[cifs-protocol] 120020724000249 MS-KILE | TGT Delegation in external trusts

Isaac Boukris iboukris at gmail.com
Wed Feb 12 17:39:09 UTC 2020

Hi Sreekanth

On Wed, Feb 12, 2020 at 5:37 PM Sreekanth Nadendla
<srenaden at microsoft.com> wrote:
> Hello Isaac, Originally unconstrained delegation worked with external trusts. However a security patch changed the default behavior.
> •       Unconstrained Kerberos delegation is disabled by default on new forest and new external trusts after you install the May 14 update and later updates.
> •       Unconstrained Kerberos delegation is disabled on forests (both new and existing) and external trusts after you install the July 9, 2019, update and later updates.
> •       Administrators can enable unconstrained Kerberos delegation by using the May or later versions of NETDOM and AD PowerShell module.
> You can read more about this from the following article.
> https://support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server

I didn't notice the article does in fact mention the external-trust
case, thank you for pointing that out.

Reading the article again, I also found the reason why it didn't work
for me, external-trusts are quarantined by default.
After running netdom trust /Quarantine:no in addition to
/EnableTgtDelegation:yes, I get ok-as-delegate on external trust.

Quotes from the article:
This is especially true of external trust for which the quarantine
flag (also known as SID filtering) is enabled by default.
If you have a forest or external trust, and either are configured as
quarantined, TGT delegation cannot be enabled because the two flags
have opposite semantics. The quarantine bit strengthens the security
boundary between participating domains. Enabling TGT delegation erases
the security boundaries between domains by giving the trusting domain
access to the credentials of users from the trusted domain. You cannot
have it both ways.
Add the quarantine:no flag to the NETDOM command line syntax if the
quarantine flag is currently enabled.


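The two netdom steps above, written out as a PowerShell script with the state check before and the ticket check after. This is an added example, not code from the thread or from Samba; the domain names are placeholders, the script assumes netdom.exe (RSAT) is present and is run from a domain controller in the trusted domain as the linked KB article describes, and the klist verification step (a cross-realm TGT request followed by a search for the ok_as_delegate flag) is an assumed way to confirm the result from a Windows client.

```powershell
# Added example (not from the original thread): enable TGT delegation on an
# external trust and confirm the resulting TGT carries ok-as-delegate.
# Assumptions: netdom.exe is available, the script runs on a DC of the
# trusted (account) domain, and the domain names below are placeholders.
param(
    [string]$TrustingDomain = "fabrikam.example",   # resource side, hosts the service
    [string]$TrustedDomain  = "contoso.example"     # account side, owns the users
)

function Get-TrustSetting([string]$Flag) {
    # Passing the flag without a value makes netdom print its current state.
    & netdom trust $TrustingDomain /domain:$TrustedDomain "/$Flag"
}

# 1. Show the current state of both flags; they have opposite semantics,
#    so TGT delegation cannot be enabled while quarantine is set.
Get-TrustSetting -Flag 'Quarantine'
Get-TrustSetting -Flag 'EnableTgtDelegation'

# 2. SID filtering (quarantine) is on by default for external trusts and
#    blocks the delegation flag, so it has to be cleared first. This widens
#    the security boundary between the two domains: the trusting domain
#    gains access to credentials of the trusted domain's users.
& netdom trust $TrustingDomain /domain:$TrustedDomain /Quarantine:no

# 3. Only now can the delegation flag be set.
& netdom trust $TrustingDomain /domain:$TrustedDomain /EnableTgtDelegation:yes

# 4. Assumed verification from a client in the trusted domain: purge the
#    cache, request a cross-realm TGT for the trusting domain, then look
#    for the ok_as_delegate flag in the cached ticket listing.
klist purge | Out-Null
klist get "krbtgt/$TrustingDomain" | Out-Null
klist | Select-String -Pattern 'ok_as_delegate'
```

Run step 1 on its own first; if Quarantine reports enabled, step 2 is required before step 3 will take effect, and clearing it should be a deliberate design decision rather than a reflex, since it removes the SID-filtering protection that external trusts carry by default.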