1

Where can I see the setting in the domain if I enable "unconstrained Delegation" by using the command below?

netdom.exe trust fabrikam.com /domain:contoso.com /EnableTGTDelegation:Yes

Darktux

2 Answers

1

PowerShell module for Active Directory.

Get-ADTrust -Filter *

Direction               : BiDirectional
DisallowTransivity      : False
DistinguishedName       : CN=litware.com,CN=System,DC=contoso,DC=com
ForestTransitive        : False
IntraForest             : True
IsTreeParent            : False
IsTreeRoot              : False
Name                    : litware.com
ObjectClass             : trustedDomain
ObjectGUID              : 10233929-969d-453f-aaea-1a73f7659e74
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=contoso,DC=com
Target                  : litware.com
TGTDelegation           : True
TrustAttributes         : 32
TrustedPolicy           :
TrustingPolicy          :
TrustType               : Uplevel
UplevelOnly             : False
UsesAESKeys             : False
UsesRC4Encryption       : False
Greg Askew
  • Thank you, there is a little confusion; the status "TGTDelegation : True" means the delegation is disabled? And if it's set to "False" it's enabled? This confuses me a little, why the other way? – Darktux Aug 01 '19 at 17:01
  • No, True means TGTDelegation is enabled. The secure state is False/No. False/No is also the default after the July 2019 update is installed. See: https://support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server . – Greg Askew Aug 01 '19 at 18:30
  • I am referring to this article; The value returned from the above command is counterintuitive and is backwards from what you might expect: FALSE – A return of false means that the delegation is enabled and is in the unsafe state. TRUE – A return of true indicates that the delegation is disabled and is in the safe state. https://blogs.technet.microsoft.com/askpfeplat/2019/04/11/changes-to-ticket-granting-ticket-tgt-delegation-across-trusts-in-windows-server-askpfeplat-edition/ – Darktux Aug 07 '19 at 13:43
0

I don't have enough reputation to make a comment, so I'm going to post this as an answer:

When you enable TGT delegation via netdom trust x /domain:y /EnableTgtDelegation:Yes (which is unsafe) then Get-ADTrust shows TGTDelegation : True.

When you disable TGT delegation via netdom trust x /domain:y /EnableTgtDelegation:No (which is safe) then Get-ADTrust shows TGTDelegation : False.

This is on Windows Server 2019 Version 1809 (OS Build 17763.2061) with WSUS updates applied as of July 2021.

This disagrees with the comment @Darktux made on the other answer.
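
Added example (not part of either answer): a way to check the trust state without relying on how the TGTDelegation property is displayed is to decode the raw TrustAttributes value that Get-ADTrust also returns. The bit values are the trustAttributes flags defined in MS-ADTS; the helper name Get-TrustAttributeFlags and the two ".test" sample trusts are hypothetical and constructed for illustration.

```powershell
# Added example, not code from the answers above.
# Bit values follow the trustAttributes definition in MS-ADTS.
$TrustAttrBits = [ordered]@{
    NON_TRANSITIVE                           = 0x001
    UPLEVEL_ONLY                             = 0x002
    QUARANTINED_DOMAIN                       = 0x004
    FOREST_TRANSITIVE                        = 0x008
    CROSS_ORGANIZATION                       = 0x010
    WITHIN_FOREST                            = 0x020
    TREAT_AS_EXTERNAL                        = 0x040
    USES_RC4_ENCRYPTION                      = 0x080
    CROSS_ORGANIZATION_NO_TGT_DELEGATION     = 0x200
    PIM_TRUST                                = 0x400
    CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION = 0x800
}

# Hypothetical helper: expands the bitmask and surfaces the two TGT delegation bits.
function Get-TrustAttributeFlags {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$TrustAttributes
    )
    $set = @()
    $known = 0
    foreach ($bit in $TrustAttrBits.GetEnumerator()) {
        $known = $known -bor $bit.Value
        if ($TrustAttributes -band $bit.Value) { $set += $bit.Key }
    }
    [pscustomobject]@{
        Name                = $Name
        TrustAttributes     = '0x{0:X}' -f $TrustAttributes
        Flags               = $set -join ', '
        UnknownBits         = '0x{0:X}' -f ($TrustAttributes -band (-bnot $known))
        NoTgtDelegation     = [bool]($TrustAttributes -band 0x200)
        EnableTgtDelegation = [bool]($TrustAttributes -band 0x800)
    }
}

# 32 is the litware.com value from the output above; the other two are constructed.
$samples = @(
    @{ Name = 'litware.com';        TrustAttributes = 32 }
    @{ Name = 'constructed-a.test'; TrustAttributes = 0x808 }
    @{ Name = 'constructed-b.test'; TrustAttributes = 0x208 }
)
$rows = foreach ($s in $samples) { Get-TrustAttributeFlags @s }
$rows | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADTrust -Filter * | ForEach-Object {
#     Get-TrustAttributeFlags -Name $_.Name -TrustAttributes $_.TrustAttributes }
```

For the page's value of 32, only WITHIN_FOREST is set and both delegation bits are clear; a trust with EnableTgtDelegation reporting True is the one to review.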