Home
%3CLINGO-SUB%20id%3D%22lingo-sub-446905%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-446905%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20Brandon%20and%20team%20-%20thank%20you%20for%20sharing%20this%20and%20clearing%20outlining%20the%20issue%20and%20next%20steps.%20I%20just%20wanted%20to%20confirm%201%20thing.%20If%20we%20%3CSPAN%3Esimply%20wait%20until%207%2F9%2F2019%2C%20the%26nbsp%3BEnableTGTDelegation%20setting%20will%20automatically%20be%20set%20to%20%22No%22%20for%20all%20existing%20trusts%2C%20right%20(once%20the%20Windows%20Update%20is%20applied)%3F%20Thank%20you%20again!%20-N%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-447932%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-447932%22%20slang%3D%22en-US%22%3E%3CP%3E%40Neil%20yes%20Sir%20you%20are%20right%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3EAlan%20%40PFE%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-481109%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-481109%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20the%20%22next%20steps%22%20section%20a%20slash%20is%20missing%20in%20front%20of%20%2FEnableTGTDelegation%3ANo.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%2C%20how%20about%20bidirectional%20forest%20trusts%2C%20part%20of%20them%20is%20an%20inbound%20trust%20as%20well%20or%20am%20I%20missing%20something%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-568612%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-568612%22%20slang%3D%22en-US%22%3E%3CP%3EThanks%20for%20explaining%20this%20issue%20so%20well.%20Can%20you%20answer%20some%20additional%20questions%2C%20so%20we%20can%20better%20scope%20changes%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EKerberos%20works%20properly%20with%20Forest%20trusts%2C%20but%20it%20can%20also%20work%20with%20External%20trust%2C%20by%20utilizing%20KFSO%2C%20for%20instance.%20What%20kind%20of%20trusts%20will%20be%20changed%20on%20July%209%3F%20In%20the%20article%20you%20only%20mention%20Forests%2C%20so%20it's%20a%20bit%20unclear.%20How%20about%20tree-root%20%2F%20parent-child%20trusts%20-%20will%20they%20be%20changed%20as%20well%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAll%20domain%20controllers%20by%20default%20are%20configured%20with%20unconstrained%20delegation.%20Should%20this%20be%20changed%20or%20is%20it%20necessary%20to%20function%20as%20a%20DC%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20in%20advance!%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-575484%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-575484%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F341876%22%20target%3D%22_blank%22%3E%40RossUA%3C%2FA%3E%20Only%20Forest%20Trusts%20are%20impacted.%20Domain%20trusts%20not%20affected.%3C%2FP%3E%0A%3CP%3EDCs%20remain%20as%20they%20are%20configured%20now.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%202008R2%20DCs%20the%20script%20doesn't%20work%20because%20it%20uses%20the%20Get-ADTrust%20command.%3C%2FP%3E%0A%3CP%3EWorkaround%20is%20to%20install%20RSAT%20on%202012%20member%20server%20and%20run%20the%20script%20from%20there.%20Currently%20tested%20and%20working.%3C%2FP%3E%0A%3CP%3EAlso%20for%20querying%20UserAccountControl%20quickly%20in%20the%20domain%3A%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3ETRUSTED_FOR_DELEGATION%20524288%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20size%3D%222%22%3ETRUSTED_TO_AUTH_FOR_DELEGATION%2016777216%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22background%3A%20white%3B%20text-autospace%3A%20none%3B%22%20dir%3D%22ltr%22%3E%3CFONT%20color%3D%22%23000000%22%20size%3D%221%22%3E%3CSPAN%20style%3D%22font-size%3A%209.0pt%3B%20font-family%3A%20'Lucida%20Console'%3B%20color%3A%20blue%3B%22%3Eget-aduser%3C%2FSPAN%3E%3CSPAN%20style%3D%22font-size%3A%209.0pt%3B%20font-family%3A%20'Lucida%20Console'%3B%22%3E%20%3CSPAN%20style%3D%22color%3A%20navy%3B%22%3E-ldapfilter%3C%2FSPAN%3E%20%3CFONT%20color%3D%22%23000000%22%20size%3D%221%22%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23000000%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2010.06px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20lucida%20console%26amp%3Bquot%3B%3B%20font-size%3A%209pt%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20darkred%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.4285%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CFONT%20face%3D%22%26quot%3BSegoeUI%26quot%3B%2C%26quot%3BLato%26quot%3B%2C%26quot%3BHelvetica%20Neue%26quot%3B%2CHelvetica%2CArial%2Csans-serif%22%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%3CFONT%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-size%3A%2013.33px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%209pt%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.4285%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CFONT%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%22(userAccountControl%3A1.2.840.113556.1.4.803%3A%3D%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20style%3D%22color%3A%20darkred%3B%22%3E%3CFONT%20color%3D%22%23000000%22%20size%3D%221%22%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23000000%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2010.06px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20lucida%20console%26amp%3Bquot%3B%3B%20font-size%3A%209pt%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20darkred%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.4285%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CFONT%20face%3D%22%26quot%3BSegoeUI%26quot%3B%2C%26quot%3BLato%26quot%3B%2C%26quot%3BHelvetica%20Neue%26quot%3B%2CHelvetica%2CArial%2Csans-serif%22%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%3CFONT%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-size%3A%2013.33px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%209pt%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.4285%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CFONT%20style%3D%22box-sizing%3A%20border-box%3B%22%3E524288%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E)%22%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22background%3A%20white%3B%20text-autospace%3A%20none%3B%22%20dir%3D%22ltr%22%3E%3CFONT%20color%3D%22%23000000%22%20size%3D%221%22%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23000000%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2010.06px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CFONT%20size%3D%223%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20blue%3B%20font-family%3A%20%26amp%3Bquot%3B%20lucida%20console%26amp%3Bquot%3B%3B%20font-size%3A%209pt%3B%22%3Eget-aduser%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20lucida%20console%26amp%3Bquot%3B%3B%20font-size%3A%209pt%3B%22%3E%20%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20navy%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3E-ldapfilter%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3CFONT%20color%3D%22%23000000%22%20size%3D%221%22%3E%3CSPAN%20style%3D%22font-size%3A%209.0pt%3B%20font-family%3A%20'Lucida%20Console'%3B%22%3E%3CSPAN%20style%3D%22color%3A%20darkred%3B%22%3E%3CSPAN%20style%3D%22text-align%3A%20left%3B%20color%3A%20%23333333%3B%20text-transform%3A%20none%3B%20line-height%3A%201.4285%3B%20text-indent%3A%200px%3B%20letter-spacing%3A%20normal%3B%20font-family%3A%20'Segoe%20UI'%2CTahoma%2CArial%2C'Helvetica%20Neue'%2CHelvetica%2CSans-Serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20text-decoration%3A%20none%3B%20word-spacing%3A%200px%3B%20display%3A%20inline%20!important%3B%20white-space%3A%20normal%3B%20orphans%3A%202%3B%20float%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20background-color%3A%20%23ffffff%3B%22%3E%3CFONT%20face%3D%22%26quot%3BSegoeUI%26quot%3B%2C%26quot%3BLato%26quot%3B%2C%26quot%3BHelvetica%20Neue%26quot%3B%2CHelvetica%2CArial%2Csans-serif%22%3E%3CFONT%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2013.33px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20lucida%20console%26amp%3Bquot%3B%3B%20font-size%3A%209pt%3B%22%3E%26nbsp%3B%3CFONT%20color%3D%22%23000000%22%20size%3D%221%22%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23000000%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2010.06px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20darkred%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.4285%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CFONT%20face%3D%22%26quot%3BSegoeUI%26quot%3B%2C%26quot%3BLato%26quot%3B%2C%26quot%3BHelvetica%20Neue%26quot%3B%2CHelvetica%2CArial%2Csans-serif%22%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%3CFONT%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-size%3A%2013.33px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%209pt%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.4285%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CFONT%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%22(userAccountControl%3A1.2.840.113556.1.4.803%3A%3D%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20darkred%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3E%3CFONT%20color%3D%22%23000000%22%20size%3D%221%22%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23000000%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2010.06px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.4285%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CFONT%20face%3D%22%26quot%3BSegoeUI%26quot%3B%2C%26quot%3BLato%26quot%3B%2C%26quot%3BHelvetica%20Neue%26quot%3B%2CHelvetica%2CArial%2Csans-serif%22%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%3CFONT%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-size%3A%2013.33px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%209pt%3B%22%3E16777216%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FFONT%3E)%22%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%20style%3D%22background%3A%20white%3B%20text-autospace%3A%20none%3B%22%20dir%3D%22ltr%22%3E%3CFONT%20color%3D%22%23000000%22%20size%3D%221%22%3E%3CSPAN%20style%3D%22font-size%3A%209.0pt%3B%20font-family%3A%20'Lucida%20Console'%3B%22%3E%3CSPAN%20style%3D%22color%3A%20darkred%3B%22%3E%3CSPAN%20style%3D%22text-align%3A%20left%3B%20color%3A%20%23333333%3B%20text-transform%3A%20none%3B%20line-height%3A%201.4285%3B%20text-indent%3A%200px%3B%20letter-spacing%3A%20normal%3B%20font-family%3A%20'Segoe%20UI'%2CTahoma%2CArial%2C'Helvetica%20Neue'%2CHelvetica%2CSans-Serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20text-decoration%3A%20none%3B%20word-spacing%3A%200px%3B%20display%3A%20inline%20!important%3B%20white-space%3A%20normal%3B%20orphans%3A%202%3B%20float%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20background-color%3A%20%23ffffff%3B%22%3E%3CFONT%20face%3D%22%26quot%3BSegoeUI%26quot%3B%2C%26quot%3BLato%26quot%3B%2C%26quot%3BHelvetica%20Neue%26quot%3B%2CHelvetica%2CArial%2Csans-serif%22%3E%3CFONT%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2013.33px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20lucida%20console%26amp%3Bquot%3B%3B%20font-size%3A%209pt%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20darkred%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3E%3CSPAN%20style%3D%22text-align%3A%20left%3B%20color%3A%20%23333333%3B%20text-transform%3A%20none%3B%20line-height%3A%201.4285%3B%20text-indent%3A%200px%3B%20letter-spacing%3A%20normal%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20text-decoration%3A%20none%3B%20word-spacing%3A%200px%3B%20display%3A%20inline%3B%20white-space%3A%20normal%3B%20box-sizing%3A%20border-box%3B%20orphans%3A%202%3B%20float%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20background-color%3A%20%23ffffff%3B%22%3E%3CFONT%20face%3D%22%26quot%3BSegoeUI%26quot%3B%2C%26quot%3BLato%26quot%3B%2C%26quot%3BHelvetica%20Neue%26quot%3B%2CHelvetica%2CArial%2Csans-serif%22%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%209pt%3B%22%3E%3CFONT%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