Unconstrained Delegation Turns One Box Into Domain Admin
Ticking 'Trust this computer for delegation to any service' caches every visiting Domain Admin TGT in LSASS on that server. Local admin compromise plus Mimikatz ticket dumping, or PetitPotam-coerced DC authentication, hands the attacker full DCSync capability from one forgotten checkbox.
At a glance
- Unsafe setting
- TRUSTED_FOR_DELEGATION flag set on non-DC member server or service account
- Failure trigger
- Local admin compromise dumps cached TGTs, or PetitPotam coerces DC authentication to the server
- Blast radius
- Full domain compromise via DCSync, originating from a single unconstrained-delegation server object
- Recommended control
- Remove flag; use constrained or resource-based delegation; place Tier 0 accounts in Protected Users with NOT_DELEGATED set
Fix commands and configuration
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation,servicePrincipalNameSet-ADAccountControl -Identity SERVER01$ -TrustedForDelegation $falseThe Trap
Unconstrained Kerberos delegation set on a non-DC member server object. In Active Directory terms, this is the userAccountControl flag TRUSTED_FOR_DELEGATION (0x80000) applied to a computer or service account that has no business holding domain-wide delegation trust.
The Default State
An administrator ticks "Trust this computer for delegation to any service (Kerberos only)" in Active Directory Users and Computers to fix a double-hop authentication failure — typically on an IIS front-end, a SQL Server service account, or a file server fronting a legacy line-of-business app. Vendor install guides for older SharePoint farms and SCCM management points still recommend this exact checkbox rather than scoped delegation, because it silently resolves the Kerberos hop error without anyone reading what TrustedForDelegation actually grants. The setting persists for years because nobody revisits it once the ticket is closed.
The Blast Radius
Any TGT presented to that server is cached in full inside LSASS memory, not just a service ticket. If an attacker gains local administrator or SYSTEM on the box — via an unpatched web app, a coerced service, or a stolen local account — they can dump every cached TGT with sekurlsa::tickets in Mimikatz or Rubeus dump, including the ticket of any Domain Admin who RDP'd in for a routine task. Pair this with PrinterBug (MS-RPRN) or PetitPotam to coerce a domain controller into authenticating to the compromised server, and the attacker captures the DC's own machine account TGT. From there it's DCSync and full domain compromise, all originating from one forgotten checkbox on a file server nobody classified as Tier 0.
The Lead Mechanic Fix
Audit first: Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation,servicePrincipalName and the equivalent Get-ADUser query for service accounts. Strip the flag with Set-ADAccountControl -Identity SERVER01$ -TrustedForDelegation $false. Replace the requirement with constrained delegation via msDS-AllowedToDelegateTo listing explicit target SPNs, or migrate to Resource-Based Constrained Delegation by setting msDS-AllowedToActOnBehalfOfOtherIdentity on the resource itself, removing the need for domain-wide trust on the front-end. Place all Tier 0 accounts in the Protected Users group and set the NOT_DELEGATED bit ("Account is sensitive and cannot be delegated") so no server configuration can capture their tickets regardless of drift. Feed continuous BloodHound or PingCastle scans against TrustedForDelegation objects into your SIEM, alerting on Event ID 4672 privileged logons landing on flagged hosts.