Unconstrained delegation was introduced in Windows 2000 Server as a mechanism to let users authenticate to a web server via Kerberos and have that web server update records in a back-end database on their behalf. This is commonly referred to as the "Kerberos double hop issue", and it requires delegation so the web server can impersonate the user when modifying database records.
<aside> ⚠️ When set on a particular service or computer account, unconstrained delegation allows that account to delegate to any service on any resource in the domain as the user.
</aside>
When unconstrained delegation is enabled, the Domain Controller places the user's TGT inside the TGS (step 4 in the previous diagram). When that TGS is presented to the server configured for unconstrained delegation, the TGT is extracted from it and stored in LSASS. The server can then reuse the user's TGT to access any other resource as that user (the SQL server in this example).
But the web service can do even more: with the cached TGT it can request access to any other server in the domain as well.
❗ This could be used to escalate privileges if the computer with unconstrained delegation (TrustedForDelegation = TRUE) is compromised and a Domain Admin subsequently connects to that machine.
Remember that Kerberos unconstrained delegation gives the ability to impersonate any user whose account does not have "Account is sensitive and cannot be delegated" set, and from any computer that is not configured with "Do not trust this computer for delegation".
Discover domain computers (and user accounts) that have unconstrained delegation enabled.
Using PowerView:
Get-DomainComputer -UnConstrained
Using ActiveDirectory module:
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Get-ADUser -Filter {TrustedForDelegation -eq $True}
Then compromise the server where Unconstrained delegation is enabled.
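As a defensive complement to the discovery commands above, here is an added audit script (not part of the original notes) that lists non-DC computers and user accounts with TrustedForDelegation set, plus Domain Admins that lack the "Account is sensitive and cannot be delegated" flag and are not members of Protected Users. It assumes the ActiveDirectory module and read access to the domain; the function names are my own.

```powershell
# Added audit example, not from the original notes. Assumes the ActiveDirectory
# module is available and the caller can read the domain. Domain controllers are
# excluded because they hold unconstrained delegation by design.
Import-Module ActiveDirectory

function Get-UnconstrainedDelegationHosts {
    # Non-DC computers with the flag set (PrimaryGroupID 516 = Domain Controllers, 521 = RODCs)
    Get-ADComputer -Filter { TrustedForDelegation -eq $true } `
        -Properties TrustedForDelegation, PrimaryGroupID, OperatingSystem, LastLogonDate |
        Where-Object { $_.PrimaryGroupID -notin 516, 521 } |
        Select-Object Name, OperatingSystem, LastLogonDate, DistinguishedName
}

function Get-UnconstrainedDelegationUsers {
    # User (service) accounts with unconstrained delegation are rarer and higher risk
    Get-ADUser -Filter { TrustedForDelegation -eq $true } `
        -Properties TrustedForDelegation, ServicePrincipalName |
        Select-Object SamAccountName, ServicePrincipalName, DistinguishedName
}

function Get-DelegatableAdmins {
    # Domain Admins whose TGT could be cached on an unconstrained host: neither
    # "Account is sensitive and cannot be delegated" (AccountNotDelegated) nor
    # Protected Users membership. Protected Users may not exist on older domains.
    $protected = @((Get-ADGroupMember -Identity 'Protected Users' -Recursive `
                    -ErrorAction SilentlyContinue).DistinguishedName)
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties AccountNotDelegated |
        Where-Object { -not $_.AccountNotDelegated -and ($_.DistinguishedName -notin $protected) } |
        Select-Object SamAccountName, AccountNotDelegated, DistinguishedName
}

$hosts  = @(Get-UnconstrainedDelegationHosts)
$users  = @(Get-UnconstrainedDelegationUsers)
$admins = @(Get-DelegatableAdmins)

"Non-DC computers with unconstrained delegation: $($hosts.Count)"
$hosts | Format-Table -AutoSize
"User accounts with unconstrained delegation: $($users.Count)"
$users | Format-Table -AutoSize
"Domain Admins still delegatable (set AccountNotDelegated or add to Protected Users): $($admins.Count)"
$admins | Format-Table -AutoSize
```

Any non-DC host in the first list is a candidate for constrained or resource-based delegation instead, and any account in the third list should be marked sensitive or moved into Protected Users so its TGT is never cached on such a host.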