.4285%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20blue%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%209pt%3B%22%3Eget-adcomputer%3C%2FSPAN%3E%20%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20navy%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3E-ldapfilter%3C%2FSPAN%3E%20%22(userAccountControl%3A1.2.840.113556.1.4.803%3A%3D524288)%22%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22background-attachment%3A%20scroll%3B%20background-clip%3A%20border-box%3B%20background-color%3A%20white%3B%20background-image%3A%20none%3B%20background-origin%3A%20padding-box%3B%20background-position-x%3A%200%25%3B%20background-position-y%3A%200%25%3B%20background-repeat%3A%20repeat%3B%20background-size%3A%20auto%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-family%3A%20inherit%3B%20font-size%3A%2016px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.7142%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%20margin%3A%200px%3B%22%20dir%3D%22ltr%22%3E%3CFONT%20color%3D%22%23000000%22%20size%3D%221%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20blue%3B%20font-family%3A%20%26amp%3Bquot%3B%20lucida%20console%26amp%3Bquot%3B%3B%20font-size%3A%209pt%3B%22%3Eget-adcomputer%3C%2FSPAN%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20lucida%20console%26amp%3Bquot%3B%3B%20font-size%3A%209pt%3B%22%3E%20%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20navy%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3E-ldapfilter%3C%2FSPAN%3E%20%3CFONT%20color%3D%22%23000000%22%20size%3D%221%22%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23000000%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2010.06px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20darkred%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.4285%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CFONT%20face%3D%22%26quot%3BSegoeUI%26quot%3B%2C%26quot%3BLato%26quot%3B%2C%26quot%3BHelvetica%20Neue%26quot%3B%2CHelvetica%2CArial%2Csans-serif%22%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%3CFONT%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-size%3A%2013.33px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%209pt%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.4285%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CFONT%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%22(userAccountControl%3A1.2.840.113556.1.4.803%3A%3D%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20darkred%3B%20font-family%3A%20%26amp%3Bquot%3B%22%3E%3CFONT%20color%3D%22%23000000%22%20size%3D%221%22%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23000000%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%2010.06px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22background-color%3A%20%23ffffff%3B%20box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20display%3A%20inline%3B%20float%3A%20none%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoe%20ui%26amp%3Bquot%3B%2Ctahoma%2Carial%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Csans-serif%3B%20font-size%3A%2014px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20letter-spacing%3A%20normal%3B%20line-height%3A%201.4285%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CFONT%20face%3D%22%26quot%3BSegoeUI%26quot%3B%2C%26quot%3BLato%26quot%3B%2C%26quot%3BHelvetica%20Neue%26quot%3B%2CHelvetica%2CArial%2Csans-serif%22%20style%3D%22box-sizing%3A%20border-box%3B%22%3E%3CFONT%20style%3D%22box-sizing%3A%20border-box%3B%20color%3A%20%23333333%3B%20font-size%3A%2013.33px%3B%20font-style%3A%20normal%3B%20font-variant%3A%20normal%3B%20font-weight%3A%20300%3B%20letter-spacing%3A%20normal%3B%20orphans%3A%202%3B%20text-align%3A%20left%3B%20text-decoration%3A%20none%3B%20text-indent%3A%200px%3B%20text-transform%3A%20none%3B%20-webkit-text-stroke-width%3A%200px%3B%20white-space%3A%20normal%3B%20word-spacing%3A%200px%3B%22%3E%3CSPAN%20style%3D%22box-sizing%3A%20border-box%3B%20font-family%3A%20%26amp%3Bquot%3B%20segoeui%26amp%3Bquot%3B%2C%26amp%3Bquot%3Blato%26amp%3Bquot%3B%2C%26amp%3Bquot%3Bhelvetica%20neue%26amp%3Bquot%3B%2Chelvetica%2Carial%2Csans-serif%3B%20font-size%3A%209pt%3B%22%3E16777216%3CFONT%20color%3D%22%23003900%22%3E)%22%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%23003900%22%3ERegards%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%23003900%22%3EAlan%26nbsp%3B%40PFE%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-583981%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-583981%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThanks%20for%20clarifying!%20Just%20one%20more%20question%20-%20is%20it%20supported%20to%26nbsp%3Bset%26nbsp%3B%3CSPAN%3E%2FEnableTGTDelegation%3ANo%20on%20internal%20%22tree-root%22%20type%20of%20trusts%3F%20For%20instance%2C%20in%20cases%20when%20domains%20in%20the%20forest%20belong%20to%20different%20security%20classes%20(I%20know%20that%20Domain%20is%20not%20a%20security%20boundary%2C%20but%20we%20are%20dealing%20with%20some%20legacy%20designs).%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAs%20for%20the%20script%2C%20many%20organizations%20don't%20open%209389%20towards%20the%20domain%20controllers%20from%20trusting%20domain%2C%20keeping%20the%20amount%20of%20ports%20to%20absolute%20minimum.%20For%20the%20same%20reason%2C%20running%20a%20script%20from%20member%20server%20might%20not%20get%20necessary%20result%2C%20as%20firewall%20openings%20might%20be%20absent.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20changed%20the%20script%20to%20fall%20back%20to%20good%20old%20DirectorySearcher%20class%2C%20if%20AD%20cmdlets%20can't%20connect%20to%20the%20domain.%20The%20script%20is%20no%20longer%20so%20elegant%20but%20it's%20fit%20for%20purpose.%20Now%20thanks%20to%20your%20tip%20will%20add%20fall-back%20capability%20of%20getting%20trust%20information%20without%20Get-ADTrust.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20regards%2C%3C%2FP%3E%3CP%3ERoss%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-650503%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-650503%22%20slang%3D%22en-US%22%3E%3CP%3EI%20have%20tried%20to%20make%20this%20change%20for%20one%20of%20the%20customers%20today%20and%20it%20failed.%3CBR%20%2F%3E%3CBR%20%2F%3EAs%20an%20admin%20of%20Contoso%2C%20where%20Fabrikam%20trusts%20Contoso%20(in%20my%20case%20-%20two%20ways%20trust%2C%20but%20we%20are%20concerned%20about%20the%20incoming%20to%20Contoso)%2C%20I%20have%20run%20this%20command%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CPRE%3Enetdom.exe%20trust%20fabrikam.com%20%2Fdomain%3Acontoso.com%20EnableTGTDelegation%3ANo%3C%2FPRE%3E%3CP%3EThe%20result%20is%20%22Access%20denied%22.%20I%20have%20checked%20with%20%22whoami%20%2Fgroups%22%20that%20I%20have%20got%20Enterprise%20Admins%20and%20Domain%20Admins%20membership.%20DCs%20are%20fully%20patched%202012%20R2.%20After%20some%20unsuccessful%20troubleshooting%2C%20used%20Wireshark%20and%20found%20out%20that%20when%20this%20command%20is%20issued%2C%20a%20computer%20is%20connecting%20to%20a%20DC%20in%20Fabrikam%20domain%20and%20gets%20%22Access%20Denied%22%20error%3A%3C%2FP%3E%3CPRE%3ELSARPC%20218%20lsa_OpenPolicy2%20response%2C%20STATUS_ACCESS_DENIED%2C%20Error%3A%20STATUS_ACCESS_DENIED%3C%2FPRE%3E%3CP%3ESo%20it%20looks%20like%20it%20is%20trying%20to%20change%20a%20trust%20configuration%20on%20the%20Fabrikam%20forest%20side.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIf%20I%20reverse%20a%20command%20to%20this%3A%3C%2FP%3E%3CPRE%3Enetdom.exe%20trust%20%3CFONT%20size%3D%223%22%3E%3CSTRONG%3Econtoso.com%3C%2FSTRONG%3E%3C%2FFONT%3E%20%2Fdomain%3A%3CFONT%20size%3D%223%22%3E%3CSTRONG%3Efabrikam.com%3C%2FSTRONG%3E%3C%2FFONT%3E%20EnableTGTDelegation%3ANo%3C%2FPRE%3E%3CP%3Eit%20kind%20of%20works%2C%20although%20it%20is%20misleading%3A%3C%2FP%3E%3CPRE%3EC%3A%5CWindows%5Csystem32%26gt%3Bnetdom%20trust%20contoso.com%20%2Fdomain%3Afabrikam.com%20%2FEnableTGTDelegation%3ANo%0ATGT%20delegation%20%3CFONT%20color%3D%22%23FF0000%22%3Eis%20already%20disabled%3C%2FFONT%3E.%0A%0AThe%20command%20completed%20successfully.%0A%0A%0AC%3A%5CWindows%5Csystem32%26gt%3Bnetdom%20trust%20contoso.com%20%2Fdomain%3Afabrikam.com%3CFONT%20color%3D%22%23FF0000%22%3E%20%2FEnableTGTDelegation%3C%2FFONT%3E%0ATGT%20Delegation%20%3CFONT%20color%3D%22%23FF0000%22%3Eis%20enabled.%3C%2FFONT%3E%0A%0AThe%20command%20completed%20successfully.%0A%0A%0AC%3A%5CWindows%5Csystem32%26gt%3Bnetdom%20trust%20contoso.com%20%2Fdomain%3Afabrikam.com%20%2FEnableTGTDelegation%3AYes%0AEnabling%20TGT%20delegation.%0A%0AWarning%3A%20enabling%20Kerberos%20full%20TGT%20delegation%20on%20outbound%20trusts%20is%20not%20recommended.%20See%20https%3A%2F%2Faka.ms%2Fnetdomtgtdelegation%20for%20more%20information.%0A%0AThe%20command%20completed%20successfully.%0A%0A%0AC%3A%5CWindows%5Csystem32%26gt%3Bnetdom%20trust%20contoso.com%20%2Fdomain%3Afabrikam.com%20%2FEnableTGTDelegation%3ANo%0ADisabling%20TGT%20delegation.%0A%0AThe%20command%20completed%20%3CFONT%20color%3D%22%23008000%22%3Esuccessfully.%3C%2FFONT%3E%0A%0A%0AC%3A%5CWindows%5Csystem32%26gt%3Bnetdom%20trust%20contoso.com%20%2Fdomain%3Afabrikam.com%20%2FEnableTGTDelegation%0ATGT%20Delegation%20%3CFONT%20color%3D%22%23008000%22%3Eis%20disabled.%3C%2FFONT%3E%0A%0AThe%20command%20completed%20successfully.%3C%2FPRE%3E%3CP%3EAfter%20this%20command%2C%20the%20trust%20attributes%20have%20been%20set%20to%200x208%2C%20but%20I'm%20a%20bit%20unsure%20if%20I%20have%20disabled%20TGT%20delegation%20for%20incoming%20trust%20to%20Fabrikam%2C%20or%20incoming%20trust%20for%20Contoso.%20According%20to%20the%20netdom%20command%20help%2C%20the%20command%20in%20the%20article%20is%20correct%2C%20so%20it%20seems%20like%20the%20TGT%20delegation%20should%20be%20disabled%20on%20a%20trusting%20forest%20side.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20had%20another%20pair%20of%20expert%20eyes%20looking%20at%20this%20and%20we%20couldn't%20find%20what%20goes%20wrong.%20Can%20you%20suggest%20what%20is%20the%20error%20please%3F%20I'm%20planning%20to%20create%20a%20case%20tomorrow.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-657807%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-657807%22%20slang%3D%22en-US%22%3E%3CP%3E%3CFONT%20style%3D%22background-color%3A%20%23ffffff%3B%22%3ELittle%20update%20on%20this%20topic%20to%20make%20things%20a%20little%20clearer%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3EMay%2014%2C%202019%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CU%3EQuestion%3C%2FU%3E%3A%20An%20update%20will%20be%20released%20to%20introduce%20a%20new%20trust%20flag%20to%20add%20a%20new%20safe%20default%20configuration.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EIf%20you%20install%20the%20May%20update%20on%202008R2%20forests%20then%20you%20will%20be%20able%20to%20set%20the%20%3CSTRONG%3EEnableTGTDelegation%20to%20YES%20%3C%2FSTRONG%3Efor%20each%20Trusts%20already%20in%20place%2C%20correct%3F%26nbsp%3B%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CU%3EAnswer%3C%2FU%3E%3A%20This%20is%20correct%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EAlso%20-%20This%20patch%20sets%20automatically%20all%20the%20existing%20trusts%20to%20%3CSTRONG%3EEnableTGTDelegation%20%3D%20YES%3F%3C%2FSTRONG%3E%3CBR%20%2F%3EIt%20will%20not%20change%20any%20behaviors%20of%20an%20existing%20trust.%3C%2FLI%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EBut%20if%20I%20create%20a%20%3CSTRONG%3ENEW%3C%2FSTRONG%3E%20trust%20in%20these%20forests%20the%20%3CSTRONG%3EEnableTGTDelegation%20is%20set%20by%20default%20to%20NO%2C%20%3C%2FSTRONG%3Ecorrect%3F%26nbsp%3B%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CU%3EAnswer%3A%3C%2FU%3E%20This%20is%20correct%3CBR%20%2F%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CU%3EQuestion%3C%2FU%3E%3A%20If%20you%20require%20delegation%20across%20trusts%2C%20the%20flag%20should%20be%20set%20before%20the%20final%20update%20is%20installed.