The server that can impersonate anyone
A host with unconstrained delegation caches the Kerberos ticket-granting ticket of every account that authenticates to it, including a domain controller you can coerce into connecting. Here is how that becomes domain compromise, and how to remove it.
A legacy checkbox set years ago can hand an attacker the keys to the domain in minutes.
What it is
A computer trusted for unconstrained delegation (the TRUSTED_FOR_DELEGATION flag in its userAccountControl attribute) receives and caches a forwarded ticket-granting ticket (TGT) for any account that authenticates to it with Kerberos, so it can act as that account against any service in the forest. An attacker with administrative control of such a host coerces a domain controller into authenticating to it, pulls the DC machine account's TGT out of LSASS memory, and uses it as the DC. Domain controller computer accounts hold directory replication rights, so that one ticket is enough for DCSync, which returns every account's password hash and with it the whole domain. In ATT&CK terms this is T1558 (Steal or Forge Kerberos Tickets) chained with T1187 (Forced Authentication).
Why it works
Nothing here exploits a bug. When a client asks the KDC for a service ticket to a host marked trusted for delegation, the KDC sets the ok-as-delegate flag on the ticket, and the Windows Kerberos client obliges by sending a forwarded copy of the caller's own TGT along with it. The host keeps that TGT in LSASS so it can request tickets on the caller's behalf, which is exactly the feature the legacy application wanted years ago. Getting a domain controller to connect is the easy part: any authenticated user can make a DC authenticate to a host of their choosing through RPC interfaces such as the Print Spooler (MS-RPRN) or EFS (MS-EFSR), and as long as the target is addressed by a name the DC can resolve to an SPN, the DC uses Kerberos and forwards its machine account TGT. Machine accounts cannot be put in Protected Users, so nothing stops that forwarding. A captured domain-controller TGT is the keys to the domain.
How to detect it
Start with inventory. Query the directory for every object carrying the TRUSTED_FOR_DELEGATION flag and exclude domain controllers, which are unconstrained by design; what remains is a standing risk to fix, not just a list to watch. Then watch for coercion: a network logon (event 4624, logon type 3, Kerberos) by a domain controller's machine account on a host that is not a domain controller is rare in a tiered environment and should be alerted on, once the few legitimate cases such as backup or monitoring agents have been baselined. Finally, look for ticket misuse, above all replication (event 4662 carrying the DS-Replication-Get-Changes-All right) requested from an address that is not a domain controller.
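The inventory and the coercion check, as an added PowerShell example that is not part of the original post or of GraphLattice Range. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the directory and the Security log, and that the check runs on (or against forwarded logs from) the suspect unconstrained host. Function names are the author's own.

```powershell
# Added example, not GraphLattice code. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bits, matched with the LDAP bitwise-AND rule OID 1.2.840.113556.1.4.803
$TRUSTED_FOR_DELEGATION = 0x80000   # 524288: unconstrained delegation
$SERVER_TRUST_ACCOUNT   = 0x2000    # 8192: domain controller, unconstrained by design, so excluded

function Get-UnconstrainedDelegation {
    # Every user or computer object that is trusted for unconstrained delegation and is not a DC.
    # In a clean domain this returns nothing; every row is a standing risk to remediate.
    $filter = "(&(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=$SERVER_TRUST_ACCOUNT)))"
    Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, objectClass, operatingSystem,
                                                 servicePrincipalName, whenChanged |
        Select-Object sAMAccountName, objectClass, operatingSystem, whenChanged,
            @{ n = 'SPNs'; e = { ($_.servicePrincipalName | Select-Object -First 3) -join '; ' } } |
        Sort-Object objectClass, sAMAccountName
}

function Find-DcLogonOnMemberHost {
    # Network logons (type 3) by a DC machine account in the local Security log. A DC has no
    # ordinary reason to authenticate to a member server; a hit on an unconstrained host means
    # its TGT is probably sitting in LSASS right now. Baseline legitimate agents before alerting.
    param([int]$Hours = 24)

    $dcAccounts = (Get-ADDomainController -Filter *).Name | ForEach-Object { "$_`$" }

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4624 fields live in EventData; pull them out of the event XML by name.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = $d.TargetUserName
                LogonType = $d.LogonType
                Package   = $d.AuthenticationPackageName
                Source    = $d.IpAddress
            }
        } |
        Where-Object { $_.LogonType -eq '3' -and $dcAccounts -contains $_.Account }
}

# Usage: run the inventory from any admin workstation, the logon check on each unconstrained host.
Get-UnconstrainedDelegation | Format-Table -AutoSize
Find-DcLogonOnMemberHost -Hours 24 | Format-Table -AutoSize
```

The LDAP filter is deliberately written against userAccountControl rather than the friendlier TrustedForDelegation property so that it catches user objects (service accounts) as well as computers; both can be trusted for unconstrained delegation, and the user case is the one inventories tend to miss.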
The fix that holds
Remove unconstrained delegation wherever you can: clear the flag and, where an application really must act as its users, replace it with constrained delegation to the specific backend SPNs or with resource-based constrained delegation configured on the backend. Do not tick "use any authentication protocol" while you are there; protocol transition lets the front end mint tickets for users who never authenticated to it. Flag privileged accounts "Account is sensitive and cannot be delegated" and put them in Protected Users, which stops their TGTs from being forwarded at all. That does not cover domain controller machine accounts, so also close the coercion vectors: disable the Print Spooler on domain controllers and keep them patched for EFSRPC and similar forced-authentication bugs. Finally, tier the admin model so that a domain controller, or a Tier 0 administrator, never has a reason to authenticate to a host outside Tier 0. Tickets already cached on a de-delegated host survive until they expire or the machine reboots, so restart it once the flag is cleared.
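The remediation as an added PowerShell example, again the author's own rather than the original post's or GraphLattice's. Host names (APP01, SQL01), the backend SPN, and the choice to protect Domain Admins members are hypothetical; the cmdlets and flags are the standard RSAT ActiveDirectory ones.

```powershell
# Added example, not GraphLattice code. Hypothetical names: APP01 (front end), SQL01 (backend).
Import-Module ActiveDirectory

# 1. Clear unconstrained delegation. Once TRUSTED_FOR_DELEGATION is gone the KDC stops marking
#    APP01's service tickets ok-as-delegate, so clients stop forwarding their TGTs to it.
Set-ADComputer -Identity 'APP01' -TrustedForDelegation $false

# 2. If APP01 genuinely needs to act as its users against SQL01, scope that to SQL01 alone.
#    Resource-based constrained delegation is set on the resource (SQL01), naming the front end:
$frontEnd = Get-ADComputer -Identity 'APP01'
Set-ADComputer -Identity 'SQL01' -PrincipalsAllowedToDelegateToAccount $frontEnd
#    Classic, KDC-enforced constrained delegation is the alternative, set on the front end.
#    Leave TrustedToAuthForDelegation (protocol transition) off; it is a separate abuse path.
# Set-ADComputer -Identity 'APP01' -Add @{ 'msDS-AllowedToDelegateTo' = 'MSSQLSvc/sql01.corp.example:1433' }
# Set-ADComputer -Identity 'APP01' -TrustedToAuthForDelegation $false

# 3. Accounts that must never be delegated: set NOT_DELEGATED (0x100000) and add them to
#    Protected Users, which also refuses to forward their TGTs. Protected Users additionally
#    disables NTLM, RC4 and long-lived TGTs for the member, so never add service or computer
#    accounts, and test before rolling out. Domain Admins is used here as a hypothetical policy.
$sensitive = Get-ADGroupMember -Identity 'Domain Admins' | Where-Object objectClass -eq 'user'
foreach ($acct in $sensitive) {
    Set-ADUser -Identity $acct.SamAccountName -AccountNotDelegated $true
    Add-ADGroupMember -Identity 'Protected Users' -Members $acct -ErrorAction SilentlyContinue
}

# 4. Coercion vectors: machine accounts cannot join Protected Users, so stop DCs from being
#    coercible instead. The Print Spooler has no business running on a domain controller.
$dcs = (Get-ADDomainController -Filter *).HostName
Invoke-Command -ComputerName $dcs -ScriptBlock {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
}

# 5. Verify: the only objects still trusted for unconstrained delegation should be the DCs.
$filter = '(&(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))'
$remaining = Get-ADObject -LDAPFilter $filter | Select-Object -ExpandProperty Name
if ($remaining) { Write-Warning "Still unconstrained: $($remaining -join ', ')" }
else            { Write-Host 'No unconstrained delegation outside domain controllers.' }

# 6. Step 1 does not evict TGTs already cached in APP01's LSASS; they live until they expire
#    or the host restarts. Restart-Computer -ComputerName 'APP01' once the change window allows.
```

Steps 1 and 5 are safe to run as-is; steps 2 through 4 change who can act as whom and what runs on the domain controllers, so treat them as change-controlled work and confirm the application still functions with the scoped delegation before moving on.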
Practice it
We built an unconstrained-delegation scenario in GraphLattice Range so teams learn to find the standing risk and close the coercion-to-DCSync path.