If, however, that network server must then access other servers on the network AND the user's credentials must be authenticated on those other servers... 

 This is a "Double Hop" situation.


Essentially, the network must be configured to give the various systems permission to reuse the user's credentials to access resources hosted on a different server than the original server that was contacted by the user.

The configuration that grants this permission is referred to as "Kerberos Delegation".

Available Resources

As every network is unique, it would not be possible for Jet Global to provide detailed instructions for setting up Kerberos Delegation in your environment.

To help you to understand and configure Kerberos Delegation, here are just a few Internet references:

Kerberos Delegation - MSDN

About Kerberos Constrained Delegation - MS TechNet

Kerberos Constrained Delegation Overview - MS Docs

How to Configure the Server to be Trusted for Delegation - MS TechNet


Was this article helpful?
0 out of 0 found this helpful