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EIf%20you%20apply%20the%20May%20update%2C%20you%20will%20need%20to%20set%20the%20%3CSTRONG%3EEnableTGTDelegation%20%3D%20YES%20%3C%2FSTRONG%3Ebefore%20the%20July%20update%20to%20continue%20using%20the%20Unconstrained%20Delegation%20across%20forest%2C%20correct%3F%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CU%3EAnswer%3C%2FU%3E%3A%20This%20is%20correct.%20You%20can%20set%20it%20after%20the%20July%20update%2C%20but%20that%E2%80%99s%20after%20the%20change%20and%20therefore%20may%20result%20in%20an%20outage.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E%3CU%3EJuly%209%2C%202019%3C%2FU%3E%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EQuestion%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EIf%20you%20set%20the%20%3CSTRONG%3EEnableTGTDelegation%20%3D%20YES%20%3C%2FSTRONG%3Eon%20existing%20trusts%20so%20you%20can%20continue%20to%20use%20the%20Kerberos%20Unconstrained%20delegation%20across%20forest%20(unsecure%20we%20know%20that)%2C%20then%20if%20you%20install%20the%20July%20update%20%3CSTRONG%3Ethe%20delegation%20will%20fail%3C%2FSTRONG%3E%26nbsp%3B%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CU%3EAnswer%3C%2FU%3E%3A%20This%20is%20correct%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CU%3EQuestion%3C%2FU%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EIf%20for%20some%20reason%20you%20set%20%3CSTRONG%3EEnableTGTDelegation%3DYES%3C%2FSTRONG%3E%20before%20the%20May%20update%20and%20didn%E2%80%99t%20touch%20it%20after%20the%20May%20update%2C%20you%20will%20have%20an%20issue.%20If%20you%20set%20%3CSTRONG%3EEnableTGTDelegation%3DYES%3C%2FSTRONG%3E%20after%20the%20May%20update%2C%20then%20the%20July%20update%20will%20not%20affect%20the%20trust%20at%20all.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CU%3EAnswer%3C%2FU%3E%3A%20This%20is%20correct%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CU%3EQuestion%3C%2FU%3E%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%20style%3D%22font-weight%3A%20400%3B%22%3EIf%20you%20don%E2%80%99t%20do%20anything%20after%20the%20installation%20of%20the%20MAY%2014%20patch%2C%20then%20apply%20the%20July%209%20Patch%20and%20discover%20for%20example%20on%20the%201st%20of%20August%20that%20an%20application%20doesn%E2%80%99t%20work%20anymore%20because%20the%20delegation%20is%20failing%2C%20you%20can%20configure%20%3CSTRONG%3EEnableTGTDelegation%20%3D%20YES%20%3C%2FSTRONG%3Eon%20the%20trusts%20and%20continue%20to%20work%20in%20an%20unsafe%20config.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CU%3EAnswer%3C%2FU%3E%3A%20This%20is%20correct.%20You%20can%20set%20%3CSTRONG%3EEnableTGTDelegation%3DYES%3C%2FSTRONG%3E%20and%20it%20will%20function%20again.%20The%20capability%20is%20not%20removed%20entirely%2C%20just%20now%20OFF%20by%20default.%3C%2FP%3E%0A%3CP%3EAdditionally%2C%20you%20can%20switch%20to%20resource-based%20constrained%20delegation%20if%20you%20want%20to%20stay%20in%20a%20secure%20state.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3EAlan%26nbsp%3B%40PFE%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-686457%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-686457%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F140892%22%20target%3D%22_blank%22%3E%40BrandonWilson%3C%2FA%3E%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20have%20created%20a%20case%20with%20MS%20Premier%20Support%2C%20reference%20number%20is%20119052823002455.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThe%20answer%20in%20this%20case%20confirms%20my%20findings%20and%20states%20that%20the%20netdom%20trust%20command%20should%20be%20run%20with%20the%20reversed%20order%20of%20domain%20names.%20Instead%20of%20Trusting%20domain%2C%20you%20should%20specify%20Trusted%20and%20vice%20versa.%20So%20in%20scenario%2C%20where%20Fabrikam%20is%20resource%20domain%2C%20trusting%20Contoso%2C%20which%20is%20trusted%20account%20domain%2C%20the%20command%20should%20be%20run%20in%20Contoso%20and%20should%20look%20as%20follows%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSTRONG%3Enetdom.exe%20trust%26nbsp%3Bcontoso.com%26nbsp%3B%2Fdomain%3Afabrikam.com%20%2FEnableTGTDelegation%3ANo%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3ECould%20you%20please%20confirm%20that%20this%20is%20the%20right%20solution%3F%20Can%20you%20update%20the%20article%20to%20reflect%20this%20please%3F%20Netdom%20trust%20command%20description%20on%20docs.%20should%20be%20updated%20as%20well%20(or%20netdom%20tool%20should%20be%20patched%2C%20as%20I%20guess%20it%20is%20a%20bug%20in%20the%20tool).%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-440283%22%20slang%3D%22en-US%22%3EChanges%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-440283%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Everyone!%20Allen%20Sudbring%20here%2C%20Premier%20Field%20Engineer%20at%20Microsoft.%20Today%20I'm%20putting%20a%20post%20out%20to%20get%20some%20critical%20information%20to%20everyone%20who%20supports%20Windows%20Server%20and%20Active%20Directory%20Domain%20Services.%3C%2FP%3E%0A%3CP%3EIf%20you%20haven%E2%80%99t%20seen%20the%20KB%20article%20that%20this%20post%20references%20I%20encourage%20you%20to%20check%20out%20its%20content%2C%20I%20promise%20it%E2%80%99s%20important!%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4490425%2Fupdates-to-tgt-delegation-across-incoming-trusts-in-windows-server%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EKB4490425%20-%20Updates%20to%20TGT%20delegation%20across%20incoming%20trusts%20in%20Windows%20Server%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EWith%20the%20introduction%20of%20Windows%20Server%202012%2C%20a%20new%20feature%20was%20added%20to%20Active%20Directory%20Domain%20Services%20that%20enforced%20the%20forest%20boundary%20for%20Kerberos%20unconstrained%20delegation.%20This%20allowed%20an%20administrator%20of%20a%20trusted%20forest%20to%20configure%20whether%20TGTs%20can%20be%20delegated%20to%20a%20service%20in%20the%20trusting%20forest.%20Unfortunately%2C%20an%20unsafe%2C%20default%20configuration%20exists%20within%20this%20feature%20when%20creating%20an%20inbound%20trust%20that%20could%20allow%20an%20attacker%20in%20the%20trusting%20forest%20to%20request%20the%20delegation%20of%20a%20TGT%20for%20an%20identity%20from%20the%20trusted%20forest.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESo%20what%20does%20this%20all%20mean%3F%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELet's%20back%20up%20a%20little%20bit%20and%20do%20a%20brief%20explanation%20on%20Kerberos%20delegation.%3C%2FP%3E%0A%3CP%3EThere%20are%20three%20kinds%20of%20Kerberos%20delegation%20in%20Active%20Directory%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CP%3E%3CSTRONG%3EUnconstrained%3C%2FSTRONG%3E%3CBR%20%2F%3EWhen%20a%20Domain%20Administrator%20configures%20a%20service%E2%80%99s%20account%20to%20be%20trusted%20for%20unconstrained%20delegation%2C%20that%20service%20has%20the%20ability%20to%20impersonate%20any%20user%20account%20to%20any%20other%20service.%20This%20is%20the%20most%20insecure%20delegation%20option%2C%20because%20a%20service%20could%20impersonate%20any%20user%20to%20any%20other%20service%20it%20likes.%20For%20a%20regular%20user%20account%2C%20not%20so%20bad%2C%20but%20for%20a%20Domain%20Admin%20or%20an%20Enterprise%20Admin%2C%20a%20rogue%20service%20could%20request%20information%20from%20the%20domain%20or%20change%20user%20account%20or%20group%20permissions%20in%20the%20name%20of%20the%20privileged%20account.%20For%20this%20reason%2C%20unconstrained%20Kerberos%20delegation%20is%20a%20high%20security%20risk.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CP%3E%3CSTRONG%3EConstrained%3C%2FSTRONG%3E%3CBR%20%2F%3EFirst%20introduced%20with%20Windows%20Server%202003%2C%20constrained%20delegation%20allows%20an%20administrator%20to%20limit%20the%20services%20to%20which%20an%20impersonated%20account%20can%20connect%20to.%20Constrained%20delegation%20is%20difficult%20to%20configure%20and%20requires%20unique%20SPN's%20to%20be%20registered%20as%20well%20as%20Domain%20Admin%20rights%20to%20implement.%20Constrained%20delegation%20cannot%20cross%20domain%20or%20forest%20boundaries.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CP%3E%3CSTRONG%3EResource-based%20Constrained%3C%2FSTRONG%3E%3CBR%20%2F%3EFirst%20introduced%20with%20Windows%20Server%202012%2C%20Resource-based%20constrained%20delegation%20improved%20on%20the%20constrained%20delegation%20introduced%20with%20Windows%20Server%202003.%20It%20eliminated%20the%20need%20for%20SPNs%20by%20switching%20to%20security%20descriptors.%20This%20removed%20the%20need%20for%20Domain%20Admin%20rights%20to%20implement%20and%20allowed%20server%20administrators%20of%20backend%20services%20to%20control%20which%20service%20principals%20can%20request%20Kerberos%20tickets%20for%20another%20user.%20Resource%20based%20allows%20delegation%20across%20domain%20and%20forest%20boundaries.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EFor%20more%20information%20on%20Kerberos%20delegation%2C%20refer%20to%20this%20documentation%3A%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fsecurity%2Fkerberos%2Fkerberos-constrained-delegation-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EKerberos%20Constrained%20Delegation%20Overview%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAll%20currently%20supported%20versions%20of%20Windows%20Server%20that%20are%20utilized%20for%20Active%20Directory%20Domain%20controllers%20have%20this%20vulnerability%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CP%3E%3CSTRONG%3EWindows%20Server%202008%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CP%3E%3CSTRONG%3EWindows%20Server%202008%20R2%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CP%3E%3CSTRONG%3EWindows%20Server%202012%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CP%3E%3CSTRONG%3EWindows%20Server%202012%20R2%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CP%3E%3CSTRONG%3EWindows%20Server%202016%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CP%3E%3CSTRONG%3EWindows%20Server%202019%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ELet%E2%80%99s%20say%20you%20are%20responsible%20for%20the%20Contoso%20forest%20and%20you%20have%20a%20partner%20who%20owns%20the%20Fabrikam%20forest%20whose%20resources%20your%20users%20use.%20How%20could%20an%20attacker%20in%20Fabrikam%20take%20advantage%20of%20this%20vulnerability%3F%3C%2FP%3E%0A%3CP%3EFirst%2C%20they%20need%20to%20have%20the%20ability%20to%20configure%20a%20service%20they%20own%20to%20be%20trusted%20for%20unconstrained%20delegation.%20By%20default%2C%20this%20requires%20domain%20administrator%20privilege%20in%20the%20%3CA%20href%3D%22http%3A%2F%2Ffabrikam.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Efabrikam.com%3C%2FA%3E%20forest.%3C%2FP%3E%0A%3CP%3ENext%2C%20they%20need%20to%20get%20your%20user%20to%20authenticate%20their%20rogue%20service%20in%20your%20partner%E2%80%99s%20Fabrikam%20forest.%3C%2FP%3E%0A%3CP%3ENow%20they%20have%20your%20user%E2%80%99s%20TGT%20which%20they%20can%20use%20to%20authenticate%20to%20any%20service%20as%20that%20user.%3C%2FP%3E%0A%3CH2%20class%3D%22mume-header%22%20id%3D%22toc-hId-1705536451%22%20id%3D%22toc-hId-1705536451%22%20id%3D%22toc-hId-1705536451%22%20id%3D%22toc-hId-1705536451%22%20id%3D%22toc-hId-1705536451%22%20id%3D%22toc-hId-1705536451%22%20id%3D%22toc-hId-1705536451%22%20id%3D%22toc-hId-1705536451%22%20id%3D%22toc-hId-1705536451%22%20id%3D%22toc-hId-1705536451%22%20id%3D%22toc-hId-1705536451%22%20id%3D%22toc-hId-1705536451%22%20id%3D%22toc-hId-1705536451%22%20id%3D%22toc-hId-1705536451%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22technical-overview-of-the-vulnerability%22%20class%3D%22mume-header%22%20id%3D%22toc-hId--846620510%22%20id%3D%22toc-hId--846620510%22%20id%3D%22toc-hId--846620510%22%20id%3D%22toc-hId--846620510%22%20id%3D%22toc-hId--846620510%22%20id%3D%22toc-hId--846620510%22%20id%3D%22toc-hId--846620510%22%20id%3D%22toc-hId--846620510%22%20id%3D%22toc-hId--846620510%22%20id%3D%22toc-hId--846620510%22%20id%3D%22toc-hId--846620510%22%20id%3D%22toc-hId--846620510%22%20id%3D%22toc-hId--846620510%22%20id%3D%22toc-hId--846620510%22%3ETechnical%20Overview%20of%20the%20Vulnerability%3C%2FH2%3E%0A%3CP%3EAs%20a%20consequence%20of%20this%20vulnerability%20an%20attacker%20who%20has%20control%20of%20a%20forest%20with%20an%20inbound%20trust%20to%20another%20forest%20can%20request%20a%20TGT%20for%20a%20user%20in%20the%20trusted%20forest%20by%20enabling%20unconstrained%20delegation%20on%20a%20service%20principal%20in%20the%20trusting%20forest.