Finding out if client of domain controller is "Trusted for Delegation"


jimc

Dec 22, 2009, 12:47:02 PM
I need to find out if a machine connected to a certain domain controller is
trusted for delegation by it. Is there any way to query the domain controller
for this information? Right now I have an application that simply gives
unhelpful errors when I try to query Active Directory while using Kerberos.

Jim

Joe Kaplan

Dec 22, 2009, 1:37:52 PM
The trusted-for-delegation setting is a flag on the userAccountControl
attribute of the account in the directory that represents the security
principal (either a machine account, or a user account if you use fixed
service accounts).

So, you can do an LDAP query for the account in question and return the
userAccountControl attribute. Then, just use a bitwise comparison to see if
either of the two flags for delegation is enabled. "Normal delegation" is
0x80000 and "protocol transition delegation" (or "trusted for delegation
with any protocol") is 0x1000000. You can also check the constrained
delegation settings by reading the msDS-AllowedToDelegateTo attribute. It
will contain the SPNs of the allowed delegation targets.


HTH!

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
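The query Joe describes, as an added example (this is not code from the thread or from his book): it reads userAccountControl and msDS-AllowedToDelegateTo for one account with System.DirectoryServices from Windows PowerShell, no RSAT module needed, and decodes the two bits. Two things the reply leaves implicit: the setting lives on the account object and replicates to every DC in the domain, so it does not matter which DC you ask, and a computer's sAMAccountName ends in "$" (APPSRV01$). Run with no name and it instead lists every account in the domain that has either bit set or any constrained target, using the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803 so the DC does the filtering. The account names shown are placeholders, and it assumes a domain-joined host running as a domain user.

```powershell
<#
  Added example, not code from the thread. Queries Active Directory for the
  delegation settings described in the reply above and decodes them.
  Assumptions: domain-joined machine, run as a domain user; account names
  in the usage lines are placeholders.

  Usage:
    .\Get-DelegationStatus.ps1 -SamAccountName 'APPSRV01$'   # one computer account
    .\Get-DelegationStatus.ps1 -SamAccountName 'svc-web'     # one service account
    .\Get-DelegationStatus.ps1                               # every account with any delegation right
#>
[CmdletBinding()]
param(
    [string]$SamAccountName
)

# userAccountControl bits from the reply (ADS_UF_* names from the Windows SDK).
$TRUSTED_FOR_DELEGATION         = 0x80000    # 524288: unconstrained, delegate to any service
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # 16777216: protocol transition, "any authentication protocol"
$LDAP_MATCHING_RULE_BIT_AND     = '1.2.840.113556.1.4.803'  # server-side bitwise AND inside an LDAP filter

function Get-DelegationType {
    # Turn the raw attribute values into one classification a human can act on.
    param([int]$Uac, [string[]]$AllowedTo)
    if ($Uac -band $TRUSTED_FOR_DELEGATION) {
        return 'Unconstrained (trusted for delegation to any service)'
    }
    if ($AllowedTo.Count -gt 0) {
        if ($Uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
            return 'Constrained, any authentication protocol (protocol transition)'
        }
        return 'Constrained, Kerberos only'
    }
    if ($Uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION) {
        # Bit set but no target SPNs listed: there is nothing it can delegate to.
        return 'Protocol-transition bit set but msDS-AllowedToDelegateTo is empty'
    }
    return 'Not trusted for delegation'
}

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter value (backslash first).
    param([string]$Value)
    return $Value -replace '\\','\5c' -replace '\*','\2a' -replace '\(','\28' -replace '\)','\29' -replace "`0",'\00'
}

if ($SamAccountName) {
    $filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))"
} else {
    # No name given: let the DC return every account with either bit set or any constrained target.
    $filter = '(|(userAccountControl:{0}:={1})(userAccountControl:{0}:={2})(msDS-AllowedToDelegateTo=*))' -f
              $LDAP_MATCHING_RULE_BIT_AND, $TRUSTED_FOR_DELEGATION, $TRUSTED_TO_AUTH_FOR_DELEGATION
}

# A DirectorySearcher with no SearchRoot binds to the current domain (whichever DC the locator picks).
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter   = $filter
$searcher.PageSize = 500   # paged results, so a large domain is not cut off at the server's size limit
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'userAccountControl', 'msDS-AllowedToDelegateTo'))

$results = $searcher.FindAll()
if ($results.Count -eq 0) { throw "No account matched filter $filter" }

foreach ($r in $results) {
    $props = $r.Properties                      # property names come back lower-cased
    $uac   = [int]$props['useraccountcontrol'][0]
    $allowedTo = @()
    if ($props.Contains('msds-allowedtodelegateto')) {
        $allowedTo = @($props['msds-allowedtodelegateto'])
    }
    [pscustomobject]@{
        DistinguishedName   = [string]$props['distinguishedname'][0]
        UserAccountControl  = ('0x{0:X}' -f $uac)
        Delegation          = Get-DelegationType -Uac $uac -AllowedTo $allowedTo
        AllowedToDelegateTo = ($allowedTo -join '; ')
    }
}
$results.Dispose()
```

The same filters work from any LDAP client; the bitwise matching rule is what lets you ask the DC "which accounts have bit 0x80000 set" in one round trip instead of pulling every account and masking client-side. From a defensive point of view the no-argument mode is the useful one: unconstrained delegation on anything other than a DC is the result to look at first.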
