Kerberos Unconstrained Delegation
What is Kerberos Unconstrained Delegation?
Kerberos Unconstrained Delegation: An Active Directory configuration that lets a service receive and store TGTs for any authenticating user, allowing it to impersonate them to any other service — a high-impact misconfiguration repeatedly abused for credential theft and domain compromise.
Unconstrained delegation is the original Kerberos delegation mode in Active Directory. A computer or service account marked 'Trust this computer for delegation to any service' (the `TRUSTED_FOR_DELEGATION` user-account-control flag) receives the user's TGT inside the Kerberos service ticket as part of the standard double-hop sign-in. The service can then use that TGT to request service tickets for the user to any other service in the forest — there is no scoping.
Attackers love this for two reasons. First, any user (including high-privilege accounts and even Domain Admins) who interacts with a compromised unconstrained-delegation host effectively donates their TGT to the attacker. Second, the 'Print Spooler bug' (and similar coerced-auth tricks like PetitPotam) can force domain controllers to authenticate to such a host, yielding the DC's TGT.
Mitigations are categorical: never enable unconstrained delegation on new servers, migrate existing usage to constrained or resource-based constrained delegation, mark sensitive accounts as 'Account is sensitive and cannot be delegated', deploy Protected Users group membership for high-privilege users, and audit `userAccountControl` for the `TRUSTED_FOR_DELEGATION` flag.
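One way to run the `userAccountControl` audit and the sensitive-account check listed in the mitigations, as an added example that is not part of the original glossary entry. The account names, the `privileged` set and the sample records are constructed; skipping domain controllers (which carry the flag by default) and disabled accounts is a choice made for this example.

```python
# Added example: audit exported AD records for delegation-related
# userAccountControl bits. The sample records below are constructed.
TRUSTED_FOR_DELEGATION = 0x80000   # "Trust this computer for delegation to any service"
NOT_DELEGATED = 0x100000           # "Account is sensitive and cannot be delegated"
SERVER_TRUST_ACCOUNT = 0x2000      # domain controller computer account
ACCOUNTDISABLE = 0x2

# LDAP filter (bitwise-AND matching rule) that selects the flag server-side.
LDAP_FILTER = f"(userAccountControl:1.2.840.113556.1.4.803:={TRUSTED_FOR_DELEGATION})"

def audit(records, privileged):
    """Return (unconstrained, exposed) lists of sAMAccountName.

    records: dicts with 'sAMAccountName', 'userAccountControl', 'memberOf'.
    privileged: names the caller treats as high-privilege (an assumption).
    """
    unconstrained, exposed = [], []
    for r in records:
        uac = int(r["userAccountControl"])  # LDAP returns the value as a string
        name = r["sAMAccountName"]
        if uac & ACCOUNTDISABLE:
            continue  # example choice: ignore disabled accounts
        # Report the flag only on accounts that are not domain controllers.
        if (uac & TRUSTED_FOR_DELEGATION) and not (uac & SERVER_TRUST_ACCOUNT):
            unconstrained.append(name)
        if name in privileged:
            protected = any(dn.upper().startswith("CN=PROTECTED USERS,")
                            for dn in r.get("memberOf", []))
            # Neither mitigation applied: this account's TGT can be delegated.
            if not ((uac & NOT_DELEGATED) or protected):
                exposed.append(name)
    return unconstrained, exposed

SAMPLE = [  # constructed records, as an LDAP export might look
    {"sAMAccountName": "DC01$", "userAccountControl": "532480", "memberOf": []},
    {"sAMAccountName": "IIS01$", "userAccountControl": "528384", "memberOf": []},
    {"sAMAccountName": "FILE01$", "userAccountControl": "4096", "memberOf": []},
    {"sAMAccountName": "svc-legacy", "userAccountControl": "524800", "memberOf": []},
    {"sAMAccountName": "OLD01$", "userAccountControl": "528386", "memberOf": []},
    {"sAMAccountName": "adm-alice", "userAccountControl": "512", "memberOf": []},
    {"sAMAccountName": "adm-bob", "userAccountControl": "1049088", "memberOf": []},
    {"sAMAccountName": "adm-carol", "userAccountControl": "512",
     "memberOf": ["CN=Protected Users,CN=Users,DC=example,DC=test"]},
]

if __name__ == "__main__":
    print(LDAP_FILTER)
    print(audit(SAMPLE, {"adm-alice", "adm-bob", "adm-carol"}))
```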
● Examples
- 01
A red team coerces a Domain Controller to authenticate to a compromised IIS server with unconstrained delegation, harvests the DC's TGT, and proceeds to a DCSync attack.
- 02
A blue-team sweep removes the TRUSTED_FOR_DELEGATION flag from all member servers and migrates a small set of legacy SQL servers to resource-based constrained delegation.
● Frequently asked questions
What is Kerberos Unconstrained Delegation?
An Active Directory configuration that lets a service receive and store TGTs for any authenticating user, allowing it to impersonate them to any other service — a high-impact misconfiguration repeatedly abused for credential theft and domain compromise. It belongs to the Identity and Access category in cybersecurity.
How do you defend against Kerberos Unconstrained Delegation?
Defenses against Kerberos Unconstrained Delegation typically combine technical controls and operational practices, as detailed in the definition.
What are other names for Kerberos Unconstrained Delegation?
Common alternative names: UD, Trust for delegation to any service.
● Related terms
- identity-access№ 652
Kerberos
Ticket-based network authentication protocol that uses symmetric cryptography and a trusted Key Distribution Center to provide secure single sign-on.
- identity-access№ 014
Active Directory
Microsoft's enterprise directory service for Windows networks, providing centralized authentication, authorization and policy management for users, computers and resources.
- identity-access№ 653
Kerberos Constrained Delegation
An Active Directory delegation mode that allows a service to impersonate users only to a specified set of target services — safer than unconstrained delegation, but still abused via S4U2Self / S4U2Proxy attacks when misconfigured.
- attacks№ 651
Kerberoasting
Offline password attack that requests Kerberos service tickets for service accounts and cracks the encrypted portion to recover the plaintext password.
- attacks№ 886
Pass-the-Ticket
Active Directory attack that reuses a stolen Kerberos ticket to impersonate a user or service without knowing the password.
- attacks№ 836
NTLM Relay Attack
Adversary-in-the-middle attack (MITRE T1557.001) in which the attacker relays a victim's NTLM authentication to another service to impersonate them without knowing the password.