diff --git a/freeipa.spec b/freeipa.spec index d3101fb..40b5d3e 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -143,7 +143,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 5%{?dist} +Release: 6%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -156,6 +156,7 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.as Patch0: 4045.patch Patch1: krb5-kdb-fixes.patch Patch2: krb5-1.18-support.patch +Patch3: krb5-1.18-support-constraint-delegation.patch # For the timestamp trick in patch application BuildRequires: diffstat @@ -1362,6 +1363,10 @@ fi %changelog +* Sat Feb 01 2020 Alexander Bokovoy - 4.8.4-6 +- Fix constraint delegation for krb5 1.18 update +- Resolves: #1797096 + * Tue Jan 28 2020 Fedora Release Engineering - 4.8.4-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild diff --git a/krb5-1.18-support-constraint-delegation.patch b/krb5-1.18-support-constraint-delegation.patch new file mode 100644 index 0000000..250529a --- /dev/null +++ b/krb5-1.18-support-constraint-delegation.patch 
@@ -0,0 +1,61 @@
+From d92f21ae1b3051f96043c64320a768551de39d5a Mon Sep 17 00:00:00 2001
+From: Isaac Boukris
+Date: Fri, 31 Jan 2020 22:58:18 +0100
+Subject: [PATCH 1/2] Fix DAL v8 support
+
+Signed-off-by: Isaac Boukris
+Reviewed-By: Alexander Bokovoy
+---
+ daemons/ipa-kdb/ipa_kdb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
+index 3982c131b..8f3c22070 100644
+--- a/daemons/ipa-kdb/ipa_kdb.c
++++ b/daemons/ipa-kdb/ipa_kdb.c
+@@ -720,8 +720,8 @@ stub_sign_authdata(krb5_context context, unsigned int flags,
+ void *ad_info, krb5_data ***auth_indicators,
+ krb5_authdata ***signed_auth_data)
+ {
+- krb5_db_entry *krbtgt = header_server ? header_server : server;
+- krb5_keyblock *krbtgt_key = header_key ? header_key : server_key;
++ krb5_db_entry *krbtgt = header_server ? header_server : local_tgt;
++ krb5_keyblock *krbtgt_key = header_key ? header_key : local_tgt_key;
+
+ return ipadb_sign_authdata(context, flags, client_princ, client, server,
+ krbtgt, client_key, server_key, krbtgt_key,
+--
+2.24.1
+
+
+From c940f96b700d845afda014d41a0004068d379a9a Mon Sep 17 00:00:00 2001
+From: Isaac Boukris
+Date: Fri, 31 Jan 2020 23:03:09 +0100
+Subject: [PATCH 2/2] Fix legacy S4U2Proxy in DAL v8 support
+
+Signed-off-by: Isaac Boukris
+Reviewed-By: Alexander Bokovoy
+---
+ daemons/ipa-kdb/ipa_kdb.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
+index 8f3c22070..7bd30be85 100644
+--- a/daemons/ipa-kdb/ipa_kdb.c
++++ b/daemons/ipa-kdb/ipa_kdb.c
+@@ -723,6 +723,12 @@ stub_sign_authdata(krb5_context context, unsigned int flags,
+ krb5_db_entry *krbtgt = header_server ? header_server : local_tgt;
+ krb5_keyblock *krbtgt_key = header_key ? header_key : local_tgt_key;
+
++ if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
++ client = header_server;
++ krbtgt = local_tgt;
++ krbtgt_key = local_tgt_key;
++ }
++
+ return ipadb_sign_authdata(context, flags, client_princ, client, server,
+ krbtgt, client_key, server_key, krbtgt_key,
+ session_key, authtime, tgt_auth_data,
+--
+2.24.1
+
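Review bot: In the second nested patch, the added `if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)` branch assigns `client = header_server` with no NULL check, although the two ternaries directly above it treat `header_server` as possibly NULL, so a NULL client entry could reach `ipadb_sign_authdata` on that path; whether the callee tolerates that is not visible here. If a NULL `header_server` is never valid with this flag, rejecting the request there rather than continuing would make the assumption explicit. The branch also swaps the entry while leaving `client_princ` and `client_key` as passed in, and it overrides the `krbtgt`/`krbtgt_key` values just computed, without saying why. Because this code picks the entry and key used to sign authorization data, a comment such as `/* S4U2Proxy: pass header_server as client and sign with the local TGT key, as the pre-DAL-v8 code expected */` would help, assuming that is the intent. `stub_sign_authdata` begins and ends outside the hunk.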