Print Server Unconstrained Delegation: The PetitPotam Path
A file or print server left with the legacy Trust this computer for delegation to any service flag caches every Domain Controller TGT that authenticates to it, and PetitPotam or the Print Spooler bug can force that authentication on demand, turning a single forgotten server into a domain compromise vector that certificate audits and firewall rules never catch.
At a glance
- Unsafe setting
- A domain-joined server retains the TRUSTED_FOR_DELEGATION userAccountControl flag from legacy provisioning.
- Failure trigger
- PetitPotam or the Print Spooler bug coerces a Domain Controller into authenticating to the flagged server, caching its TGT in LSASS.
- Blast radius
- An attacker with local admin on the flagged server harvests the cached DC TGT and replays it to obtain DCSync rights across the domain.
- Recommended control
- Clear TRUSTED_FOR_DELEGATION on all non-essential servers, migrate to resource-based constrained delegation, disable unused Spooler services, and enrol Tier 0 accounts in Protected Users.
Fix commands and configuration
Set-ADAccountControl -Identity SRV-PRINT01 -TrustedForDelegation $falsemsDS-AllowedToActOnBehalfOfOtherIdentityStop-Service Spooler; Set-Service Spooler -StartupType DisabledThe Trap
Unconstrained Kerberos delegation, set via the userAccountControl bit TRUSTED_FOR_DELEGATION (0x00080000), left enabled on a domain-joined member server rather than being restricted to constrained or resource-based delegation.
The Default State
Legacy provisioning scripts and older AD CS, print, and file server build guides tick “Trust this computer for delegation to any service (Kerberos only)” on the computer object’s Delegation tab during setup, usually to solve a double-hop authentication problem quickly. Nobody revisits it once the underlying application issue is fixed. A quick check with Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation across most mature estates returns print servers, SCCM distribution points, and old SharePoint front ends that have carried the flag for years.
The Blast Radius
Any server with this flag caches the full Kerberos TGT of every account, including Domain Controller machine accounts, that authenticates to it, storing it in LSASS memory. An attacker with local admin on that box runs mimikatz sekurlsa::tickets /export or Rubeus to harvest a DC’s TGT directly. They then use PetitPotam or the Print Spooler “PrinterBug” (MS-RPRN RPC calls) to coerce a Domain Controller into authenticating to the compromised server on demand, rather than waiting for it to happen naturally. The harvested DC computer account TGT is replayed via Rubeus.exe ptt to request a Golden-Ticket-equivalent TGS for the DC’s own krbtgt or LDAP service, giving full domain replication rights (DCSync) within minutes. Standard NTLM relay defences and SMB signing do not touch this path because the abuse is entirely Kerberos-native.
The Lead Mechanic Fix
Audit every computer object for the flag with the ADSI query above, then clear it: Set-ADAccountControl -Identity SRV-PRINT01 -TrustedForDelegation $false. Replace the delegation need with resource-based constrained delegation using msDS-AllowedToActOnBehalfOfOtherIdentity scoped to the exact target SPN. Disable the Print Spooler service on every server that is not an actual print server (Stop-Service Spooler; Set-Service Spooler -StartupType Disabled), enable EFS/PetitPotam mitigations via the RPC filter for EFSRPC, and place all Tier 0 accounts, including DC machine accounts by policy, into the Protected Users group so their TGTs cannot be cached or renewed by delegating hosts.