Kerberos Unconstrained Delegation.

An Active Directory configuration that lets a service receive and store TGTs for any authenticating user, allowing it to impersonate them to any other service — a high-impact misconfiguration repeatedly abused for credential theft and domain compromise. サイバーセキュリティの ID とアクセス カテゴリに属します。

An Active Directory configuration that lets a service receive and store TGTs for any authenticating user, allowing it to impersonate them to any other service — a high-impact misconfiguration repeatedly abused for credential theft and domain compromise.

Unconstrained delegation is the original Kerberos delegation mode in Active Directory. A computer or service account marked 'Trust this computer for delegation to any service' (the TRUSTED_FOR_DELEGATION user-account-control flag) receives the user's TGT inside the Kerberos service ticket as part of the standard double-hop sign-in. The service can then use that TGT to request service tickets for the user to any other service in the forest — there is no scoping. Attackers love this for two reasons. First, any user (including high-privilege accounts and even Domain Admins) who interacts with a compromised unconstrained-delegation host effectively donates their TGT to the attacker. Second, the 'Print Spooler bug' (and similar coerced-auth tricks like PetitPotam) can force domain controllers to authenticate to such a host, yielding the DC's TGT. Mitigations are categorical: never enable unconstrained delegation on new servers, migrate existing usage to constrained or resource-based constrained delegation, mark sensitive accounts as 'Account is sensitive and cannot be delegated', deploy Protected Users group membership for high-privilege users, and audit `userAccountControl` for the `TRUSTED_FOR_DELEGATION` flag.

Kerberos Unconstrained Delegation に対する防御は通常、上記の定義で述べたとおり、技術的統制と運用上の実践を組み合わせます。

一般的な別名: UD, Trust for delegation to any service。