%20The%20attacker%20would%20need%20to%20convince%20the%20user%20to%20authenticate%20to%20the%20resource%20in%20the%20trusting%20forest%20thereby%20allowing%20the%20attacker%20to%20request%20a%20delegated%20TGT.%3C%2FP%3E%0A%3CP%3ETo%20mitigate%20this%20vulnerability%2C%20a%20netdom%20command%20can%20be%20executed%20that%20will%20disable%20TGT%20delegation.%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EEnableTGTDelegation%3C%2FSTRONG%3E%20flag%20is%20enabled%20on%20Windows%20Server%202008%20and%20Windows%20Server%202008%20R2%20devices%20after%20installing%20the%20March%2012%2C%202019%20updates.%20Windows%20Server%202012%20and%20higher%2C%20the%20%3CSTRONG%3EEnableTGTDelegation%3C%2FSTRONG%3E%20flag%20is%20in%20the%20operating%20system%20out%20of%20the%20box.%3C%2FP%3E%0A%3CP%3ETGT%20delegation%20across%20an%20incoming%20trust%20can%20be%20disabled%20by%20setting%20the%20%3CSTRONG%3EEnableTGTDelegation%3C%2FSTRONG%3E%20flag%20to%20%3CSTRONG%3ENo%3C%2FSTRONG%3E%20on%20the%20trust%20using%20netdom.%3C%2FP%3E%0A%3CPRE%20class%3D%22language-cmd%22%20data-role%3D%22codeBlock%22%20data-info%3D%22cmd%22%3E%3CCODE%3Enetdom.exe%20trust%20fabrikam.com%20%2Fdomain%3Acontoso.com%20%2FEnableTGTDelegation%3ANo%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CUL%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EThis%20flag%20should%20be%20set%20in%20the%20trusted%20forest%20root%20domain%20(such%20as%20%3CA%20href%3D%22http%3A%2F%2Fcontoso.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Econtoso.com%3C%2FA%3E)%20for%20each%20trusting%20forest%20(such%20as%20%3CA%20href%3D%22http%3A%2F%2Ffabrikam.com%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Efabrikam.com%3C%2FA%3E).%20After%20the%20flag%20is%20set%2C%20the%20trusted%20forest%20will%20no%20longer%20allow%20TGTs%20to%20be%20delegated%20to%20the%20trusting%20forest.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EThe%20secure%20state%20is%20No.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EAny%20application%20or%20service%20that%20relies%20on%20unconstrained%20delegation%20across%20forests%20will%20fail.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EStarting%20with%20the%20March%202019%20security%20updates%2C%20this%20ability%20was%20backported%20to%20%3CSTRONG%3EWindows%20Server%202008%20and%202008%20R2%3C%2FSTRONG%3E.%20Below%20is%20the%20following%20timeline%20that%20Microsoft%20has%20announced%20to%20address%20this%20vulnerability%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EMarch%2012%2C%202019%3C%2FSTRONG%3E%3CBR%20%2F%3EAbility%20to%20disable%20TGT%20delegation%20added%20to%20Windows%20Server%202008%20and%202008%20R2.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EIMPORTANT%3C%2FSTRONG%3E%20-%20A%20known%20issue%20with%20this%20update%20has%20been%20discovered%20in%20relation%20to%20intra-forest%20scenarios%20and%20Windows%20Server%202008%2F2008R2.%20Authentication%20requests%20for%20accounts%20configured%20for%20unconstrained%20Kerberos%20delegation%20will%20incorrectly%20fail%20in%20intra-forest%20scenarios%20after%20the%20Kerberos%20ticket%20expires%20due%20to%20an%20issue%20that%20occurs%20after%20the%20March%202019%20updates.%3C%2FP%3E%0A%3CP%3EThe%20following%20updates%20are%20affected%20by%20this%20issue%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EWindows%20Server%202008%20SP2%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4489880%2Fwindows-server-2008-kb4489880%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMarch%2012%2C%202019%20%E2%80%94%20KB4489880%20(Monthly%20Rollup)%3C%2FA%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4489876%2Fwindows-server-2008-kb4489876%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMarch%2012%2C%202019%20%E2%80%94%20KB4489876%20(Security-only%20update)%3C%2FA%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4489887%2Fwindows-server-2008-update-kb4489887%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMarch%2019%2C%202019%20%E2%80%94%20KB4489887%20(Preview%20of%20Monthly%20Rollup)%3C%2FA%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EWindows%20Server%202008%20R2%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4489878%2Fwindows-7-update-kb4489878%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMarch%2012%2C%202019%20%E2%80%94%20KB4489878%20(Monthly%20Rollup)%3C%2FA%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4489885%2Fwindows-7-update-kb4489885%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMarch%2012%2C%202019%20%E2%80%94%20KB4489885%20(Security-only%20update)%3C%2FA%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4489892%2Fwindows-7-update-kb4489892%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EMarch%2019%2C%202019%20%E2%80%94%20KB4489892%20(Preview%20of%20Monthly%20Rollup)%3C%2FA%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EThe%20following%20workaround%20guidance%20is%20recommended%20if%20the%20update%20has%20been%20installed%3A%3C%2FP%3E%0A%3CP%3E%3CIMG%20src%3D%22https%3A%2F%2Fuser-images.githubusercontent.com%2F26909696%2F55690918-453d8100-595d-11e9-97a1-a037fb9f81b8.jpg%22%20border%3D%220%22%20alt%3D%22knownissue%22%20%2F%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EMay%2014%2C%202019%3C%2FSTRONG%3E%3CBR%20%2F%3EAn%20update%20will%20be%20released%20that%20will%20change%20the%20default%20behavior%20of%20%3CSTRONG%3EEnableTGTDelegation%3C%2FSTRONG%3E%20to%20add%20a%20safe%20default%20configuration.%20If%20delegation%20is%20required%20across%20trusts%2C%20this%20flag%20should%20be%20set%20to%20%3CSTRONG%3EYes%3C%2FSTRONG%3E%20before%20the%20July%202019%20updates%20are%20installed.%20After%20this%20update%2C%20any%20newly%20created%20trusts%20will%20have%20the%20new%20default%20of%20%3CSTRONG%3EEnableTGTDelegation%3C%2FSTRONG%3E%20trust%20flag%20set%20to%20%3CSTRONG%3ENo%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EJuly%209%2C%202019%3C%2FSTRONG%3E%3CBR%20%2F%3EAn%20update%20will%20be%20released%20that%20will%20force%20the%20trust%20flag%20on%20%3CSTRONG%3Eexisting%3C%2FSTRONG%3E%20trusts%20and%20disable%20TGT%20delegation%20by%20default.%20Any%20trust%20that%20has%20been%20configured%20to%20continue%20using%20delegation%20after%20May%2014%2C%202019%20will%20not%20be%20affected.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20July%202019%20update%20cycle%20is%20the%20one%20that%20could%20cause%20issues%20in%20an%20existing%20environment.%20After%20those%20month's%20updates%20are%20installed%2C%20any%20existing%20forest%20trusts%20will%20have%20TGT%20delegation%20disabled%20by%20default.%20This%20could%20cause%20applications%20and%20services%20to%20fail%20that%20require%20unconstrained%20delegation%20across%20a%20trust.%20Because%20of%20the%20possibility%20of%20this%20issue%20affecting%20customers%2C%20it%20is%20recommended%20that%20you%20start%20evaluating%20applications%20and%20accounts%20that%20might%20be%20affected%20by%20this%20change%20as%20soon%20as%20possible.%3C%2FP%3E%0A%3CP%3ETo%20help%20determine%20if%20any%20applications%20or%20accounts%20are%20using%20the%20unsafe%20delegation%2C%20use%20the%20following%20resources%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EPowerShell%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%0A%3CP%3EA%20quick%20command%20can%20be%20run%20against%20a%20trust%20from%20PowerShell%20that%20will%20determine%20if%20the%20flag%20is%20set%20on%20an%20inbound%20trust.%20Run%20this%20command%20from%20the%20forest%20that%20has%20the%20inbound%20trust%3A%3C%2FP%3E%0A%3CPRE%20class%3D%22language-powershell%22%20data-role%3D%22codeBlock%22%20data-info%3D%22powershell%22%3EGet%3CSPAN%20class%3D%22token%20operator%22%3E-%3C%2FSPAN%3EADTrust%20%3CSPAN%20class%3D%22token%20operator%22%3E-%3C%2FSPAN%3E%3CSPAN%20class%3D%22token%20keyword%22%3EFilter%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22token%20punctuation%22%3E%7B%3C%2FSPAN%3EDirection%20%3CSPAN%20class%3D%22token%20operator%22%3E-eq%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22token%20string%22%3E%22Inbound%22%3C%2FSPAN%3E%3CSPAN%20class%3D%22token%20punctuation%22%3E%7D%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22token%20punctuation%22%3E%7C%3C%2FSPAN%3E%20%3CSPAN%20class%3D%22token%20function%22%3Eft%3C%2FSPAN%3E%20Name%3CSPAN%20class%3D%22token%20punctuation%22%3E%2C%3C%2FSPAN%3ETGTDelegation%0A%3C%2FPRE%3E%0A%3CP%3EThe%20value%20returned%20from%20the%20above%20command%20is%20counterintuitive%20and%20is%20backwards%20from%20what%20you%20might%20expect%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EFALSE%3C%2FSTRONG%3E%20-%20A%20return%20of%20false%20means%20that%20the%20delegation%20is%20enabled%20and%20is%20in%20the%20unsafe%20state.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3ETRUE%3C%2FSTRONG%3E%20-%20A%20return%20of%20true%20indicates%20that%20the%20delegation%20is%20disabled%20and%20is%20in%20the%20safe%20state.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3EA%20script%20has%20been%20created%20that%20can%20scan%20forests%20that%20have%20incoming%20trusts%20that%20allow%20TGT%20delegation.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3ERefer%20to%20this%20support%20article%20for%20the%20PowerShell%20code%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4490425%2Fupdates-to-tgt-delegation-across-incoming-trusts-in-windows-server%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EKB4490425%20-%20Updates%20to%20TGT%20delegation%20across%20incoming%20trusts%20in%20Windows%20Server%3C%2FA%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3ECopy%20and%20Paste%20the%20code%20from%20the%20support%20article%20into%20a%20file%20named%20%3CSTRONG%3EGet-RiskyServiceAccountsByTrust.ps1%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3EThere%20are%20two%20options%20switches%20that%20the%20script%20can%20be%20executed%20with%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3E-Collect%3C%2FSTRONG%3E%20will%20output%20any%20principals%20that%20have%20unconstrained%20delegation.%3C%2FP%3E%0A%3CPRE%20class%3D%22language-cmd%22%20data-role%3D%22codeBlock%22%20data-info%3D%22cmd%22%3E%3CCODE%3EGet-RiskyServiceAccountByTrust.ps1%20-Collect%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3E-Collect%20-Scanall%3C%2FSTRONG%3E%20will%20output%20security%20principals%20that%20have%20unconstrained%20delegation%20and%20search%20across%20trusts%20that%20do%20not%20allow%20TGT%20delegation%3C%2FP%3E%0A%3CPRE%20class%3D%22language-cmd%22%20data-role%3D%22codeBlock%22%20data-info%3D%22cmd%22%3E%3CCODE%3EGet-RiskyServiceAccountByTrust.ps1%20-Collect%20-ScanAll%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CSTRONG%3EExample%20of%20Output%3C%2FSTRONG%3E%3A%3CBR%20%2F%3E%3CIMG%20src%3D%22https%3A%2F%2Fuser-images.githubusercontent.com%2F26909696%2F55266886-3106cf00-524d-11e9-828e-8728879b232c.jpg%22%20border%3D%220%22%20alt%3D%22PoSHOutput.jpg%22%20%2F%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EEvent%20Viewer%2FEvent%20Logs%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%0A%3CP%3EIn%20an%20Active%20Directory%20domain%20when%20a%20Kerberos%20ticket%20is%20issued%2C%20the%20domain%20controller%20logs%20security%20events.%20These%20events%20contain%20information%20about%20the%20target%20domain%20and%20can%20be%20utilized%20to%20determine%20whether%20unconstrained%20delegation%20is%20being%20used%20across%20incoming%20trusts.