diff --git a/windows-hardening/active-directory-methodology/constrained-delegation.md b/windows-hardening/active-directory-methodology/constrained-delegation.md
index f1a56fbd..be4400fd 100644
--- a/windows-hardening/active-directory-methodology/constrained-delegation.md
+++ b/windows-hardening/active-directory-methodology/constrained-delegation.md
@@ -27,7 +27,7 @@ Using this a Domain admin can **allow** a computer to **impersonate a user or co
 
 This means that if you **compromise the hash of the service** you can **impersonate users** and obtain **access** on their behalf to the **service configured** (possible **privesc**).
 
-Moreover, you **won't only have access to the service that the user is able to impersonate, but also to any service** because the SPN is not being checked, only privileges. Therefore, if you have access to **CIFS service** you can also have access to **HOST service** using `/altservice` flag in Rubeus.
+Moreover, you **won't only have access to the service that the user is able to impersonate, but also to any service** because the SPN (the service name requested) is not being checked, only privileges. Therefore, if you have access to **CIFS service** you can also have access to **HOST service** using `/altservice` flag in Rubeus.
 
 Also, **LDAP service access on DC**, is what is needed to exploit a **DCSync**.