
How Hackers Bypass Multi-Factor Authentication

Kerberos delegation lets a front-end server act as a specific user when it requests data from a back-end service on that user's behalf. In its unconstrained form the server receives a forwardable copy of the user's Ticket Granting Ticket, and an attacker who controls that server can take the cached tickets of every account that authenticates to it, including domain administrators.

AT A GLANCE

  • Concept: Cryptographic Ticketing: Users prove their password once to a Domain Controller and afterwards present encrypted tickets, not the password, to every network service.
  • Concept: The Delegation Problem: A web server often needs to fetch data from a separate database on behalf of the user who logged into the web server, and the database wants proof that the request is really that user's.
  • Concept: Unconstrained Delegation: The server is allowed to receive a forwarded copy of each user's Ticket Granting Ticket and use it to authenticate as that user to any service in the domain.
  • Concept: Ticket Extraction: Attackers compromise the middle-tier server, read the cached tickets of administrators who authenticated to it out of memory, and reuse them to act as those administrators across the domain.

HOW IT WORKS

Modern enterprise networks rely on Microsoft Active Directory to handle millions of authentication requests a day. To verify identities without sending passwords over the network for each one, Active Directory uses the Kerberos protocol.

Kerberos operates like an amusement park ticket booth. When a user logs in, the Key Distribution Center running on a Domain Controller (the ticket booth) verifies the password or smart card once and issues a Ticket Granting Ticket (TGT). For each service the user then presents the TGT and receives a Service Ticket for that file share, printer or internal website; the password is never sent again.

The structural problem arises with multi-tier applications. If a user logs into a corporate web server, and that web server needs to pull the user’s specific financial records from a separate backend SQL database, the web server must prove to the database that it is acting on behalf of the user.

To solve this, Active Directory supports Kerberos delegation. If the web server's computer account is marked as trusted for unconstrained delegation, the Domain Controller sets a flag in the Service Ticket it issues for that server; the user's client then requests a forwardable copy of its own TGT from the Domain Controller and sends that TGT to the web server together with the Service Ticket. The web server caches the forwarded TGT in LSASS memory and uses it to obtain Service Tickets as the user, to the backend database or to anything else, for as long as the TGT remains valid.

The cryptography guarantees only that whoever presents the ticket possesses it and its session key; it cannot distinguish the legitimate middle tier from an attacker who has read the same bytes out of its memory. Once the web server can present the user's TGT, every service in the domain accepts the impersonation as legitimate, so the design rests on the middle-tier server being defended as well as the accounts whose tickets it holds.
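The forwarding step described above leaves a trace on the Domain Controller: the client's TGS request for a fresh copy of its TGT carries the FORWARDED option, and Windows records the option bits as TicketOptions in Security event 4769. The Python below is an added example, not code from the article. It decodes that bitmask using the RFC 4120 KDCOptions bit positions and flags 4769 records for the krbtgt service that have FORWARDED set, which is the moment a user's TGT is being handed to a server trusted for delegation. The log records are constructed in a simplified key=value form for the example, and the privileged-account list is an assumed input.

```python
"""Spot forwarded-TGT issuance in Kerberos audit events (added example).

Decodes the KDCOptions bitmask (RFC 4120 section 5.4.1, bit 0 is the most
significant of 32 bits) that Windows logs as TicketOptions in event 4769, and
reports TGS requests for krbtgt with the FORWARDED option set. The sample
records below are constructed for this example, not taken from a real DC.
"""
import re

# RFC 4120 KDCOptions bit positions -> names.
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 15: "canonicalize",
    26: "disable-transited-check", 27: "renewable-ok",
    28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}


def decode_kdc_options(hex_value):
    """Turn a TicketOptions value such as '0x60810010' into a set of option names."""
    value = int(hex_value, 16)
    return {name for bit, name in KDC_OPTION_BITS.items() if value & (1 << (31 - bit))}


FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one constructed 'Key=Value Key=Value ...' record into a dict."""
    return dict(FIELD_RE.findall(line))


def find_forwarded_tgts(lines, privileged_accounts):
    """Return one finding per 4769 record that issued a forwarded TGT.

    Severity is 'high' when the account is in the assumed privileged list,
    'medium' otherwise (forwarding is normal for hosts that need delegation).
    """
    privileged = {p.lower() for p in privileged_accounts}
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4769":
            continue
        # ServiceName may appear as 'krbtgt' or 'krbtgt/REALM'.
        service = ev.get("ServiceName", "").split("/")[0].lower()
        if service != "krbtgt":
            continue  # an ordinary service ticket, not a TGT copy
        options = decode_kdc_options(ev["TicketOptions"])
        if "forwarded" not in options:
            continue
        user = ev["TargetUserName"].split("@")[0]
        findings.append({
            "user": user,
            "client_ip": ev.get("IpAddress", "?"),
            "options": sorted(options),
            "severity": "high" if user.lower() in privileged else "medium",
        })
    return findings


# Constructed sample records (simplified fields of Security event 4769).
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=HTTP/web01.corp.example "
    "TicketOptions=0x40810000 IpAddress=::ffff:10.0.5.23 Status=0x0",
    "EventID=4769 TargetUserName=jdoe@CORP.EXAMPLE ServiceName=krbtgt "
    "TicketOptions=0x60810010 IpAddress=::ffff:10.0.5.23 Status=0x0",
    "EventID=4769 TargetUserName=svc_backup@CORP.EXAMPLE ServiceName=cifs/fs01.corp.example "
    "TicketOptions=0x40810000 IpAddress=::ffff:10.0.9.4 Status=0x0",
    "EventID=4769 TargetUserName=da_jsmith@CORP.EXAMPLE ServiceName=krbtgt "
    "TicketOptions=0x60810010 IpAddress=::ffff:10.0.7.77 Status=0x0",
]
PRIVILEGED_ACCOUNTS = {"da_jsmith"}  # assumed list of Tier 0 accounts

if __name__ == "__main__":
    for f in find_forwarded_tgts(SAMPLE_EVENTS, PRIVILEGED_ACCOUNTS):
        print(f"{f['severity']:6} forwarded TGT for {f['user']} requested from {f['client_ip']}")
```

Event 4769 is written on the Domain Controller only when "Audit Kerberos Service Ticket Operations" is enabled. IpAddress is the workstation that asked for the forwarded TGT, not the server that received it; to identify the recipient, pair the record with the Service Ticket the same client requested immediately before it. Forwarded TGTs are ordinary traffic for hosts that legitimately need delegation, so compare hits against the known list of accounts trusted for delegation rather than treating every one as an incident.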

WHY IT MATTERS NOW

Corporate networks are no longer monolithic, heavily guarded castles; they are highly distributed, interconnected webs of hybrid cloud applications and on-premises databases.

Identity has replaced the network perimeter as the primary control. Attackers rarely need to break through firewalls: they gain a foothold as a standard user through a low-severity vulnerability or stolen credentials, then query Active Directory, which any authenticated user can read, to find computer accounts flagged as trusted for unconstrained delegation.

If an attacker compromises one of these servers, they do not run destructive malware immediately. They wait for a Domain Administrator, an IT employee with full control over the directory, to authenticate to that server for routine maintenance. Any Kerberos authentication to the host suffices, whether an interactive logon or simply opening a file share on it.

The moment the administrator authenticates, a forwarded copy of their TGT lands in the server's LSASS memory. With local administrator or SYSTEM rights on the server, the attacker reads the ticket out of memory and, using the technique known as "Pass-the-Ticket," loads it into a logon session of their own. Accounts marked "sensitive and cannot be delegated" or placed in the Protected Users group never receive forwardable TGTs, which closes this path for network authentication; an interactive logon to a compromised host still exposes that session's tickets, however.

The attacker now holds a Domain Administrator's TGT. No multi-factor prompt occurs because MFA, where it exists, was satisfied at the administrator's original logon; the TGT is the proof of that logon, and every service that accepts it trusts it without re-authenticating the user. From there the attacker can reach every machine in the domain, for example to push ransomware to all of them at once. Incident reports from CrowdStrike and CISA repeatedly list Active Directory misconfigurations of this kind among the conditions that turn a single compromised host into a domain-wide ransomware event.

WHAT MOST PEOPLE MISS

Executives often view cybersecurity as a patching problem, assuming that if all servers run the latest updates, the network is secure. They miss that Kerberos delegation is neither a software bug nor a coding error: forwardable tickets are a documented part of the Kerberos protocol (RFC 4120), and Active Directory implements them as designed.

The exposure stems from configuration, not broken code. IT departments frequently enable unconstrained delegation because it is the quickest way to make a multi-tier application work, trading isolation for uptime, and the setting then stays in place for the life of the application, often long after anyone remembers why. Domain controllers are trusted for unconstrained delegation by design, so an audit must separate them from member servers that should never have the flag. No patch can remove unconstrained delegation, because to the operating system the identity exchange is working exactly as specified; only a configuration change does.
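Both the attacker's mapping step described under WHY IT MATTERS NOW and the misconfiguration discussed here come down to a handful of attribute values in the directory. The Python below is an added example, not code from the article: it classifies accounts by delegation mode from the documented userAccountControl flags and the two delegation attributes, and lists administrators whose TGTs are still forwardable. The account records are constructed for the example, and the LDAP filter constant shows the query that would pull the same attributes from a live domain, where every authenticated user can read them.

```python
"""Audit Active Directory delegation settings from exported account attributes.

Added example, not code from the article. Classifies accounts the way an
attacker enumerating the domain (or a defender auditing it) would, from the
documented userAccountControl bit flags plus the two delegation attributes.
The account list below is constructed for the example; nothing here talks
to a real directory.
"""
from dataclasses import dataclass, field

# userAccountControl flags (documented constants from MS-ADTS).
WORKSTATION_TRUST_ACCOUNT = 0x1000          # member server / workstation computer account
SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
NOT_DELEGATED = 0x100000                    # "Account is sensitive and cannot be delegated"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation, "use any protocol"

# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND. This filter returns
# computers with TRUSTED_FOR_DELEGATION (524288) that are not DCs (8192).
LDAP_FILTER_UNCONSTRAINED = (
    "(&(objectCategory=computer)"
    "(userAccountControl:1.2.840.113556.1.4.803:=524288)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=8192)))"
)


@dataclass
class Account:
    sam_account_name: str
    user_account_control: int
    admin_count: int = 0                 # adminCount=1: member of a protected (AdminSDHolder) group
    allowed_to_delegate_to: list = field(default_factory=list)  # msDS-AllowedToDelegateTo
    rbcd_configured: bool = False        # msDS-AllowedToActOnBehalfOfOtherIdentity present


def delegation_mode(acct):
    """Classify one account's delegation configuration."""
    uac = acct.user_account_control
    if uac & SERVER_TRUST_ACCOUNT:
        return "domain-controller"       # DCs carry TRUSTED_FOR_DELEGATION by design; not a finding
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if acct.allowed_to_delegate_to:
        if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained-any-protocol"   # protocol transition: can request tickets for any user
        return "constrained-kerberos-only"
    if acct.rbcd_configured:
        return "rbcd-resource"           # back end that lists which front ends may delegate to it
    return "none"


def audit(accounts):
    """Summarise the findings a practitioner would act on."""
    report = {"unconstrained": [], "any_protocol": [], "delegatable_admins": []}
    for a in accounts:
        mode = delegation_mode(a)
        if mode == "unconstrained":
            report["unconstrained"].append(a.sam_account_name)
        elif mode == "constrained-any-protocol":
            report["any_protocol"].append(a.sam_account_name)
        # Privileged accounts without NOT_DELEGATED still hand out forwardable TGTs.
        if a.admin_count == 1 and not a.user_account_control & NOT_DELEGATED:
            report["delegatable_admins"].append(a.sam_account_name)
    return report


# Constructed sample export (hypothetical names in the corp.example domain).
SAMPLE_ACCOUNTS = [
    Account("DC01$", SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
    Account("WEB01$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION),
    Account("APP02$", WORKSTATION_TRUST_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
            allowed_to_delegate_to=["MSSQLSvc/sql01.corp.example:1433"]),
    Account("SQL01$", WORKSTATION_TRUST_ACCOUNT, rbcd_configured=True),
    Account("da_jsmith", 0x200, admin_count=1),                  # 0x200 = NORMAL_ACCOUNT
    Account("da_protected", 0x200 | NOT_DELEGATED, admin_count=1),
    Account("jdoe", 0x200),
]

if __name__ == "__main__":
    for a in SAMPLE_ACCOUNTS:
        print(f"{a.sam_account_name:14} {delegation_mode(a)}")
    print(audit(SAMPLE_ACCOUNTS))
```

Domain controllers are excluded from the findings because they carry TRUSTED_FOR_DELEGATION by design. The administrator check sees only the NOT_DELEGATED flag; membership in the Protected Users group also prevents TGT forwarding but is not visible in userAccountControl, so cross-check group membership before reporting an account as exposed.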

THE TRAJECTORY

Next 12–36 Months: Major cyber insurers will make the removal of unconstrained delegation from member servers a prerequisite for policy renewal. Companies will be pushed toward constrained delegation, configured on the front-end server to list the exact back-end services it may delegate to, or resource-based constrained delegation, configured on the back-end resource to list which front-end servers it will accept delegated identities from.

Next Five Years: Enterprise architectures will continue to move from on-premises Kerberos toward federated, token-based identity standards such as SAML, OAuth 2.0 and OpenID Connect. The migration changes the attack surface rather than removing it, shifting the attacker's target from memory-resident Kerberos tickets to session cookies and bearer tokens.

Next Ten Years: Zero Trust Network Access (ZTNA) frameworks will erode the concept of a single domain-wide trust boundary. Each request between two services will carry its own cryptographically verified authorization, removing the ability of a middle-tier server to impersonate a user broadly across the network.

What Could Go Wrong: The legacy transition is fragile. Many bespoke corporate applications built in the early 2000s were written against unconstrained delegation and break when it is withdrawn without first being reconfigured for constrained delegation. If engineers disable these trust settings without migrating the applications, internal financial and logistics systems will disconnect, crippling business operations.

Most Likely Outcome: The extraction of Kerberos tickets will remain the primary pivot mechanism for sophisticated ransomware operators targeting hybrid enterprise environments. Until corporations systematically dismantle decades of legacy Active Directory trust configurations, identity impersonation will continue to bypass the most advanced endpoint detection software.

KEY TERMS

  • Kerberos: A computer network authentication protocol that works on the basis of cryptographic tickets to allow nodes communicating over a non-secure network to prove their identity securely.
  • Ticket Granting Ticket (TGT): An encrypted ticket issued by the Key Distribution Center on a Domain Controller that proves a user has authenticated and lets them request Service Tickets without re-entering a password.
  • Unconstrained Delegation: An Active Directory configuration that allows a server to receive a forwarded copy of a user's TGT and use it to authenticate as that user to any service in the domain.
  • Pass-the-Ticket: A post-exploitation technique where an attacker extracts a legitimate Kerberos ticket from system memory and uses it to authenticate themselves without needing a password.
  • Domain Controller: The central server in a Microsoft Active Directory network that manages security authentication requests and stores user account information.

SOURCES

  • Microsoft Learn — Kerberos Authentication and Delegation Architecture
  • MITRE ATT&CK — Use Alternate Authentication Material: Pass the Ticket (T1550.003)
  • CrowdStrike — Identity Protection and Active Directory Threat Hunting
  • Cybersecurity and Infrastructure Security Agency (CISA) — Mitigating Active Directory Compromises