%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%0A%3CP%3ECheck%20for%20events%20that%20contain%20a%20%3CSTRONG%3ETargetDomainName%3C%2FSTRONG%3E%20value%20that%20matches%20the%20trusted%20forest%20name.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3ECheck%20for%20events%20that%20contain%20a%20%3CSTRONG%3ETicketOptions%3C%2FSTRONG%3E%20value%20that%20contains%20the%20%3CSTRONG%3Eok_as_delegate%3C%2FSTRONG%3E%20flag%20(0x00040000)%3CBR%20%2F%3E%3CIMG%20src%3D%22https%3A%2F%2Fuser-images.githubusercontent.com%2F26909696%2F55169601-12b4ac80-5143-11e9-81c4-c3be6c05fae7.jpg%22%20border%3D%220%22%20alt%3D%22TGTEventLogID.jpg%22%20%2F%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH2%20class%3D%22mume-header%22%20id%3D%22toc-hId-896189825%22%20id%3D%22toc-hId-896189825%22%20id%3D%22toc-hId-896189825%22%20id%3D%22toc-hId-896189825%22%20id%3D%22toc-hId-896189825%22%20id%3D%22toc-hId-896189825%22%20id%3D%22toc-hId-896189825%22%20id%3D%22toc-hId-896189825%22%20id%3D%22toc-hId-896189825%22%20id%3D%22toc-hId-896189825%22%20id%3D%22toc-hId-896189825%22%20id%3D%22toc-hId-896189825%22%20id%3D%22toc-hId-896189825%22%20id%3D%22toc-hId-896189825%22%3E%26nbsp%3B%3C%2FH2%3E%0A%3CH2%20id%3D%22next-steps%22%20class%3D%22mume-header%22%20id%3D%22toc-hId--1655967136%22%20id%3D%22toc-hId--1655967136%22%20id%3D%22toc-hId--1655967136%22%20id%3D%22toc-hId--1655967136%22%20id%3D%22toc-hId--1655967136%22%20id%3D%22toc-hId--1655967136%22%20id%3D%22toc-hId--1655967136%22%20id%3D%22toc-hId--1655967136%22%20id%3D%22toc-hId--1655967136%22%20id%3D%22toc-hId--1655967136%22%20id%3D%22toc-hId--1655967136%22%20id%3D%22toc-hId--1655967136%22%20id%3D%22toc-hId--1655967136%22%20id%3D%22toc-hId--1655967136%22%3ENext%20Steps%3C%2FH2%3E%0A%3CUL%3E%0A%3CLI%3E%0A%3CP%3EUpdate%20any%20Windows%20Server%202008%20or%202008%20R2%20domain%20controllers%20with%20the%20March%202019%20security%20updates%20as%20soon%20as%20possible.%20%3CSTRONG%3EView%20known%20issues%20above%20before%20proceeding%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3EDetermine%20the%20applications%20and%20accounts%20that%20could%20be%20affected%20now%2C%20and%20if%20there%20aren't%20any%2C%20and%20a%20trust%20is%20in%20place%2C%20disable%20the%20delegation%20as%20soon%20as%20possible%20to%20be%20in%20a%20safe%20configuration.%3C%2FP%3E%0A%3CPRE%20class%3D%22language-cmd%22%20data-role%3D%22codeBlock%22%20data-info%3D%22cmd%22%3E%3CCODE%3Enetdom.exe%20trust%20fabrikam.com%20%2Fdomain%3Acontoso.com%20%2FEnableTGTDelegation%3ANo%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3EApplications%20that%20rely%20on%20unconstrained%20delegation%20should%20be%20configured%20to%20use%20resource-constrained%20delegation.%20See%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fsecurity%2Fkerberos%2Fkerberos-constrained-delegation-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EKerberos%20Constrained%20Delegation%20Overview%3C%2FA%3E%20for%20more%20information.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3EOnce%20you%20have%20set%20the%20applications%20to%20resource-based%20constrained%20delegation%2C%20set%20the%20flag%20to%20%3CSTRONG%3ENo%3C%2FSTRONG%3E.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3EIf%20it's%20determined%20that%20applications%20or%20accounts%20do%20exist%20that%20require%20this%20delegation%20in%20the%20environment%2C%20then%20set%20the%20flag%20to%20%3CSTRONG%3EYes%3C%2FSTRONG%3E%2C%20%3CSTRONG%3EBEFORE%3C%2FSTRONG%3E%20the%20July%202019%20updates.%20This%20is%20not%20recommended%20and%20should%20be%20avoided.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH3%20class%3D%22mume-header%22%20id%3D%22toc-hId--109670306%22%20id%3D%22toc-hId--109670306%22%20id%3D%22toc-hId--109670306%22%20id%3D%22toc-hId--109670306%22%20id%3D%22toc-hId--109670306%22%20id%3D%22toc-hId--109670306%22%20id%3D%22toc-hId--109670306%22%20id%3D%22toc-hId--109670306%22%20id%3D%22toc-hId--109670306%22%20id%3D%22toc-hId--109670306%22%20id%3D%22toc-hId--109670306%22%20id%3D%22toc-hId--109670306%22%20id%3D%22toc-hId--109670306%22%20id%3D%22toc-hId--109670306%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22important-resources-and-links%22%20class%3D%22mume-header%22%20id%3D%22toc-hId-1633140029%22%20id%3D%22toc-hId-1633140029%22%20id%3D%22toc-hId-1633140029%22%20id%3D%22toc-hId-1633140029%22%20id%3D%22toc-hId-1633140029%22%20id%3D%22toc-hId-1633140029%22%20id%3D%22toc-hId-1633140029%22%20id%3D%22toc-hId-1633140029%22%20id%3D%22toc-hId-1633140029%22%20id%3D%22toc-hId-1633140029%22%20id%3D%22toc-hId-1633140029%22%20id%3D%22toc-hId-1633140029%22%20id%3D%22toc-hId-1633140029%22%20id%3D%22toc-hId-1633140029%22%3EImportant%20Resources%20and%20Links%3C%2FH3%3E%0A%3CUL%3E%0A%3CLI%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4490425%2Fupdates-to-tgt-delegation-across-incoming-trusts-in-windows-server%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EKB4490425%20-%20Updates%20to%20TGT%20delegation%20across%20incoming%20trusts%20in%20Windows%20Server%3C%2FA%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fportal.msrc.microsoft.com%2Fen-us%2Fsecurity-guidance%2Fadvisory%2FADV190006%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EADV190006%20-%20Guidance%20to%20mitigate%20unconstrained%20delegation%20vulnerabilities%3C%2FA%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows-server%2Fsecurity%2Fkerberos%2Fkerberos-constrained-delegation-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EKerberos%20Constrained%20Delegation%20Overview%3C%2FA%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fblogs.technet.microsoft.com%2F389thoughts%2F2017%2F04%2F18%2Fget-rid-of-accounts-that-use-kerberos-unconstrained-delegation%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EGet%20rid%20of%20accounts%20that%20use%20Kerberos%20Unconstrained%20Delegation%3C%2FA%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fwww.petri.com%2Funderstanding-kerberos-delegation-in-windows-server-active-directory%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EUnderstanding%20Kerberos%20Delegation%20in%20Windows%20Server%20Active%20Directory%3C%2FA%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fposts.specterops.io%2Fhunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EHunting%20in%20Active%20Directory%3A%20Unconstrained%20Delegation%20%26amp%3B%20Forests%20Trusts%3C%2FA%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CH3%20class%3D%22mume-header%22%20id%3D%22toc-hId--919016932%22%20id%3D%22toc-hId--919016932%22%20id%3D%22toc-hId--919016932%22%20id%3D%22toc-hId--919016932%22%20id%3D%22toc-hId--919016932%22%20id%3D%22toc-hId--919016932%22%20id%3D%22toc-hId--919016932%22%20id%3D%22toc-hId--919016932%22%20id%3D%22toc-hId--919016932%22%20id%3D%22toc-hId--919016932%22%20id%3D%22toc-hId--919016932%22%20id%3D%22toc-hId--919016932%22%20id%3D%22toc-hId--919016932%22%20id%3D%22toc-hId--919016932%22%3E%26nbsp%3B%3C%2FH3%3E%0A%3CH3%20id%3D%22acknowledgements%22%20class%3D%22mume-header%22%20id%3D%22toc-hId-823793403%22%20id%3D%22toc-hId-823793403%22%20id%3D%22toc-hId-823793403%22%20id%3D%22toc-hId-823793403%22%20id%3D%22toc-hId-823793403%22%20id%3D%22toc-hId-823793403%22%20id%3D%22toc-hId-823793403%22%20id%3D%22toc-hId-823793403%22%20id%3D%22toc-hId-823793403%22%20id%3D%22toc-hId-823793403%22%20id%3D%22toc-hId-823793403%22%20id%3D%22toc-hId-823793403%22%20id%3D%22toc-hId-823793403%22%20id%3D%22toc-hId-823793403%22%3EAcknowledgements%3C%2FH3%3E%0A%3CP%3EI%20would%20like%20to%20thank%20the%20following%20people%20for%20helping%20pull%20this%20post%20together%20and%20provide%20content%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EAlan%20La%20Pietra%20-%20Microsoft%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EDavid%20Loder%20-%20Microsoft%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3ESteve%20Syfuhs%20-%20Microsoft%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EBrandon%20Wilson%20%E2%80%93%20Microsoft%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EMichiko%20Short%20-%20Microsoft%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EPaul%20Miller%20-%20Microsoft%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-440283%22%20slang%3D%22en-US%22%3E%3CP%3EHello%20Everyone!%20Allen%20Sudbring%20here%2C%20Premier%20Field%20Engineer%20at%20Microsoft.%20Today%20I'm%20putting%20a%20post%20out%20to%20get%20some%20critical%20information%20to%20everyone%20who%20supports%20Windows%20Server%20and%20Active%20Directory%20Domain%20Services.%3C%2FP%3E%0A%3CP%3EIf%20you%20haven%E2%80%99t%20seen%20the%20KB%20article%20that%20this%20post%20references%20I%20encourage%20you%20to%20check%20out%20its%20content%2C%20I%20promise%20it%E2%80%99s%20important!%3C%2FP%3E%0A%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4490425%2Fupdates-to-tgt-delegation-across-incoming-trusts-in-windows-server%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%20target%3D%22_blank%22%3EKB4490425%20-%20Updates%20to%20TGT%20delegation%20across%20incoming%20trusts%20in%20Windows%20Server%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-440283%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3Eallen%20sudbring%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EProductAnnoucement%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-758528%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-758528%22%20slang%3D%22en-US%22%3ECan%20you%20explain%20in%20more%20details%20how%20third%20party%20applications%20can%20check%20the%20%22trustattribute%22%20attribute%20of%20the%20trust%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-adts%2Fe9a2d23c-c31e-4a6f-88a0-6646fdb51a3c%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-adts%2Fe9a2d23c-c31e-4a6f-88a0-6646fdb51a3c%3C%2FA%3E)%20to%20know%20if%20the%20trust%20is%20safe%20or%20not%20%3F%20(your%20powershell%20script%20relies%20on%20c%23%20classes%20which%20does%20check%20the%20trustattribute%20value)%20My%20understanding%20is%3A%208%20(forest%20trust)%20%3D%20unsafe%20and%20520%20(forest%20trust%20%2B%20no%20TGT%20delegation)%20%3D%20safe%20My%20problem%20is%20that%3A%20-%20default%20flag%20for%20creating%20a%20forest%20for%20years%20%3D%208%20-%20new%20flag%20after%20new%20trust%20created%20today%20on%20update%20Windows%20%3D%208%20-%20when%20%2FEnableTGTDelegation%3ANo%20%3D%208%20-%20when%20%2FEnableTGTDelegation%3AYes%20%3D%20520%20Is%20the%20new%20trust%20safe%20or%20should%20the%20flag%20be%20changed%20manually%20from%208%20to%20520%20%3F%20(aka%2C%20is%20the%20update%20in%20production%3F)%20Thanks%20in%20advance%20best%20regards%2C%20Vincent%20LE%20TOUX%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-758556%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-758556%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F341876%22%20target%3D%22_blank%22%3E%40RossUA%3C%2FA%3Esorry%20for%20the%20late%20response%3C%2FP%3E%0A%3CP%3EThe%20bold%20text%20under%20the%20command%20states%20what%20you%20have%20confirmed.%20Flag%20should%20be%20set%20in%20Trusted%20forest%20for%20each%20Trusting%20forest%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETGT%20delegation%20across%20an%20incoming%20trust%20can%20be%20disabled%20by%20setting%20the%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3EEnableTGTDelegation%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eflag%20to%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CSTRONG%3ENo%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3Eon%20the%20trust%20using%20netdom.%3C%2FP%3E%0A%3CPRE%20class%3D%22language-cmd%22%20data-role%3D%22codeBlock%22%20data-info%3D%22cmd%22%3E%3CCODE%3Enetdom.exe%20trust%20contoso.com%20%2Fdomain%3Afabrikam.com%20%2FEnableTGTDelegation%3ANo%0A%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CUL%3E%0A%3CLI%3E%0A%3CP%3E%3CSTRONG%3EThis%20flag%20should%20be%20set%20in%20the%20trusted%20forest%20root%20domain%20(such%20as%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Fcontoso.