Removing unconstrained delegation on AD machine accounts

sallowdk8600 1 Reputation point
2022-02-01T10:35:31.547+00:00

I've just started working for a company where I noticed that a bunch of our Windows servers have unconstrained delegation enabled on their AD machine account. I would like to either disable delegation altogether or limit the delegation to specific services/hosts. However, as I'm new to this environment (and there is no documentation) I'm not sure whether delegation is still needed for these servers. And if it is needed - to which servers and services is the delegation being used.

For now I want to focus on the machine accounts where delegation is enabled. How do I investigate this? I have searched for event ID 4769 on the domain controllers, but I'm not able to interpret the logs properly. I was hoping that I would be able to see which servers and services the delegation is being used against. I mean, in AD I can see that a specific server is "trusted for delegation", but when the delegation is set to "any service", I need to find out against which services and servers it is being used.

Any help or insights would be greatly appreciated. Thanks!

Active Directory

1 answer

  1. Limitless Technology 39,371 Reputation points
    2022-02-02T10:56:13.187+00:00

    Hello

    Thank you for your question and for reaching out.

    I understand you are facing an issue with event ID 4769.

    This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
    This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

    You will typically see many Failure events with Failure Code “0x20”, which simply means that a TGS ticket has expired. These are informational messages and have little to no security relevance.

    https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769

    ------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--

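The answer above explains what event 4769 records; the question, however, is how to turn those events into a list of the services that the unconstrained-delegation hosts actually reach. The following PowerShell is an added example (not from the original question or answer) of one practical way to do that. The idea is that when a front-end host with unconstrained delegation acts on a user's behalf, it spends the user's forwarded TGT, so the TGS-REQ seen by the domain controller comes from the front-end host's IP address while the Account Name in 4769 is the user, not the host's own machine account. Correlating those two fields across all DCs shows which Service Names are reached through each delegator. It assumes the RSAT ActiveDirectory module, rights to read the DC Security logs, that "Audit Kerberos Service Ticket Operations" is enabled, and a 7-day lookback window (an assumption; adjust to your log retention).

```powershell
# Added example, not part of the original Q&A: correlate 4769 events on the DCs
# with the computer accounts that are trusted for unconstrained delegation.
# Assumptions: RSAT ActiveDirectory module, read access to the DC Security logs,
# "Audit Kerberos Service Ticket Operations" enabled, 7-day lookback window.
Import-Module ActiveDirectory

$since = (Get-Date).AddDays(-7)   # lookback window (assumption; widen if retention allows)

# 1. Computer accounts with "Trust this computer for delegation to any service"
#    (userAccountControl bit 0x80000 = TRUSTED_FOR_DELEGATION). Domain
#    controllers (primary group 516) carry this bit by design, so skip them.
$delegators = Get-ADComputer -Filter 'TrustedForDelegation -eq $true' `
    -Properties TrustedForDelegation, PrimaryGroupID, IPv4Address |
    Where-Object { $_.PrimaryGroupID -ne 516 -and $_.IPv4Address }

$delegatorIps = @{}
foreach ($c in $delegators) { $delegatorIps[$c.IPv4Address] = $c.Name }

if ($delegatorIps.Count -eq 0) {
    Write-Host 'No non-DC computer accounts with unconstrained delegation found.'
    return
}

# 2. Collect 4769 from every DC: the DC that issued a ticket is the only one
#    that logged it, so a single DC gives an incomplete picture.
$events = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4769; StartTime = $since
    } -ErrorAction SilentlyContinue
}

# 3. Flatten the EventData XML into one object per event.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        DC       = $e.MachineName
        Account  = $d['TargetUserName']                  # account the ticket is for, e.g. user@DOMAIN.LOCAL
        Service  = $d['ServiceName']                     # account owning the requested SPN
        ClientIp = ($d['IpAddress'] -replace '^::ffff:', '')   # strip the IPv4-mapped prefix
        Options  = $d['TicketOptions']
        Status   = $d['Status']                          # 0x0 = ticket issued
    }
}

# 4. Delegation in use: the request came from a delegator's IP, but the ticket
#    is for an account other than that delegator's own machine account. That is
#    the front-end host using a forwarded TGT on behalf of someone else.
$viaDelegation = $rows | Where-Object {
    $_.Status -eq '0x0' -and
    $delegatorIps.ContainsKey($_.ClientIp) -and
    $_.Account -notlike ($delegatorIps[$_.ClientIp] + '$*')
}

# 5. Summarise: which services each delegating host reaches, and how often.
$viaDelegation |
    Group-Object @{ Expression = { $delegatorIps[$_.ClientIp] } }, Service |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Delegator'; e = { $_.Values[0] } },
        @{ n = 'Service';   e = { $_.Values[1] } } |
    Format-Table -AutoSize
```

A host that never appears in the summary over a window longer than its longest business cycle (month-end batch jobs, for example) is a candidate for clearing the delegation flag outright; a host that does appear tells you which target services to list under "Trust this computer for delegation to specified services only" instead. Two caveats: the Client Address in 4769 is the source of the TGS-REQ, so NAT or a load balancer in front of the delegator will hide the true origin, and DC Security logs are usually rotated quickly, so either collect the events centrally first or accept that the window is shorter than it looks.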