Kerberos Unconstrained Delegation.

An Active Directory configuration that lets a service receive and store TGTs for any authenticating user, allowing it to impersonate them to any other service — a high-impact misconfiguration repeatedly abused for credential theft and domain compromise. 它属于网络安全的 身份与访问 分类。

An Active Directory configuration that lets a service receive and store TGTs for any authenticating user, allowing it to impersonate them to any other service — a high-impact misconfiguration repeatedly abused for credential theft and domain compromise.

Unconstrained delegation is the original Kerberos delegation mode in Active Directory. A computer or service account marked 'Trust this computer for delegation to any service' (the TRUSTED_FOR_DELEGATION user-account-control flag) receives the user's TGT inside the Kerberos service ticket as part of the standard double-hop sign-in. The service can then use that TGT to request service tickets for the user to any other service in the forest — there is no scoping. Attackers love this for two reasons. First, any user (including high-privilege accounts and even Domain Admins) who interacts with a compromised unconstrained-delegation host effectively donates their TGT to the attacker. Second, the 'Print Spooler bug' (and similar coerced-auth tricks like PetitPotam) can force domain controllers to authenticate to such a host, yielding the DC's TGT. Mitigations are categorical: never enable unconstrained delegation on new servers, migrate existing usage to constrained or resource-based constrained delegation, mark sensitive accounts as 'Account is sensitive and cannot be delegated', deploy Protected Users group membership for high-privilege users, and audit `userAccountControl` for the `TRUSTED_FOR_DELEGATION` flag.

针对 Kerberos Unconstrained Delegation 的防御通常结合技术控制与运营实践,详见上方完整定义。

常见的别称包括: UD, Trust for delegation to any service。