Dangerous Kerberos Delegation



The Kerberos protocol, which is central to Active Directory security, permits select servers to reuse the credentials of users who authenticate to them (delegation). If an attacker compromises one of these servers, they can steal those credentials and use them to authenticate to other resources.


The only accounts using unconstrained delegation should be the domain controller accounts. Administrator accounts should also be protected against every dangerous delegation type.
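One way to audit a domain against the two rules above, as an added example that is not part of the original page: it assumes the RSAT ActiveDirectory module, read access to the domain, and the default privileged group names; the userAccountControl bit values and the LDAP bitwise-AND matching rule OID are the documented ones.

```powershell
# Added audit script (not from the original page); assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
$BIT_AND = '1.2.840.113556.1.4.803'          # LDAP_MATCHING_RULE_BIT_AND

# Domain controllers are the only accounts expected to carry unconstrained delegation.
$dcDNs = (Get-ADDomainController -Filter *).ComputerObjectDN

# 1. Any user or computer with unconstrained delegation that is not a domain controller.
Get-ADObject -LDAPFilter "(userAccountControl:$BIT_AND:=$TRUSTED_FOR_DELEGATION)" `
    -Properties userAccountControl |
    Where-Object { $dcDNs -notcontains $_.DistinguishedName } |
    Select-Object Name, ObjectClass, DistinguishedName

# 2. Accounts with classic constrained delegation, protocol transition, or
#    resource-based constrained delegation configured (review each one).
$cdFilter = "(|(msDS-AllowedToDelegateTo=*)" +
            "(msDS-AllowedToActOnBehalfOfOtherIdentity=*)" +
            "(userAccountControl:$BIT_AND:=$TRUSTED_TO_AUTH_FOR_DELEGATION))"
Get-ADObject -LDAPFilter $cdFilter `
    -Properties msDS-AllowedToDelegateTo, msDS-AllowedToActOnBehalfOfOtherIdentity |
    Select-Object Name, ObjectClass, msDS-AllowedToDelegateTo

# 3. Privileged accounts not protected against delegation: neither the
#    NOT_DELEGATED flag set nor membership in Protected Users.
$protectedUsers = (Get-ADGroupMember 'Protected Users' -Recursive).DistinguishedName
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
    Get-ADGroupMember $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties userAccountControl |
        Where-Object {
            -not ($_.userAccountControl -band $NOT_DELEGATED) -and
            $protectedUsers -notcontains $_.DistinguishedName
        } |
        Select-Object @{n = 'Group'; e = { $group }}, SamAccountName, DistinguishedName
}
```

Every object returned by section 1 and section 3 is a finding under this indicator; section 2 lists delegation that is permitted but should be reviewed against the services it targets.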

See Also

Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain)

Get rid of accounts that use Kerberos Unconstrained Delegation

Abusing Resource-Based Constrained Delegation to Attack Active Directory

Indicator Details

Name: Dangerous Kerberos Delegation


Severity: Critical

MITRE ATT&CK Information:

Tactics: TA0004, TA0003

Attacker Known Tools

HarmJ0y, Elad Shamir: Rubeus