Updates to TGT delegation across incoming trusts in Windows Server

Applies to: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and later versions of Windows Server

Summary


Forest trusts provide a secure way for resources in an Active Directory forest to trust identities from another forest. This trust is directional. A trusted forest can authenticate users to the trusting forest without allowing the reverse to occur.

Windows Server 2012 introduced Enforcement for Forest Boundary for Kerberos Full Delegation. This feature enables an administrator of a trusted forest to allow or deny, per trust, the delegation of its users' Ticket-Granting Tickets (TGTs) to services in a trusting forest.

The default configuration for this feature is unsafe: when an incoming trust is created, TGT delegation across it is allowed. This lets an attacker who controls a service in the trusting forest obtain a delegated TGT for an identity from the trusted forest. This condition affects the following versions of Windows Server:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012

Microsoft is releasing a series of hardening updates for the following operating systems:

  • Windows Server 2008 R2
  • Windows Server 2008

Microsoft is also planning to release a security update that is tentatively scheduled for July 9, 2019, to address this issue by adding a new safe default configuration for unconstrained Kerberos delegation across Active Directory forest trusts. The new configuration will also supersede the original unsafe configuration by backporting the feature to all supported versions of Windows Server that are listed in the "Applies to" section. The update may cause compatibility issues with applications that require unconstrained delegation across forest trusts.

For the tentative release dates, see Updates timeline.

Workaround


To work around this issue in a Windows Server version that has the feature, you can block TGT delegation across an incoming trust by setting the netdom flag EnableTGTDelegation to No, as follows:

netdom.exe trust fabrikam.com /domain:contoso.com /EnableTGTDelegation:No

Notes

  • This flag should be set in the trusted domain (such as contoso.com) for each trusting domain (such as fabrikam.com). After the flag is set, the trusted domain will no longer allow TGTs to be delegated to the trusting domain.
  • The secure state is No.
  • Any application or service that relies on unconstrained delegation across forests will fail. For more information about how to detect this failure, see Finding services that rely on unconstrained delegation.
  • For more information about how the tool works, see the Netdom.exe documentation.
  • See Updates timeline for a timeline of changes that affect how this workaround can be applied.

If the netdom flag cannot be set on a trust, you can mitigate risk by enabling Windows Defender Credential Guard on client computers. This prevents all unconstrained delegation from a computer that has Windows Defender Credential Guard enabled and running.

For more information about this procedure, see the following Windows IT Pro Center article:

Protect derived domain credentials with Windows Defender Credential Guard

Updates timeline


March 12, 2019

The enforcement for forest boundary for Kerberos full delegation will be available as an update to enable this feature on all supported versions of Windows Server that are listed in the Applies to section at the top of this article. We recommend that you set the feature on incoming forest trusts.

The update will add the feature to the following systems:

  • Windows Server 2008 R2
  • Windows Server 2008
     

May 14, 2019

An update will be released to add a new safe default configuration. If you require delegation across trusts, set the EnableTGTDelegation flag to Yes on those trusts before the final update is installed. If you do not require delegation across trusts, you do not need to set the flag. Until the final update is installed, existing trusts keep their original behavior, so you can set the flag to No on a trust ahead of time to verify whether enforcing the new default will cause compatibility issues.

As a part of the update, the EnableTGTDelegation flag will be set to No by default for any newly created trusts. This is the opposite of the previous behavior.

For more information about how to detect compatibility issues, see Finding services that rely on unconstrained delegation.

July 9, 2019

An update will be released that enforces the new default behavior on existing incoming trusts. To enable delegation across trusts and return to the original unsafe configuration, set the EnableTGTDelegation flag to Yes.

Finding services that rely on unconstrained delegation


To scan for forests that have incoming trusts that allow TGT delegation, and to find any security principals that allow unconstrained delegation, run the following PowerShell scripts in a script file (for example, Get-RiskyServiceAccountsByTrust.ps1 -Collect):

Note You can also pass the -ScanAll flag to search across trusts that do not allow TGT delegation.
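The script itself is not reproduced on this page. The following PowerShell is an added example written for this article, not Microsoft's Get-RiskyServiceAccountsByTrust.ps1. It does what the scan above describes: it enumerates the trusts on which the local domain is the trusted side, reports the EnableTGTDelegation state of each (from the Workaround section) by reading the trustAttributes bits, and then queries each trusting partner domain for principals that have unconstrained delegation set. It assumes the ActiveDirectory RSAT module is available and that your account can read the partner domains over the trust (pass -Credential otherwise); the function names and the -ScanAll switch are this example's own.

```powershell
Import-Module ActiveDirectory

# trustAttributes bits (MS-ADTS): 0x800 enables TGT delegation across the
# trust (EnableTGTDelegation:Yes), 0x200 denies it (EnableTGTDelegation:No).
# Neither bit set is the unsafe pre-update default.
$ENABLE_TGT_DELEGATION = 0x800
$NO_TGT_DELEGATION     = 0x200
# userAccountControl bit TRUSTED_FOR_DELEGATION marks unconstrained delegation.
$UF_TRUSTED_FOR_DELEGATION = 0x80000

function Get-TgtDelegationState {
    param([int]$TrustAttributes)
    if ($TrustAttributes -band $ENABLE_TGT_DELEGATION) { return 'Yes' }
    if ($TrustAttributes -band $NO_TGT_DELEGATION)     { return 'No' }
    return 'NotSet'    # unsafe default before the hardening updates
}

function Get-RiskyPrincipalsByTrust {
    param(
        [switch]$ScanAll,            # also scan partners whose trust denies TGT delegation
        [pscredential]$Credential    # credentials accepted by the partner domain, if needed
    )
    # Inbound/BiDirectional trusts are the ones on which this domain is the
    # trusted side: the partner accepts our users, so its services can receive
    # their forwarded TGTs.
    $trusts = Get-ADTrust -Filter * -Properties TrustAttributes |
        Where-Object { $_.Direction -in 'Inbound', 'BiDirectional' }

    foreach ($trust in $trusts) {
        $state = Get-TgtDelegationState -TrustAttributes $trust.TrustAttributes
        if ($state -eq 'No' -and -not $ScanAll) { continue }

        # Principals in the partner domain with unconstrained delegation.
        # Domain controllers (primaryGroupID 516) and RODCs (521) carry the
        # bit by design and are excluded.
        $ldap = "(&(userAccountControl:1.2.840.113556.1.4.803:=$UF_TRUSTED_FOR_DELEGATION)" +
                "(!(primaryGroupID=516))(!(primaryGroupID=521)))"
        $query = @{ Server = $trust.Target; LDAPFilter = $ldap; Properties = 'sAMAccountName' }
        if ($Credential) { $query['Credential'] = $Credential }

        Get-ADObject @query | ForEach-Object {
            [pscustomobject]@{
                domain              = $trust.Target
                sAMAccountName      = $_.sAMAccountName
                objectClass         = $_.ObjectClass
                EnableTGTDelegation = $state
            }
        }
    }
}

# Usage:
#   Get-RiskyPrincipalsByTrust | Format-Table -AutoSize
#   Get-RiskyPrincipalsByTrust -ScanAll -Credential (Get-Credential)
```

Run it in the forest root domain of the trusted forest, because forest trusts are defined there. Every row with EnableTGTDelegation equal to NotSet is a trust that still has the unsafe default and is a candidate for the netdom command in the Workaround section; the principals listed for it are the services that would have to be moved to constrained delegation first.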

The output of the PowerShell scripts lists the Active Directory security principals that have unconstrained delegation configured in domains that have an incoming trust from the executing domain. The output will resemble the following example.

domain                  sAMAccountName    objectClass
partner.fabrikam.com    dangerous         user
partner.fabrikam.com    labsrv$           computer

Detecting unconstrained delegation through Windows events

When a Kerberos ticket is issued, an Active Directory domain controller logs the following security events. The events contain information about the target domain. You can use the events to determine whether unconstrained delegation is being used across incoming trusts.

Note Check for events that contain a TargetDomainName value that matches the trusted domain name.

Event log    Event source                           Event ID    Details
Security     Microsoft-Windows-Security-Auditing    4768        A Kerberos TGT was issued.
Security     Microsoft-Windows-Security-Auditing    4769        A Kerberos Service Ticket was issued.
Security     Microsoft-Windows-Security-Auditing    4770        A Kerberos Service Ticket was renewed.
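The following PowerShell is an added example, not part of the article, that applies the note above: it reads events 4768, 4769 and 4770 from a domain controller's Security log and keeps those whose TargetDomainName matches the trusted domain. It assumes the ActiveDirectory-joined machine you run it from can read the DC's event log remotely; the function name and parameter names are this example's own, and contoso.com is the trusted domain from the Workaround section.

```powershell
function Get-CrossTrustKerberosEvents {
    param(
        [Parameter(Mandatory)][string]$TrustedDomain,      # e.g. contoso.com
        [string]$ComputerName = $env:COMPUTERNAME,         # a domain controller
        [datetime]$StartTime  = (Get-Date).AddDays(-1)
    )
    # TargetDomainName is logged either as the Kerberos realm (CONTOSO.COM)
    # or as the NetBIOS name (CONTOSO), so accept both forms.
    $names = @($TrustedDomain, ($TrustedDomain -split '\.')[0])

    $filter = @{
        LogName      = 'Security'
        ProviderName = 'Microsoft-Windows-Security-Auditing'
        Id           = 4768, 4769, 4770
        StartTime    = $StartTime
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The EventData fields are easiest to read from the XML rendering.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            if ($data['TargetDomainName'] -and ($names -icontains $data['TargetDomainName'])) {
                [pscustomobject]@{
                    TimeCreated      = $_.TimeCreated
                    EventId          = $_.Id
                    TargetDomainName = $data['TargetDomainName']
                    TargetUserName   = $data['TargetUserName']
                    ServiceName      = $data['ServiceName']
                    IpAddress        = $data['IpAddress']
                    TicketOptions    = $data['TicketOptions']
                }
            }
        }
}

# Usage (repeat for each domain controller):
#   Get-CrossTrustKerberosEvents -TrustedDomain contoso.com -ComputerName dc01 | Format-Table
```

The events alone show that identities from the trusted domain are obtaining tickets, not by themselves that a TGT was delegated. Correlate the ServiceName and IpAddress columns with the accounts and hosts reported by the unconstrained-delegation scan above to isolate the traffic that the netdom change will break.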

Troubleshooting authentication failures

When TGT delegation across a trust is disabled, applications that rely on unconstrained delegation across that trust stop working. Reconfigure these applications to use constrained delegation or resource-based constrained delegation. For more information, see Kerberos Constrained Delegation Overview.

Applications that rely on round-trip authentication across trusts are not supported with constrained delegation. For example, delegation fails if a user in Forest A authenticates to an application in Forest B, and the application in Forest B then tries to delegate a ticket back to a resource in Forest A.
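As an added example of the reconfiguration described above (not from the article or from Microsoft), the following PowerShell moves a hypothetical front-end server WEBSRV01 off unconstrained delegation and grants it resource-based constrained delegation to the single back end, SQLSRV01, that it actually needs. Both computers are in the same forest; the host names and the function name are assumptions, and the ActiveDirectory RSAT module is required.

```powershell
Import-Module ActiveDirectory

function Convert-ToResourceBasedDelegation {
    param(
        [Parameter(Mandatory)][string]$FrontEnd,   # computer that currently has unconstrained delegation
        [Parameter(Mandatory)][string]$BackEnd     # resource the front end actually needs to reach
    )
    $front = Get-ADComputer -Identity $FrontEnd
    $back  = Get-ADComputer -Identity $BackEnd

    # 1. Clear TRUSTED_FOR_DELEGATION on the front end so it no longer
    #    collects forwarded TGTs from any user, local or across a trust.
    Set-ADAccountControl -Identity $front -TrustedForDelegation $false

    # 2. On the resource, allow only the front end to act on behalf of users.
    #    This writes msDS-AllowedToActOnBehalfOfOtherIdentity on the back end.
    Set-ADComputer -Identity $back -PrincipalsAllowedToDelegateToAccount $front

    # 3. Return the resulting state so the change can be verified.
    [pscustomobject]@{
        FrontEnd               = $front.Name
        UnconstrainedRemaining = (Get-ADComputer $front -Properties TrustedForDelegation).TrustedForDelegation
        AllowedOnBackEnd       = (Get-ADComputer $back -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount
    }
}

# Usage: Convert-ToResourceBasedDelegation -FrontEnd WEBSRV01 -BackEnd SQLSRV01
# Expected: UnconstrainedRemaining is False and AllowedOnBackEnd lists WEBSRV01.
```

If the front-end service runs under a domain user account rather than the computer account, apply the same two steps to that account (Set-ADAccountControl and Set-ADUser -PrincipalsAllowedToDelegateToAccount). Purge the cached tickets on the front end afterwards (klist purge in the service's logon session) so that it stops using tickets obtained under the old configuration. The round-trip limitation above still applies: this pattern covers a front end delegating forward to a back end, not a service delegating back into the user's own forest.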