From Print Server to Domain Admin: Kerberos Delegation Abuse
Overview
Active Directory delegation is one of the most powerful — and most misunderstood — features in Windows environments. In this post, we walk through how unconstrained delegation on a single print server led to complete domain compromise.
What Is Kerberos Delegation?
Kerberos delegation allows a service to impersonate users when accessing other services on their behalf. Unconstrained delegation is the most dangerous variant: every principal that authenticates to a server trusted for unconstrained delegation sends along a forwardable copy of its TGT, which the server caches in memory, so the server can impersonate any of those users to any service.
The Attack Path
- **Initial Access** — Compromised a workstation via phishing
- **Enumeration** — Identified a print server with unconstrained delegation enabled
- **Coercion** — Used the PrinterBug (MS-RPRN) to force the Domain Controller to authenticate to our compromised print server
- **Capture** — Extracted the DC's TGT from memory using Rubeus
- **DCSync** — Used the captured TGT to perform a DCSync attack, extracting all domain password hashes
Remediation
- Remove unconstrained delegation from all servers
- Migrate to constrained delegation or Resource-Based Constrained Delegation (RBCD)
- Add Domain Controllers to the "Protected Users" group
- Monitor for suspicious TGT requests and DCSync activity
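The following audit script is an added example, not code from the original post. It assumes the RSAT ActiveDirectory PowerShell module and a domain account with read access, and it finds the three things the remediation list above depends on: non-DC hosts trusted for unconstrained delegation, accounts carrying delegation flags (with RBCD targets reported separately), and privileged accounts that are still delegable because they are neither in Protected Users nor marked as sensitive.

```powershell
# Added audit example, not the original post's tooling. Assumes RSAT ActiveDirectory module.
# Bit values are the documented userAccountControl flags; 1.2.840.113556.1.4.803 is the
# LDAP bitwise-AND matching rule.
Import-Module ActiveDirectory

$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
$NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"

# 1. Non-DC computers trusted for unconstrained delegation (the print-server case above).
#    DCs are legitimately trusted: primaryGroupID 516 = Domain Controllers, 521 = RODCs.
$filter = "(&(userAccountControl:1.2.840.113556.1.4.803:=$($TRUSTED_FOR_DELEGATION))" +
          "(!(primaryGroupID=516))(!(primaryGroupID=521)))"
$unconstrainedHosts = Get-ADComputer -LDAPFilter $filter -Properties operatingSystem, servicePrincipalName |
    Select-Object Name, operatingSystem, @{n='SPNs'; e={ $_.servicePrincipalName -join ';' }}

# 2. User/service accounts with either delegation flag. RBCD lives on the *target* object
#    (msDS-AllowedToActOnBehalfOfOtherIdentity), so those hosts are listed separately.
$filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$($TRUSTED_FOR_DELEGATION))" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$($TRUSTED_TO_AUTH_FOR_DELEGATION)))"
$delegatingUsers = Get-ADUser -LDAPFilter $filter -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
    Select-Object SamAccountName,
        @{n='Unconstrained';       e={ [bool]($_.userAccountControl -band $TRUSTED_FOR_DELEGATION) }},
        @{n='ProtocolTransition';  e={ [bool]($_.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) }},
        @{n='AllowedToDelegateTo'; e={ $_.'msDS-AllowedToDelegateTo' -join ';' }}
$rbcdTargets = Get-ADComputer -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' |
    Select-Object -ExpandProperty Name

# 3. Domain Admins a delegating host could still impersonate: not in Protected Users and
#    without the NOT_DELEGATED flag. (Protected Users requires a 2012 R2+ domain.)
$protected = @(Get-ADGroupMember 'Protected Users' -ErrorAction SilentlyContinue |
    ForEach-Object { $_.SID.Value })
$exposedAdmins = Get-ADGroupMember 'Domain Admins' -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-ADUser -Properties userAccountControl |
    Where-Object { -not ($_.userAccountControl -band $NOT_DELEGATED) -and
                   $protected -notcontains $_.SID.Value } |
    Select-Object SamAccountName

Write-Output '== Non-DC hosts with unconstrained delegation (remove or convert to constrained/RBCD) =='
$unconstrainedHosts | Format-Table -AutoSize
Write-Output '== Accounts with delegation flags set =='
$delegatingUsers | Format-Table -AutoSize
Write-Output '== RBCD targets (review msDS-AllowedToActOnBehalfOfOtherIdentity) =='
$rbcdTargets
Write-Output '== Domain Admins still delegable (add to Protected Users / set NOT_DELEGATED) =='
$exposedAdmins | Format-Table -AutoSize
```

Run it on a schedule and diff the output; a new entry in the first or last section is exactly the change that enabled the path described in this post.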
Conclusion
A single misconfigured attribute on one server object led to total domain compromise. Active Directory security requires ongoing auditing of delegation settings, SPNs, and trust relationships.