开发者

How do I query delegation properties of an active directory user account?

I am writing a utility to audit the configuration of a WCF service. In order to properly pass credentials from the client, thru the WCF service back to the SQL back end the domain account used to run the service must be configured in Active Directory with the setting "Trust this user for delegation" (Properties -> "Delegation" tab).

Using C#, how do I access the settings on this tab in Active Directory. I've spent the last 5 hours trying to track this down on the web and can't seem to find it.

Here's what I've done so far:

using (Domain domain = Domain.GetCurrentDomain())

{ Console.WriteLine(domain.Name);

// get domain "dev" from MSSQLSERVER service account
DirectoryEntry ouDn = new DirectoryEntry("LDAP://CN=Users,dc=dev,dc=mydomain,dc=lcl");
DirectorySearcher search = new DirectorySearcher(ouDn);

// get sAMAccountName "dev.services" from MSSQLSERVER service account
search.Filter = "(sAMAccountName=dev.services)";
search.PropertiesToLoad.Add("displayName");
search.PropertiesToLoad.Add("userAccountControl");

SearchResult result = search.FindOne();
if (result != null)
{
    Console.WriteLine(result.Properties["displayName"][0]);
    DirectoryEntry entry = result.GetDirectoryEntry();

    int userAccountControlFlags = (int)entry.Properties["userAccountControl"].Value;
    if ((userAccountControlFlags & (int)UserAccountControl.TRUSTED_FOR_DELEGATION) == (int)UserAccountControl.TRUSTED_FOR_DELEGATION)
        Console.WriteLine("TRUSTED_FOR_DELEGATION");
    else if ((userAccountControlFlags & (int)UserAccountControl.TRUSTED_TO_AUTH_FOR_DELEGATION) == (int)UserAccountControl.TRUSTED_TO_AUTH_FOR_DELEGATION)
        Console.WriteLine("TR开发者_JAVA百科USTED_TO_AUTH_FOR_DELEGATION");
    else if ((userAccountControlFlags & (int)UserAccountControl.NOT_DELEGATED) == (int)UserAccountControl.NOT_DELEGATED)
        Console.WriteLine("NOT_DELEGATED");

    foreach (PropertyValueCollection pvc in entry.Properties)
    {
        Console.WriteLine(pvc.PropertyName);
        for (int i = 0; i < pvc.Count; i++)
        {
            Console.WriteLine("\t{0}", pvc[i]);
        }
    }

}

}

The "userAccountControl" does not seem to be the correct property. I think it is tied to the "Account Options" section on the "Account" tab, which is not what we're looking for but this is the closest I've gotten so far.

The justification for all this is: We do not have permission to setup the service in QA or in Production, so along with our written instructions (which are notoriously only followed in partial) I am creating a tool that will audit the setup (WCF and SQL) to determine if the setup is correct. This will allow the person deploying the service to run this utility and verify everything is setup correctly - saving us hours of headaches and reducing downtime during deployment.


Probably too late, but eh...found it, so i thought i'd share it.

The property in question is called "msDS-AllowedToDelegateTo", and it'll only appear for accounts with configured SPN values, but it gives you a comprehensive list of all the services that your object is trusted for delegation with.

Hope this saves someone else having to read the kerberos spec for a few hours.


Ok, I was wrong. When I ran it the first time userAccountControl didn't have TRUSTED_FOR_DELEGATION set. I don't know if it was a caching issue or not. I've added:

entry.RefreshCache(new string[] {"userAccountControl"});

to make sure it doesn't cache the value. I don't know if this works or not, but I added it just in case.

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