Kerberos (Un)Constrained Delegation

Kerberos (Un)Constrained Delegation

October 22, 2021 Active Directory AD Security 0

Microsoft implemented Kerberos “unconstrained delegation” in Windows 2000 that enables this level of delegation. Delegation is used when a service requires access to another service on a different computer.

Two types of the delegation levels can be used to allow a service to impersonate a user.
Kerberos Un-Constrained Delegation
Kerberos Constrained Delegation

A server that is trusted for unconstrained delegation is allowed to impersonate any user/service within the network. When a user requests a Service Ticket from a DC to a service, which is enabled for delegation, the DC will copy the client’s Ticket Granting Ticket (TGT) and attach it to the Service Ticket, which will later be presented to the service. When the user accesses the service with the Service Ticket, the user’s TGT will be extracted and saved in the server’s LSASS for later use. As a result, the service will be able to impersonate the user to any service within the network.

If a server trusted for unconstrained delegation is compromised, the attacker will have access to all of the TGTs of the users that used the service. Using the TGT ticket, an attacker can access all of the resources available in the network with the compromised user’s permissions.

For Unconstrained Delegation : TrustedForDelegation = True
For Constrained Delegation : TrustedToAuthForDelegation = True

PrimaryGroupID  515 – Domain Computers (Workstation & Servers – No Domain Controllers)
PrimaryGroupID  516 – Domain Controllers (writable) – Domain Controllers (All)
PrimaryGroupID 521 – Domain Controllers (Read-Only) -Domain Controllers (RODCs only)

Find out computers with unconstrained delegation is from Active Directory Domain.

Get-ADComputer -Filter {(TrustedForDelegation -eq $True) -and (PrimaryGroupID -eq 515)}  -Properties Name,TrustedForDelegation,TrustedToAuthForDelegation,ServicePrincipalName

How to Enable or Disable Constrained Delegation:

  • Open the Users and Computers (dsa.msc)
  • Open “Workstation/Server” properties
  • Go to delegation tab [If delegation missing then nothing to worry. Because no SPN set for the respective object]
  • Select “Trust this computer for delegation to specified services only” to enable.
  • Select “Do not trust this computer for delegation” to disable.
  • Select “Kerberos only” if you do not want to allow and Add only specific services which is required for the delegation.

It’s not recommended to use unconstrained. You can disable or limited to specific server/service to limit the risk.

Recommendation:

 

Enable “Account is sensitive and cannot be delegated”  for all the critical accounts.
Disable unconstrained delegation or limit the server/service.
Use strong passwords for service accounts trusted for delegation.

Note: Before making the changes evaluate the infrastructure and test.

 5,630 total views,  7 views today

Leave a Reply

Your email address will not be published. Required fields are marked *