Unconstrained Delegation Vulnerability

It appears that Microsoft has identified a vulnerability in unconstrained delegation and now recommends disabling it. We are currently waiting for internal approval for purchase of RCT Enterprise, and while reviewing the installation doc I learned that unconstrained delegation appears to be required. Can I please get some more information on this from the Recast perspective and whether or not there is a valid workaround or alternate configuration?

Here is the MSFT link for the vulnerability: ADV190006 | Guidance to mitigate unconstrained delegation vulnerabilities:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190006

Thank you in advance!

You can either set up Recast Server with a service account or use the enterprise tools without a Recast Server to avoid using unconstrained delegation. Using a service account means all actions will run as that service account rather than as the user that launched the ConfigMgr console. Running the tools without a Recast Server will have all the tools run as the user that launched the ConfigMgr console, but you lose the ability to control Recast permissions.

Note that if you apply the EnableTGTDelegation:No mitigation, Recast Server will still work with unconstrained delegation within the same forest. It will only fail if your Recast Server is trying to hit a machine in another forest.

We will have another alternative in the 4.0 release that will let the tools run with all of the benefits of Recast Server (permissions, auditing, etc.) but run actions as if running without Recast Server, so unconstrained delegation will not be required.

Hope that helps,
Chris
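
To check which accounts in a domain actually carry unconstrained delegation (for instance before and after changing how a Recast Server is configured), the following added example, which is not from Recast or from the posts above, decodes the documented `userAccountControl` bits. The account names and values in `$sample` are constructed, and `Get-DelegationFinding` is a hypothetical helper name.

```powershell
# Documented userAccountControl bit values in Active Directory.
$Flags = @{
    SERVER_TRUST_ACCOUNT   = 0x2000      # domain controller computer account
    TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained delegation enabled
    NOT_DELEGATED          = 0x100000    # "Account is sensitive and cannot be delegated"
}

# Hypothetical helper: classifies one account by its userAccountControl value.
function Get-DelegationFinding {
    param([Parameter(ValueFromPipeline)] $Account)
    process {
        $value         = [int]$Account.userAccountControl
        $unconstrained = ($value -band $Flags.TRUSTED_FOR_DELEGATION) -ne 0
        $isDC          = ($value -band $Flags.SERVER_TRUST_ACCOUNT) -ne 0
        $notDelegated  = ($value -band $Flags.NOT_DELEGATED) -ne 0

        # Domain controllers are trusted for delegation by design; any other
        # account with the bit set is what the advisory asks you to review.
        $finding = if ($unconstrained -and $isDC) { 'expected: domain controller' }
                   elseif ($unconstrained)        { 'review: unconstrained delegation' }
                   elseif ($notDelegated)         { 'protected: cannot be delegated' }
                   else                           { 'no unconstrained delegation' }

        [pscustomobject]@{
            Name          = $Account.Name
            Unconstrained = $unconstrained
            IsDC          = $isDC
            NotDelegated  = $notDelegated
            Finding       = $finding
        }
    }
}

# Constructed sample records (not real accounts).
$sample = @(
    [pscustomobject]@{ Name = 'DC01';        userAccountControl = 0x82000 }   # DC + trusted for delegation
    [pscustomobject]@{ Name = 'RECAST01';    userAccountControl = 0x81000 }   # member server + trusted for delegation
    [pscustomobject]@{ Name = 'FILE01';      userAccountControl = 0x1000 }    # member server, no delegation
    [pscustomobject]@{ Name = 'adm-example'; userAccountControl = 0x100200 }  # user marked NOT_DELEGATED
)
$sample | Get-DelegationFinding | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module), the same helper
# can consume the accounts that have the TRUSTED_FOR_DELEGATION bit set:
# Get-ADObject -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
#     -Properties userAccountControl | Get-DelegationFinding
```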