H3-2023-0009

Kerberos Unconstrained Delegation

Category SECURITY_MISCONFIGURATION
Base Score 7.1

Description

An Active Directory principal (e.g. a user, machine, or service account) configured with Unconstrained Delegation can impersonate any unprotected domain principal when connecting to ANY service.

Impact

If an attacker obtains authentication material for the principal with Unconstrained Delegation privileges, the attacker could impersonate a domain administrator on any AD-joined device, including Domain Controllers, leading to domain compromise.
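An audit sketch for this finding, added here as an example and not part of the original advisory: it reads exported directory entries, lists non-Domain-Controller principals whose userAccountControl carries TRUSTED_FOR_DELEGATION, and lists privileged accounts that are still delegable. Assumptions: the sample entries are constructed, "privileged" is narrowed to Domain Admins membership, and "unprotected" is taken to mean neither the NOT_DELEGATED flag nor Protected Users membership.

```python
# userAccountControl bit values (Microsoft-documented flags).
ACCOUNTDISABLE = 0x2
SERVER_TRUST_ACCOUNT = 0x2000        # Domain Controller computer account
TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained delegation enabled
NOT_DELEGATED = 0x100000             # "Account is sensitive and cannot be delegated"

# LDAP filter selecting the same accounts server-side (bitwise-AND matching rule).
LDAP_FILTER = ("(&(userAccountControl:1.2.840.113556.1.4.803:=524288)"
               "(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))")

def audit(entries):
    """Return (delegation_principals, exposed_admins) from exported entries."""
    delegating, exposed = [], []
    for e in entries:
        uac = int(e["userAccountControl"])
        if uac & ACCOUNTDISABLE:
            continue  # disabled accounts are skipped in this sketch
        groups = [g.lower() for g in e.get("memberOf", [])]
        # Non-DC principals trusted for unconstrained delegation are the finding.
        if (uac & TRUSTED_FOR_DELEGATION) and not (uac & SERVER_TRUST_ACCOUNT):
            delegating.append(e["sAMAccountName"])
        # Assumption: privileged == member of Domain Admins.
        privileged = any(g.startswith("cn=domain admins,") for g in groups)
        protected = bool(uac & NOT_DELEGATED) or any(
            g.startswith("cn=protected users,") for g in groups)
        if privileged and not protected:
            exposed.append(e["sAMAccountName"])
    return delegating, exposed

# Constructed sample export (names and DNs are illustrative, not from the advisory).
DA = "CN=Domain Admins,CN=Users,DC=example,DC=test"
PU = "CN=Protected Users,CN=Users,DC=example,DC=test"
SAMPLE = [
    {"sAMAccountName": "DC01$", "userAccountControl": 0x82000, "memberOf": []},
    {"sAMAccountName": "WEB01$", "userAccountControl": 0x81000, "memberOf": []},
    {"sAMAccountName": "svc-print", "userAccountControl": 0x80200, "memberOf": []},
    {"sAMAccountName": "old-app$", "userAccountControl": 0x81002, "memberOf": []},
    {"sAMAccountName": "adm-alice", "userAccountControl": 0x200, "memberOf": [DA]},
    {"sAMAccountName": "adm-bob", "userAccountControl": 0x100200, "memberOf": [DA]},
    {"sAMAccountName": "adm-carol", "userAccountControl": 0x200, "memberOf": [DA, PU]},
]

if __name__ == "__main__":
    delegating, exposed = audit(SAMPLE)
    print("Unconstrained delegation (non-DC):", delegating)
    print("Privileged and still delegable:", exposed)
```

Domain Controllers carry TRUSTED_FOR_DELEGATION by default, which is why the check excludes SERVER_TRUST_ACCOUNT instead of reporting them.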

References