Find and Block Unconstrained Delegation in Active Directory

Kerberos unconstrained delegation was introduced in Windows Server 2000. It was designed to let web servers that receive authentication requests from users impersonate those accounts when updating records on backend database servers. Another way to think of unconstrained delegation is as a mechanism in which a user sends their credentials to a service, and the service then accesses resources on the user’s behalf. When a service impersonates a user account in this way, it is sometimes described as performing a ‘double-hop’.