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Econtoso.com%3C%2FA%3E)%20for%20each%20trusting%20forest%20(such%20as%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E%3CA%20href%3D%22http%3A%2F%2Ffabrikam.com%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Efabrikam.com%3C%2FA%3E).%20After%20the%20flag%20is%20set%2C%3C%2FSTRONG%3E%3CSTRONG%3Ethe%20trusted%20forest%20will%20no%20longer%20allow%20TGTs%20to%20be%20delegated%20to%20the%20trusting%20forest.%3C%2FSTRONG%3E%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3ERegards%3C%2FP%3E%0A%3CP%3EAlan%26nbsp%3B%40PFE%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-758561%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-758561%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377518%22%20target%3D%22_blank%22%3E%40vletoux%3C%2FA%3EHi%20Sir%2C%20sorry%20for%20the%20late%20response%3C%2FP%3E%0A%3CP%3EI%20didn't%20quite%20understand%20you%20question.%20If%20you%20have%20installed%20July%20update%20you%20should%20have%20%22TGTDelegation%20Disabled%20%3D%20safe%22%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20still%20change%20this%20value%20to%20Enabled%20in%20your%20org%20if%20required%2C%20but%20absolutely%20not%20recommended%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EAlan%26nbsp%3B%40PFE%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-758573%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-758573%22%20slang%3D%22en-US%22%3EHi%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%2C%20I'm%20not%20a%20noob%20regarding%20Active%20Directory%20security%20and%20especially%20about%20trusts%20%26amp%3B%20kerberos%20(search%20for%20my%20name)%20The%20post%20is%20very%20explicit%20regarding%20the%20manipulation%20that%20needs%20to%20be%20performed%20using%20netdom.%20The%20root%20cause%20of%20my%20question%20was%20to%20understand%20how%20did%20you%20enforce%20technically%20the%20TGTDelegation%20flag%20to%20check%20if%20it%20is%20enabled%20or%20not%20using%20third%20party%20software.%20(I'm%20editing%20the%20audit%20software%20named%20PingCastle%20-%20all%20audit%20software%20checks%20it%20with%20LDAP%20queries)%20So%20I%20built%20a%20lab%20just%20for%20it%20and%20the%20result%20is%20that%20I'm%20not%20able%20to%20know%20if%20the%20trust%20is%20protected%20or%20not%20against%20the%20TGT%20delegation%20issue.%20Using%20the%20latest%20iso%20of%20Windows%202019%2C%20with%20all%20updated%20applied%2C%20if%20I%20create%20a%20trust%20now%2C%20the%20trust%20is%20not%20indicated%20as%20protected%20by%20netdom.%20Has%20the%20update%20been%20cancelled%20%3F%20I%20think%20there%20is%20a%20misunderstanding%20that%2C%20because%20it%20is%20written%20that%20you%20should%20set%20a%20flag%20to%20set%20it%20as%20unsecure%2C%20but%20technically%2C%20you%20have%20to%20set%20a%20flag%20to%20set%20it%20as%20secure%20(whose%20name%20is%20TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION).%20best%20regards%2C%20Vincent%20LE%20TOUX%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-822518%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-822518%22%20slang%3D%22en-US%22%3E%3CP%3EHello%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%26nbsp%3B%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20looks%20like%20%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F4490425%2Fupdates-to-tgt-delegation-across-incoming-trusts-in-windows-server%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ethis%3C%2FA%3Earticle%20has%20been%20updated%20to%20reflect%20the%20proper%20order%20of%20the%20command.%20So%20it%20is%20true%2C%20that%20for%20this%20netdom%20trust%20command%2C%20TrustedDomain%20should%20come%20first%20and%20Trusting%20Domain%20should%20go%20second%20after%20%2Fdomain%3A%20switch.%20Could%20be%20also%20a%20good%20idea%2C%20to%20make%20a%20note%20about%20this%20reverse%20order%20in%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fprevious-versions%2Fwindows%2Fit-pro%2Fwindows-server-2012-R2-and-2012%2Fcc835085(v%3Dws.11)%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Enetdom%20documentation%3C%2FA%3E%26nbsp%3Bas%20all%20other%20netdom%20trust%20commands%20are%20run%20in%20reverse%20order.%20Maybe%20it%20is%20also%20good%20idea%20to%20update%20this%20article%2C%20as%20it%20says%20the%20opposite%3A%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20917px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F128504iE84395E31E336EBF%2Fimage-dimensions%2F917x94%3Fv%3D1.0%22%20width%3D%22917%22%20height%3D%2294%22%20alt%3D%22clipboard_image_0.png%22%20title%3D%22clipboard_image_0.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBut%20I%20support%20the%20question%20asked%20by%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F377518%22%20target%3D%22_blank%22%3E%40vletoux%3C%2FA%3E%26nbsp%3Band%20can%20add%2C%20that%20verification%20of%20this%20setting%20is%20not%20working%20with%20netdom.%20I%20have%20run%20this%20command%20in%203%20different%20forests%20for%20few%20different%20trusting%20domain%2Fforests%20and%20the%20result%20is%20always%20that%20TGT%20Delegation%20is%20Enabled%20(despite%20that%20trust%20flags%20for%20most%20domains%20are%200x0%2C%20for%20one%200x4%2C%20for%20another%200x8%20and%20one%20more%20has%200x800)%3C%2FP%3E%3CPRE%3EC%3A%5CWindows%5Csystem32%26gt%3Bnetdom%20trust%20contoso.com%20%2Fdomain%3Afabrikam.com%3CFONT%20color%3D%22%23FF0000%22%3E%20%2FEnableTGTDelegation%3C%2FFONT%3E%0ATGT%20Delegation%20%3CFONT%20color%3D%22%23FF0000%22%3Eis%20enabled.%3C%2FFONT%3E%0A%0AThe%20command%20completed%20successfully.%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20suppose%200x800%20is%20where%20the%20delegation%20is%20explicitly%20enabled%2C%20but%20it%20is%20not%20present%20in%20the%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fopenspecs%2Fwindows_protocols%2Fms-adts%2Fe9a2d23c-c31e-4a6f-88a0-6646fdb51a3c%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Edocumentation%3C%2FA%3E.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20it%20enough%20to%20assume%20that%20if%20July%20update%20is%20installed%20and%20trustAttributes%20does%20not%20contain%200x800%20bit%2C%20then%20TGT%20delegation%20is%20%3CSTRONG%3Enot%3C%2FSTRONG%3EEnabled%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20400px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F128508i33B4D092F2904CAA%2Fimage-size%2Fmedium%3Fv%3D1.0%26amp%3Bpx%3D400%22%20alt%3D%22clipboard_image_1.png%22%20title%3D%22clipboard_image_1.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EBest%20regards%2C%3C%2FP%3E%3CP%3ERoss%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-822531%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-822531%22%20slang%3D%22en-US%22%3EFYI%2C%20I'm%20asking%20for%20an%20update%20of%20MS-ADTS%20about%20this%20new%20flag%20value.%20Please%20see%20the%20thread%20here%3A%20%3CA%20href%3D%22https%3A%2F%2Fsocial.msdn.microsoft.com%2FForums%2Fen-US%2F385d30ad-acf5-4fe6-ab5d-1ab01bb0f37f%2Fmsadts-61679-trustattributes%3Fforum%3Dos_windowsprotocols%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsocial.msdn.microsoft.com%2FForums%2Fen-US%2F385d30ad-acf5-4fe6-ab5d-1ab01bb0f37f%2Fmsadts-61679-trustattributes%3Fforum%3Dos_windowsprotocols%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-852852%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-852852%22%20slang%3D%22en-US%22%3E%3CP%3Esuggest%20to%20update%20your%20one%20PS%20to%3A%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-csharp%22%3E%3CCODE%3EGet-ADTrust%20-Filter%20*%20%7C%20ft%20Name%2CDirection%2CTGTDelegation%20-a%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EAlso%20on%202008%20R2%20domain%20I%20got%3C%2FP%3E%3CP%3EWARNING%3A%20Failed%20to%20query%20ABC.CORP.%20Consider%20investigating%20seperately.%20One%20or%20more%20properties%20are%20invalid.%3CBR%20%2F%3EParameter%20name%3A%20msDS-AllowedToActOnBehalfOfOtherIdentity%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20need%20to%20comment%20out%20the%20%3CFONT%20face%3D%22arial%20black%2Cavant%20garde%22%3EmsDS-AllowedToActOnBehalfOfOtherIdentity%3C%2FFONT%3E%20in%20the%20script%20to%20make%20it%20run.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EStill%20confused%20if%20the%20%22TGTDelegation%22%20%3D%20FALSE%20can%20be%20relied%20on.%3C%2FP%3E%3CP%3EAlso%20with%20the%20comments%20about%20NETDOM%20here%20we%20got%20further%20uncertainty%20what%20the%20status%20of%20TGTDelegation%20is%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-854131%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-854131%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F85517%22%20target%3D%22_blank%22%3E%40Tilo%20S%3C%2FA%3E%3C%2FP%3E%0A%3CP%3Eas%20stated%20in%20the%20article%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CP%3E%3CSTRONG%3EFALSE%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E-%20A%20return%20of%20false%20means%20that%20the%20delegation%20is%20enabled%20and%20is%20in%20the%20unsafe%20state.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3CLI%3E%3CP%3E%3CSTRONG%3ETRUE%3C%2FSTRONG%3E%3CSPAN%3E%26nbsp%3B%3C%2FSPAN%3E-%20A%20return%20of%20true%20indicates%20that%20the%20delegation%20is%20disabled%20and%20is%20in%20the%20safe%20state.%3C%2FP%3E%0A%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EFor%20%3CSPAN%3EmsDS-AllowedToActOnBehalfOfOtherIdentity%20you%20can%26nbsp%3B%3C%2FSPAN%3Etry%20to%20comment%20(%23)%20the%20three%20lines%20in%20the%20script%20where%20that%20attribute%20is%20listed%3C%2FP%3E%0A%3CPRE%20class%3D%22ng-scope%22%3E(msDS-AllowedToActOnBehalfOfOtherIdentity%3D*)%26nbsp%3B%3C%2FPRE%3E%0A%3CPRE%20class%3D%22ng-scope%22%3E%22msDS-AllowedToActOnBehalfOfOtherIdentity%22%20%3C%2FPRE%3E%0A%3CPRE%20class%3D%22ng-scope%22%3E%24resourceDelegation%20%3D%20%24account.'msDS-AllowedToActOnBehalfOfOtherIdentity'%20-ne%20%24null%20%26nbsp%3B%26nbsp%3B%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-854264%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-854264%22%20slang%3D%22en-US%22%3E%3CDIV%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F87965%22%20target%3D%22_blank%22%3E%40Alan%20La%20Pietra%3C%2FA%3E%26nbsp%3B%3CFONT%3E%2C%20this%20can't%20be%20true.%20I%20have%20just%20checked%203%20different%20fully%20patched%20environments%20and%20for%20all%20trusts%2C%20TGTDelegation%20parameter%20is%20reported%20to%20be%20False.%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3ESo%2C%20either%20Get-ADTrust%20command%20is%20returning%20wrong%20results%2C%20or%20July%202019%20patch%20didn't%20close%20vulnerability%20after%20all.%20It%20would%20be%20nice%20if%20we%20get%20any%20information%20on%20which%20one%20is%20wrong%2C%20actually.%3C%2FFONT%3E%3C%2FDIV%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-951650%22%20slang%3D%22en-US%22%3ERe%3A%20Changes%20to%20Ticket-Granting%20Ticket%20(TGT)%20Delegation%20Across%20Trusts%20in%20Windows%20Server%20(PFE%20edition)%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-951650%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EThis%20is%20all%20good%20and%20fine%20but%20how%20can%20we%20restore%20%22TGT%20Delegation%22%20in%20a%20MIT%20Kerberos%20Trust%20(and%20not%20a%20Forest-One)%20%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EMy%20servers%20principals%20are%20in%20the%20MIT%20Domain%20and%20we%20want%20to%20allow%20users%20to%20ssh-connect%20as%20their%20username%20and%20then%20been%20able%20to%20change%20privileges%20using%20%22ksu%22%20to%20some%20privileged%20accounts.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EUsing%20GPO%20the%20Kerberos%20realm%20as%20been%20defined%20with%20flag%200x4%20and%20adequate%20dns%20mapping%2C%20servers%20principals%20have%20the%20%22OK_AS_DELEGATE%22%20and%26nbsp%3B%20%22OK_TO_AUTH_AS_DELEGATE%22%20flags%2C%20this%20worked%20fine%20up%20until%20the%20update....%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Hello Everyone! Allen Sudbring here, Premier Field Engineer at Microsoft. Today I'm putting a post out to get some critical information to everyone who supports Windows Server and Active Directory Domain Services.

