
Updates to TGT delegation across incoming trusts in Windows Server

Summary


Forest trusts provide a secure way for resources in an Active Directory forest to trust identities from another forest. This trust is directional. A trusted forest can authenticate users to the trusting forest without allowing the reverse to occur.

Windows Server 2012 introduced Enforcement for Forest Boundary for Kerberos Full Delegation. This feature enables an administrator of a trusted forest to allow or deny delegation of its users' Ticket-Granting Tickets (TGTs) to services in the trusting forest.

The default configuration for this feature is unsafe when incoming trusts are created, because it lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest: a server in the trusting forest that is trusted for unconstrained delegation receives a forwarded TGT of any trusted-forest user who authenticates to it, and can then act as that user in the trusted forest. This condition affects the following versions of Windows Server:

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012

Microsoft is releasing a series of hardening updates for the following operating systems, which predate the feature:

  • Windows Server 2008 R2
  • Windows Server 2008

Microsoft is also planning to release a security update, tentatively scheduled for July 9, 2019, that addresses this issue by adding a new safe default configuration for unconstrained Kerberos delegation across Active Directory forest trusts. The new configuration will supersede the original unsafe one, and the feature will be backported to all supported versions of Windows Server listed in the “Applies to” section. The update may cause compatibility issues with applications that require unconstrained delegation across forest trusts.

For the tentative release dates, see Updates timeline.
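The compatibility caveat above can be scoped before anything changes: the applications that will break are the ones running under accounts that are trusted for unconstrained delegation. The PowerShell below is an added example, not a script from the article or from Microsoft. It lists every account in a domain whose userAccountControl has the TRUSTED_FOR_DELEGATION bit set, so the list can be reviewed in each forest of the trust relationship (above all the trusting forest, where the services that receive delegated TGTs live). It assumes the RSAT ActiveDirectory module is installed; the function name Get-UnconstrainedDelegationAccount is my own.

```powershell
# Added example (not part of the KB text): inventory accounts that rely on
# unconstrained Kerberos delegation. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# userAccountControl bit ADS_UF_TRUSTED_FOR_DELEGATION = unconstrained delegation.
# Constrained delegation (msDS-AllowedToDelegateTo) does not set this bit and is
# not affected by the TGT delegation change, so it is deliberately not listed.
$ADS_UF_TRUSTED_FOR_DELEGATION = 0x80000

# Domain controllers are trusted for delegation by default and are expected;
# they are identified by primary group RID (516 = Domain Controllers,
# 521 = Read-only Domain Controllers).
$DC_PRIMARY_GROUP_RIDS = @(516, 521)

function Get-UnconstrainedDelegationAccount {
    param(
        # Domain to query; defaults to the domain of the current session.
        [string]$Domain = (Get-ADDomain).DNSRoot,
        # Domain controllers are hidden unless explicitly requested.
        [switch]$IncludeDomainControllers
    )

    # LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests the UAC bit
    # server-side, so only matching objects (users, computers, gMSAs) come back.
    $ldapFilter = "(userAccountControl:1.2.840.113556.1.4.803:=$ADS_UF_TRUSTED_FOR_DELEGATION)"

    Get-ADObject -Server $Domain -LDAPFilter $ldapFilter `
        -Properties userAccountControl, servicePrincipalName, primaryGroupID, sAMAccountName |
    ForEach-Object {
        $isDc = $_.primaryGroupID -in $DC_PRIMARY_GROUP_RIDS
        if ($isDc -and -not $IncludeDomainControllers) { return }

        [pscustomobject]@{
            SamAccountName     = $_.sAMAccountName
            ObjectClass        = $_.ObjectClass
            IsDomainController = $isDc
            UserAccountControl = ('0x{0:X}' -f [int]$_.userAccountControl)
            # The SPNs tell you which service (HTTP/, MSSQLSvc/, ...) will break.
            SPNs               = ($_.servicePrincipalName -join '; ')
            DistinguishedName  = $_.DistinguishedName
        }
    }
}

# Run in each forest; any non-DC entry is a candidate for migration to
# constrained or resource-based constrained delegation before the change lands.
Get-UnconstrainedDelegationAccount | Format-Table -AutoSize -Wrap
```

Each non-DC hit should be checked against the applications that actually use it across the forest boundary; an account that only delegates inside its own forest keeps working after the hardening.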

Workaround


To work around this issue in a Windows Server version that has the feature, block TGT delegation across an incoming trust by setting the netdom flag EnableTGTDelegation to No, as follows:

netdom.exe trust fabrikam.com /domain:contoso.com /EnableTGTDelegation:No

Notes

  • Set this flag in the trusted domain (contoso.com in the example) for each trusting domain (fabrikam.com in the example). After the flag is set, the trusted domain no longer allows its TGTs to be delegated to the trusting domain.
  • The secure state is No.
  • Any application or service that relies on unconstrained delegation across forests will fail. For more information about how to detect this failure, see Finding services that rely on unconstrained delegation.
  • For more information about how the tool works, see the Netdom.exe documentation.
  • See Updates timeline for a timeline of changes that affect how this workaround can be applied.
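Before running netdom against each trust by hand, it helps to know which trusts are actually exposed. The PowerShell below is an added example rather than a script from the article or from Microsoft. Run in the trusted domain (contoso.com in the text), it reports every inbound trust that still allows TGT delegation and prints the netdom command in the form shown above that closes it. It assumes the RSAT ActiveDirectory module; the trustAttributes bit values are the TRUST_ATTRIBUTE_CROSS_ORGANIZATION_* constants defined in MS-ADTS, and the function name Get-TgtDelegationExposure is my own.

```powershell
# Added example (not part of the KB text): find inbound trusts of the current
# (trusted) domain that still permit TGT delegation to the trusting side.
# Assumes the RSAT ActiveDirectory module; reading trustedDomain objects needs
# no special rights.
Import-Module ActiveDirectory

# trustAttributes bits (TRUST_ATTRIBUTE_* constants from MS-ADTS).
# Builds without the hardening block delegation only when NO_TGT_DELEGATION
# (0x200) is set; the hardened default instead requires ENABLE_TGT_DELEGATION
# (0x800) before delegation is allowed.
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION     = 0x200
$TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x800

function Get-TgtDelegationExposure {
    param(
        # Trusted domain whose trusts are examined; defaults to the current one.
        [string]$TrustedDomain = (Get-ADDomain).DNSRoot
    )

    Get-ADTrust -Server $TrustedDomain -Filter * | ForEach-Object {
        $attrs = [int]$_.TrustAttributes
        # "Incoming" here means the partner trusts us, so our users' TGTs can
        # flow to services in the partner (trusting) domain.
        $incoming = "$($_.Direction)" -in @('Inbound', 'BiDirectional')
        # Intra-forest trusts are out of scope: the feature governs the forest boundary.
        $exposed  = $incoming -and -not $_.IntraForest -and [bool]$_.TGTDelegation

        # Same shape as the command in the article: trusting domain first,
        # trusted domain after /domain:, executed in the trusted domain.
        $remediation = ''
        if ($exposed) {
            $remediation = "netdom.exe trust $($_.Name) /domain:$TrustedDomain /EnableTGTDelegation:No"
        }

        [pscustomobject]@{
            TrustingDomain            = $_.Name
            Direction                 = "$($_.Direction)"
            ForestTransitive          = $_.ForestTransitive
            TGTDelegation             = [bool]$_.TGTDelegation
            NoTgtDelegationBitSet     = [bool]($attrs -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION)
            EnableTgtDelegationBitSet = [bool]($attrs -band $TRUST_ATTRIBUTE_CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION)
            Exposed                   = $exposed
            Remediation               = $remediation
        }
    }
}

Get-TgtDelegationExposure | Format-Table -AutoSize -Wrap
```

The two bit columns show which default the domain controller is applying: on a pre-update controller a trust with neither bit set is exposed, whereas after the July 2019 change the same trust is safe unless the 0x800 bit has been explicitly set. Re-run the function after applying netdom to confirm TGTDelegation reads False for every inbound forest trust.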

If the netdom flag cannot be set on a trust, you can reduce the risk by enabling Windows Defender Credential Guard on client computers. A computer that has Windows Defender Credential Guard enabled and running does not forward its users' TGTs, which prevents all unconstrained delegation from that computer. Note that this protects only the users who sign in from such computers; it does not change the trust itself.

For more information about this procedure, see the following Windows IT Pro Center article:

Protect derived domain credentials with Windows Defender Credential Guard
