Change coming in July 2019

Articles:

https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/Changes-to-Ticket-Granting-Ticket-TGT-Delegation-Across-Trusts/ba-p/440261


KB 4490425:

https://support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server


Workaround:

To determine whether any applications or accounts are using the unsafe delegation, use the following resources:

  • PowerShell
    • A single PowerShell command run against the trusts shows whether the flag is set on each inbound trust. Run it from the forest that has the inbound trust:
      Get-ADTrust -Filter {Direction -eq "Inbound"} | ft Name,TGTDelegation


      The value returned by this command is counterintuitive, the opposite of what you might expect:

      • FALSE – A return of false means that the delegation is enabled and is in the unsafe state.
      • TRUE – A return of true indicates that the delegation is disabled and is in the safe state.
    • A script has been created that can scan forests that have incoming trusts that allow TGT delegation.
    • Refer to this support article for the PowerShell code:
      KB4490425 – Updates to TGT delegation across incoming trusts in Windows Server
    • Copy and paste the code from the support article into a file named Get-RiskyServiceAccountsByTrust.ps1
    • The script accepts two switches:
      • -Collect outputs any principals that have unconstrained delegation.
        .\Get-RiskyServiceAccountsByTrust.ps1 -Collect

      • -Collect -ScanAll outputs security principals that have unconstrained delegation and also searches across trusts that do not allow TGT delegation.
        .\Get-RiskyServiceAccountsByTrust.ps1 -Collect -ScanAll


      Example of output: [screenshot PoSHOutput.jpg, not reproduced here]

  • Event Viewer/Event Logs
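The following script pulls the PowerShell checks above into one place. It is an added example written for this page, not code from KB4490425 or from the linked articles: it translates the counterintuitive TGTDelegation value into an explicit safe/unsafe label, and it flags accounts whose userAccountControl carries the TRUSTED_FOR_DELEGATION bit (0x80000), which is what "unconstrained delegation" means at the directory level. It goes slightly beyond the page's own command by also considering BiDirectional trusts, since those have an inbound component. The function names, the sample trust and account objects, and the domain names are all constructed for the example; the live queries at the bottom are commented out and assume the ActiveDirectory module on a domain-joined host.

```powershell
# Added example (not from the KB or the techcommunity article).
# Classifies trusts by their TGTDelegation value and finds accounts trusted
# for unconstrained delegation. Sample data is constructed so the logic runs
# offline; the live queries at the bottom are optional.

$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl: "Trusted for delegation"
$SERVER_TRUST_ACCOUNT   = 0x2000    # userAccountControl: domain controller computer account

function Get-TgtDelegationState {
    # Get-ADTrust reports TGTDelegation = $false when TGT delegation across
    # the trust is still allowed (unsafe) and $true when it is blocked (safe).
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Trust
    )
    process {
        foreach ($t in $Trust) {
            # Only trusts with an inbound component matter for this check.
            if ($t.Direction -notin @('Inbound', 'BiDirectional')) { continue }
            if ([bool]$t.TGTDelegation) { $state = 'Safe: TGT delegation blocked' }
            else                        { $state = 'Unsafe: TGT delegation allowed' }
            [pscustomobject]@{
                Name          = $t.Name
                Direction     = $t.Direction
                TGTDelegation = [bool]$t.TGTDelegation
                State         = $state
            }
        }
    }
}

function Find-UnconstrainedDelegation {
    # Returns accounts with TRUSTED_FOR_DELEGATION set. Domain controllers
    # legitimately carry the bit, so they are marked rather than hidden.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Account
    )
    process {
        foreach ($a in $Account) {
            $uac = [int]$a.userAccountControl
            if (($uac -band $TRUSTED_FOR_DELEGATION) -eq 0) { continue }
            [pscustomobject]@{
                SamAccountName     = $a.SamAccountName
                ObjectClass        = $a.ObjectClass
                IsDomainController = (($uac -band $SERVER_TRUST_ACCOUNT) -ne 0)
            }
        }
    }
}

# Constructed sample objects shaped like Get-ADTrust / Get-ADObject output.
$sampleTrusts = @(
    [pscustomobject]@{ Name = 'partner.example';    Direction = 'Inbound';       TGTDelegation = $false }
    [pscustomobject]@{ Name = 'subsidiary.example'; Direction = 'BiDirectional'; TGTDelegation = $true  }
    [pscustomobject]@{ Name = 'vendor.example';     Direction = 'Outbound';      TGTDelegation = $false }
)
$sampleAccounts = @(
    [pscustomobject]@{ SamAccountName = 'DC01$';      ObjectClass = 'computer'; userAccountControl = 0x82000   }  # DC, unconstrained
    [pscustomobject]@{ SamAccountName = 'svc-legacy'; ObjectClass = 'user';     userAccountControl = 0x80200   }  # unconstrained
    [pscustomobject]@{ SamAccountName = 'svc-web';    ObjectClass = 'user';     userAccountControl = 0x1000200 }  # constrained w/ protocol transition, not reported
)

$sampleTrusts   | Get-TgtDelegationState       | Format-Table -AutoSize
$sampleAccounts | Find-UnconstrainedDelegation | Format-Table -AutoSize

# Live equivalents (ActiveDirectory module, domain-joined host):
# Get-ADTrust -Filter * | Get-TgtDelegationState
# Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
#     -Properties SamAccountName,userAccountControl | Find-UnconstrainedDelegation
```

With the sample data, partner.example is reported as unsafe, subsidiary.example as safe, and the outbound vendor.example is skipped; DC01$ and svc-legacy are listed as unconstrained (DC01$ marked as a domain controller), while svc-web is not, because TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000) is constrained delegation, not the unconstrained form this change targets. The commented LDAP filter uses the LDAP_MATCHING_RULE_BIT_AND matching rule so the directory does the bit test server-side.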