If you haven’t seen the KB article that this post references I encourage you to check out its content, I promise it’s important!

KB4490425 - Updates to TGT delegation across incoming trusts in Windows Server

 

With the introduction of Windows Server 2012, a new feature was added to Active Directory Domain Services that enforced the forest boundary for Kerberos unconstrained delegation. This allowed an administrator of a trusted forest to configure whether TGTs can be delegated to a service in the trusting forest. Unfortunately, an unsafe, default configuration exists within this feature when creating an inbound trust that could allow an attacker in the trusting forest to request the delegation of a TGT for an identity from the trusted forest.

 

So what does this all mean?

 

Let's back up a little bit and do a brief explanation on Kerberos delegation.

There are three kinds of Kerberos delegation in Active Directory:

  • Unconstrained
    When a Domain Administrator configures a service’s account to be trusted for unconstrained delegation, that service has the ability to impersonate any user account to any other service. This is the most insecure delegation option, because a service could impersonate any user to any other service it likes. For a regular user account, not so bad, but for a Domain Admin or an Enterprise Admin, a rogue service could request information from the domain or change user account or group permissions in the name of the privileged account. For this reason, unconstrained Kerberos delegation is a high security risk.

  • Constrained
    First introduced with Windows Server 2003, constrained delegation allows an administrator to limit the services to which an impersonated account can connect to. Constrained delegation is difficult to configure and requires unique SPN's to be registered as well as Domain Admin rights to implement. Constrained delegation cannot cross domain or forest boundaries.

  • Resource-based Constrained
    First introduced with Windows Server 2012, Resource-based constrained delegation improved on the constrained delegation introduced with Windows Server 2003. It eliminated the need for SPNs by switching to security descriptors. This removed the need for Domain Admin rights to implement and allowed server administrators of backend services to control which service principals can request Kerberos tickets for another user. Resource based allows delegation across domain and forest boundaries.

For more information on Kerberos delegation, refer to this documentation:

Kerberos Constrained Delegation Overview

 

All currently supported versions of Windows Server that are utilized for Active Directory Domain controllers have this vulnerability:

  • Windows Server 2008

  • Windows Server 2008 R2

  • Windows Server 2012

  • Windows Server 2012 R2

  • Windows Server 2016

  • Windows Server 2019

 

Let’s say you are responsible for the Contoso forest and you have a partner who owns the Fabrikam forest whose resources your users use. How could an attacker in Fabrikam take advantage of this vulnerability?

First, they need to have the ability to configure a service they own to be trusted for unconstrained delegation. By default, this requires domain administrator privilege in the fabrikam.com forest.

Next, they need to get your user to authenticate their rogue service in your partner’s Fabrikam forest.

Now they have your user’s TGT which they can use to authenticate to any service as that user.

 

Technical Overview of the Vulnerability

As a consequence of this vulnerability an attacker who has control of a forest with an inbound trust to another forest can request a TGT for a user in the trusted forest by enabling unconstrained delegation on a service principal in the trusting forest. The attacker would need to convince the user to authenticate to the resource in the trusting forest thereby allowing the attacker to request a delegated TGT.

To mitigate this vulnerability, a netdom command can be executed that will disable TGT delegation.

EnableTGTDelegation flag is enabled on Windows Server 2008 and Windows Server 2008 R2 devices after installing the March 12, 2019 updates. Windows Server 2012 and higher, the EnableTGTDelegation flag is in the operating system out of the box.

TGT delegation across an incoming trust can be disabled by setting the EnableTGTDelegation flag to No on the trust using netdom.

netdom.exe trust fabrikam.com /domain:contoso.com /EnableTGTDelegation:No
  • This flag should be set in the trusted forest root domain (such as contoso.com) for each trusting forest (such as fabrikam.com). After the flag is set, the trusted forest will no longer allow TGTs to be delegated to the trusting forest.

  • The secure state is No.

  • Any application or service that relies on unconstrained delegation across forests will fail.

 

Starting with the March 2019 security updates, this ability was backported to Windows Server 2008 and 2008 R2. Below is the following timeline that Microsoft has announced to address this vulnerability:

  • March 12, 2019
    Ability to disable TGT delegation added to Windows Server 2008 and 2008 R2.

    The following workaround guidance is recommended if the update has been installed:

    knownissue

  • May 14, 2019
    An update will be released that will change the default behavior of EnableTGTDelegation to add a safe default configuration. If delegation is required across trusts, this flag should be set to Yes before the July 2019 updates are installed. After this update, any newly created trusts will have the new default of EnableTGTDelegation trust flag set to No.

  • July 9, 2019
    An update will be released that will force the trust flag on existing trusts and disable TGT delegation by default. Any trust that has been configured to continue using delegation after May 14, 2019 will not be affected.

 

The July 2019 update cycle is the one that could cause issues in an existing environment. After those month's updates are installed, any existing forest trusts will have TGT delegation disabled by default. This could cause applications and services to fail that require unconstrained delegation across a trust. Because of the possibility of this issue affecting customers, it is recommended that you start evaluating applications and accounts that might be affected by this change as soon as possible.

To help determine if any applications or accounts are using the unsafe delegation, use the following resources:

  • PowerShell

    • A quick command can be run against a trust from PowerShell that will determine if the flag is set on an inbound trust. Run this command from the forest that has the inbound trust:

      Get-ADTrust -Filter {Direction -eq "Inbound"} | ft Name,TGTDelegation
      

      The value returned from the above command is counterintuitive and is backwards from what you might expect:

      • FALSE - A return of false means that the delegation is enabled and is in the unsafe state.

      • TRUE - A return of true indicates that the delegation is disabled and is in the safe state.

    • A script has been created that can scan forests that have incoming trusts that allow TGT delegation.

    • Refer to this support article for the PowerShell code:
      KB4490425 - Updates to TGT delegation across incoming trusts in Windows Server

    • Copy and Paste the code from the support article into a file named Get-RiskyServiceAccountsByTrust.ps1

    • There are two options switches that the script can be executed with:

      • -Collect will output any principals that have unconstrained delegation.

        Get-RiskyServiceAccountByTrust.ps1 -Collect
        
      • -Collect -Scanall will output security principals that have unconstrained delegation and search across trusts that do not allow TGT delegation

        Get-RiskyServiceAccountByTrust.ps1 -Collect -ScanAll
        

      Example of Output:
      PoSHOutput.jpg

  • Event Viewer/Event Logs

    • In an Active Directory domain when a Kerberos ticket is issued, the domain controller logs security events. These events contain information about the target domain and can be utilized to determine whether unconstrained delegation is being used across incoming trusts.

      • Check for events that contain a TargetDomainName value that matches the trusted forest name.

      • Check for events that contain a TicketOptions value that contains the ok_as_delegate flag (0x00040000)
        TGTEventLogID.jpg

 

Next Steps

  • Update any Windows Server 2008 or 2008 R2 domain controllers with the March 2019 security updates as soon as possible. View known issues above before proceeding.

  • Determine the applications and accounts that could be affected now, and if there aren't any, and a trust is in place, disable the delegation as soon as possible to be in a safe configuration.

    netdom.exe trust fabrikam.com /domain:contoso.com /EnableTGTDelegation:No
    
  • Applications that rely on unconstrained delegation should be configured to use resource-constrained delegation. See Kerberos Constrained Delegation Overview for more information.

  • Once you have set the applications to resource-based constrained delegation, set the flag to No.

  • If it's determined that applications or accounts do exist that require this delegation in the environment, then set the flag to Yes, BEFORE the July 2019 updates. This is not recommended and should be avoided.

 

 

Acknowledgements

I would like to thank the following people for helping pull this post together and provide content:

  • Alan La Pietra - Microsoft

  • David Loder - Microsoft

  • Steve Syfuhs - Microsoft

  • Brandon Wilson – Microsoft

  • Michiko Short - Microsoft

  • Paul Miller - Microsoft

19 Comments
Regular Visitor

Hi Brandon and team - thank you for sharing this and clearing outlining the issue and next steps. I just wanted to confirm 1 thing. If we simply wait until 7/9/2019, the EnableTGTDelegation setting will automatically be set to "No" for all existing trusts, right (once the Windows Update is applied)? Thank you again! -N

Microsoft

@Neil yes Sir you are right

 

Regards

Alan @PFE

Occasional Visitor

In the "next steps" section a slash is missing in front of /EnableTGTDelegation:No.

 

Also, how about bidirectional forest trusts, part of them is an inbound trust as well or am I missing something?

Senior Member

Thanks for explaining this issue so well. Can you answer some additional questions, so we can better scope changes?

 

Kerberos works properly with Forest trusts, but it can also work with External trust, by utilizing KFSO, for instance. What kind of trusts will be changed on July 9? In the article you only mention Forests, so it's a bit unclear. How about tree-root / parent-child trusts - will they be changed as well?

 

All domain controllers by default are configured with unconstrained delegation. Should this be changed or is it necessary to function as a DC?

 

Thanks in advance!

 

Microsoft

@RossUA Only Forest Trusts are impacted. Domain trusts not affected.

DCs remain as they are configured now.

 

For 2008R2 DCs the script doesn't work because it uses the Get-ADTrust command.

Workaround is to install RSAT on 2012 member server and run the script from there. Currently tested and working.

