Skip to main content
cd ../config-traps
risk/register/unconstrained-delegation-turns-one-box-into-domain-admin.html
Active Directory Kerberos Delegationcritical severityActive Directory

Unconstrained Delegation Turns One Box Into Domain Admin

Overview

Ticking 'Trust this computer for delegation to any service' caches every visiting Domain Admin TGT in LSASS on that server. Local admin compromise plus Mimikatz ticket dumping, or PetitPotam-coerced DC authentication, hands the attacker full DCSync capability from one forgotten checkbox.

At a glance

Unsafe setting
TRUSTED_FOR_DELEGATION flag set on non-DC member server or service account
Failure trigger
Local admin compromise dumps cached TGTs, or PetitPotam coerces DC authentication to the server
Blast radius
Full domain compromise via DCSync, originating from a single unconstrained-delegation server object
Recommended control
Remove flag; use constrained or resource-based delegation; place Tier 0 accounts in Protected Users with NOT_DELEGATED set

Fix commands and configuration

Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation,servicePrincipalName
Set-ADAccountControl -Identity SERVER01$ -TrustedForDelegation $false

The Trap

Unconstrained Kerberos delegation set on a non-DC member server object. In Active Directory terms, this is the userAccountControl flag TRUSTED_FOR_DELEGATION (0x80000) applied to a computer or service account that has no business holding domain-wide delegation trust.

The Default State

An administrator ticks "Trust this computer for delegation to any service (Kerberos only)" in Active Directory Users and Computers to fix a double-hop authentication failure — typically on an IIS front-end, a SQL Server service account, or a file server fronting a legacy line-of-business app. Vendor install guides for older SharePoint farms and SCCM management points still recommend this exact checkbox rather than scoped delegation, because it silently resolves the Kerberos hop error without anyone reading what TrustedForDelegation actually grants. The setting persists for years because nobody revisits it once the ticket is closed.

The Blast Radius

Any TGT presented to that server is cached in full inside LSASS memory, not just a service ticket. If an attacker gains local administrator or SYSTEM on the box — via an unpatched web app, a coerced service, or a stolen local account — they can dump every cached TGT with sekurlsa::tickets in Mimikatz or Rubeus dump, including the ticket of any Domain Admin who RDP'd in for a routine task. Pair this with PrinterBug (MS-RPRN) or PetitPotam to coerce a domain controller into authenticating to the compromised server, and the attacker captures the DC's own machine account TGT. From there it's DCSync and full domain compromise, all originating from one forgotten checkbox on a file server nobody classified as Tier 0.

The Lead Mechanic Fix

Audit first: Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation,servicePrincipalName and the equivalent Get-ADUser query for service accounts. Strip the flag with Set-ADAccountControl -Identity SERVER01$ -TrustedForDelegation $false. Replace the requirement with constrained delegation via msDS-AllowedToDelegateTo listing explicit target SPNs, or migrate to Resource-Based Constrained Delegation by setting msDS-AllowedToActOnBehalfOfOtherIdentity on the resource itself, removing the need for domain-wide trust on the front-end. Place all Tier 0 accounts in the Protected Users group and set the NOT_DELEGATED bit ("Account is sensitive and cannot be delegated") so no server configuration can capture their tickets regardless of drift. Feed continuous BloodHound or PingCastle scans against TrustedForDelegation objects into your SIEM, alerting on Event ID 4672 privileged logons landing on flagged hosts.