Also for querying UserAccountControl quickly in the domain:

TRUSTED_FOR_DELEGATION 524288

TRUSTED_TO_AUTH_FOR_DELEGATION 16777216

get-aduser -ldapfilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"

get-aduser -ldapfilter "(userAccountControl:1.2.840.113556.1.4.803:=16777216)" 

get-adcomputer -ldapfilter "(userAccountControl:1.2.840.113556.1.4.803:=524288)"

get-adcomputer -ldapfilter "(userAccountControl:1.2.840.113556.1.4.803:=16777216)"

 

Regards

Alan @PFE

Senior Member

@Alan La Pietra 

Thanks for clarifying! Just one more question - is it supported to set /EnableTGTDelegation:No on internal "tree-root" type of trusts? For instance, in cases when domains in the forest belong to different security classes (I know that Domain is not a security boundary, but we are dealing with some legacy designs).

 

As for the script, many organizations don't open 9389 towards the domain controllers from trusting domain, keeping the amount of ports to absolute minimum. For the same reason, running a script from member server might not get necessary result, as firewall openings might be absent.

 

I have changed the script to fall back to good old DirectorySearcher class, if AD cmdlets can't connect to the domain. The script is no longer so elegant but it's fit for purpose. Now thanks to your tip will add fall-back capability of getting trust information without Get-ADTrust.

 

Best regards,

Ross

Senior Member

I have tried to make this change for one of the customers today and it failed.

As an admin of Contoso, where Fabrikam trusts Contoso (in my case - two ways trust, but we are concerned about the incoming to Contoso), I have run this command:

 

netdom.exe trust fabrikam.com /domain:contoso.com EnableTGTDelegation:No

The result is "Access denied". I have checked with "whoami /groups" that I have got Enterprise Admins and Domain Admins membership. DCs are fully patched 2012 R2. After some unsuccessful troubleshooting, used Wireshark and found out that when this command is issued, a computer is connecting to a DC in Fabrikam domain and gets "Access Denied" error:

LSARPC 218 lsa_OpenPolicy2 response, STATUS_ACCESS_DENIED, Error: STATUS_ACCESS_DENIED

So it looks like it is trying to change a trust configuration on the Fabrikam forest side.

 

 

If I reverse a command to this:

netdom.exe trust contoso.com /domain:fabrikam.com EnableTGTDelegation:No

it kind of works, although it is misleading:

C:\Windows\system32>netdom trust contoso.com /domain:fabrikam.com /EnableTGTDelegation:No
TGT delegation is already disabled.

The command completed successfully.


C:\Windows\system32>netdom trust contoso.com /domain:fabrikam.com /EnableTGTDelegation
TGT Delegation is enabled.

The command completed successfully.


C:\Windows\system32>netdom trust contoso.com /domain:fabrikam.com /EnableTGTDelegation:Yes
Enabling TGT delegation.

Warning: enabling Kerberos full TGT delegation on outbound trusts is not recommended. See https://aka.ms/netdomtgtdelegation for more information.

The command completed successfully.


C:\Windows\system32>netdom trust contoso.com /domain:fabrikam.com /EnableTGTDelegation:No
Disabling TGT delegation.

The command completed successfully.


C:\Windows\system32>netdom trust contoso.com /domain:fabrikam.com /EnableTGTDelegation
TGT Delegation is disabled.

The command completed successfully.

After this command, the trust attributes have been set to 0x208, but I'm a bit unsure if I have disabled TGT delegation for incoming trust to Fabrikam, or incoming trust for Contoso. According to the netdom command help, the command in the article is correct, so it seems like the TGT delegation should be disabled on a trusting forest side.

 

I had another pair of expert eyes looking at this and we couldn't find what goes wrong. Can you suggest what is the error please? I'm planning to create a case tomorrow.

Microsoft

Little update on this topic to make things a little clearer

 

May 14, 2019

 

Question: An update will be released to introduce a new trust flag to add a new safe default configuration.

  • If you install the May update on 2008R2 forests then you will be able to set the EnableTGTDelegation to YES for each Trusts already in place, correct? 

Answer: This is correct

 

  • Also - This patch sets automatically all the existing trusts to EnableTGTDelegation = YES?
    It will not change any behaviors of an existing trust.
  • But if I create a NEW trust in these forests the EnableTGTDelegation is set by default to NO, correct? 

Answer: This is correct
 

Question: If you require delegation across trusts, the flag should be set before the final update is installed.

  • If you apply the May update, you will need to set the EnableTGTDelegation = YES before the July update to continue using the Unconstrained Delegation across forest, correct?

Answer: This is correct. You can set it after the July update, but that’s after the change and therefore may result in an outage.

 

July 9, 2019


Question:

  • If you set the EnableTGTDelegation = YES on existing trusts so you can continue to use the Kerberos Unconstrained delegation across forest (unsecure we know that), then if you install the July update the delegation will fail 

Answer: This is correct

 

Question

  • If for some reason you set EnableTGTDelegation=YES before the May update and didn’t touch it after the May update, you will have an issue. If you set EnableTGTDelegation=YES after the May update, then the July update will not affect the trust at all.

Answer: This is correct

 

Question:

  • If you don’t do anything after the installation of the MAY 14 patch, then apply the July 9 Patch and discover for example on the 1st of August that an application doesn’t work anymore because the delegation is failing, you can configure EnableTGTDelegation = YES on the trusts and continue to work in an unsafe config.

Answer: This is correct. You can set EnableTGTDelegation=YES and it will function again. The capability is not removed entirely, just now OFF by default.

Additionally, you can switch to resource-based constrained delegation if you want to stay in a secure state.

 

Regards

Alan @PFE

 

Senior Member

@BrandonWilson @Alan La Pietra 

 

I have created a case with MS Premier Support, reference number is 119052823002455.

 

The answer in this case confirms my findings and states that the netdom trust command should be run with the reversed order of domain names. Instead of Trusting domain, you should specify Trusted and vice versa. So in scenario, where Fabrikam is resource domain, trusting Contoso, which is trusted account domain, the command should be run in Contoso and should look as follows:

 

netdom.exe trust contoso.com /domain:fabrikam.com /EnableTGTDelegation:No

 

Could you please confirm that this is the right solution? Can you update the article to reflect this please? Netdom trust command description on docs. should be updated as well (or netdom tool should be patched, as I guess it is a bug in the tool).

Occasional Visitor
Can you explain in more details how third party applications can check the "trustattribute" attribute of the trust (https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/e9a2d23c-c31e-4a6f-88a0-6646fdb...) to know if the trust is safe or not ? (your powershell script relies on c# classes which does check the trustattribute value) My understanding is: 8 (forest trust) = unsafe and 520 (forest trust + no TGT delegation) = safe My problem is that: - default flag for creating a forest for years = 8 - new flag after new trust created today on update Windows = 8 - when /EnableTGTDelegation:No = 8 - when /EnableTGTDelegation:Yes = 520 Is the new trust safe or should the flag be changed manually from 8 to 520 ? (aka, is the update in production?) Thanks in advance best regards, Vincent LE TOUX
Microsoft

@RossUA sorry for the late response

The bold text under the command states what you have confirmed. Flag should be set in Trusted forest for each Trusting forest 

 

TGT delegation across an incoming trust can be disabled by setting the EnableTGTDelegation flag to No on the trust using netdom.

netdom.exe trust contoso.com /domain:fabrikam.com /EnableTGTDelegation:No
  • This flag should be set in the trusted forest root domain (such as contoso.com) for each trusting forest (such as fabrikam.com). After the flag is set, the trusted forest will no longer allow TGTs to be delegated to the trusting forest.

Regards

Alan @PFE

Microsoft

@vletoux Hi Sir, sorry for the late response

I didn't quite understand you question. If you have installed July update you should have "TGTDelegation Disabled = safe" 

You can still change this value to Enabled in your org if required, but absolutely not recommended

 

 

Alan @PFE

Occasional Visitor
Hi @Alan La Pietra, I'm not a noob regarding Active Directory security and especially about trusts & kerberos (search for my name) The post is very explicit regarding the manipulation that needs to be performed using netdom. The root cause of my question was to understand how did you enforce technically the TGTDelegation flag to check if it is enabled or not using third party software. (I'm editing the audit software named PingCastle - all audit software checks it with LDAP queries) So I built a lab just for it and the result is that I'm not able to know if the trust is protected or not against the TGT delegation issue. Using the latest iso of Windows 2019, with all updated applied, if I create a trust now, the trust is not indicated as protected by netdom. Has the update been cancelled ? I think there is a misunderstanding that, because it is written that you should set a flag to set it as unsecure, but technically, you have to set a flag to set it as secure (whose name is TRUST_ATTRIBUTE_CROSS_ORGANIZATION_NO_TGT_DELEGATION). best regards, Vincent LE TOUX
Senior Member

Hello @Alan La Pietra ,

 

It looks like this article has been updated to reflect the proper order of the command. So it is true, that for this netdom trust command, TrustedDomain should come first and Trusting Domain should go second after /domain: switch. Could be also a good idea, to make a note about this reverse order in netdom documentation as all other netdom trust commands are run in reverse order. Maybe it is also good idea to update this article, as it says the opposite:

clipboard_image_0.png

 

But I support the question asked by @vletoux and can add, that verification of this setting is not working with netdom. I have run this command in 3 different forests for few different trusting domain/forests and the result is always that TGT Delegation is Enabled (despite that trust flags for most domains are 0x0, for one 0x4, for another 0x8 and one more has 0x800)

C:\Windows\system32>netdom trust contoso.com /domain:fabrikam.com /EnableTGTDelegation
TGT Delegation is enabled.

The command completed successfully.

 

I suppose 0x800 is where the delegation is explicitly enabled, but it is not present in the documentation.

 

Is it enough to assume that if July update is installed and trustAttributes does not contain 0x800 bit, then TGT delegation is not Enabled?

 

clipboard_image_1.png

 

Best regards,

Ross

Occasional Visitor
FYI, I'm asking for an update of MS-ADTS about this new flag value. Please see the thread here: https://social.msdn.microsoft.com/Forums/en-US/385d30ad-acf5-4fe6-ab5d-1ab01bb0f37f/msadts-61679-tru...
New Contributor

suggest to update your one PS to:

Get-ADTrust -Filter * | ft Name,Direction,TGTDelegation -a

 

Also on 2008 R2 domain I got

WARNING: Failed to query ABC.CORP. Consider investigating seperately. One or more properties are invalid.
Parameter name: msDS-AllowedToActOnBehalfOfOtherIdentity

 

I need to comment out the msDS-AllowedToActOnBehalfOfOtherIdentity in the script to make it run.

 

Still confused if the "TGTDelegation" = FALSE can be relied on.

Also with the comments about NETDOM here we got further uncertainty what the status of TGTDelegation is

Microsoft

@Tilo S

as stated in the article

  • FALSE - A return of false means that the delegation is enabled and is in the unsafe state.

  • TRUE - A return of true indicates that the delegation is disabled and is in the safe state.

For msDS-AllowedToActOnBehalfOfOtherIdentity you can try to comment (#) the three lines in the script where that attribute is listed

(msDS-AllowedToActOnBehalfOfOtherIdentity=*) 
"msDS-AllowedToActOnBehalfOfOtherIdentity" 
$resourceDelegation = $account.'msDS-AllowedToActOnBehalfOfOtherIdentity' -ne $null   

 

Senior Member
@Alan La Pietra , this can't be true. I have just checked 3 different fully patched environments and for all trusts, TGTDelegation parameter is reported to be False.
 
So, either Get-ADTrust command is returning wrong results, or July 2019 patch didn't close vulnerability after all. It would be nice if we get any information on which one is wrong, actually.
Occasional Visitor

Hi,

This is all good and fine but how can we restore "TGT Delegation" in a MIT Kerberos Trust (and not a Forest-One) ?

 

My servers principals are in the MIT Domain and we want to allow users to ssh-connect as their username and then been able to change privileges using "ksu" to some privileged accounts.

 

Using GPO the Kerberos realm as been defined with flag 0x4 and adequate dns mapping, servers principals have the "OK_AS_DELEGATE" and  "OK_TO_AUTH_AS_DELEGATE" flags, this worked fine up until the update....