A question about Delegation ( TRUSTED_FOR_DELEGATION & TRUSTED_TO_AUTH_FOR_DELEGATION ) and UserAccountControl

Charlie Melga 126 Reputation points
2020-12-29T17:01:24.293+00:00

Hello

Can someone please help me with the following question

If I take an AD User Object e.g. UserA (who I set a dummy SPN on just so I can see the 'delegation' tab in ADUC GUI)

If I go to the Delegation tab of the user and set 'Trust this user for delegation to any service (Kerberos only)' aka unconstrained delegation (as far as I am aware, I believe it is also called S4U2Self)

Then when you check the UserAccountControl with a script (I have tried several) the following is set to True

TRUSTED_FOR_DELEGATION

OK, makes sense so far

If I then set the following in the Delegation tab 'Trust this user for delegation to the specified service only', then I go to the section below (which is now available and I have to complete) and set 'Use any authentication protocol', then choose an SPN for a given host on the network.
Then I check the UserAccountControl with a script I now get the following

TRUSTED_TO_AUTH_FOR_DELEGATION

Again the above makes sense (aka constrained delegation which I believe is also known as S4U2SelfProxy)

However this following I do not understand

If I go back to the delegation tab and set the following 'Use any authentication protocol', then I go to the section below and this time I choose 'Use Kerberos Only'
Then when I run the script, this time the UserAccountControl returns nothing for either TRUSTED_FOR_DELEGATION or TRUSTED_TO_AUTH_FOR_DELEGATION

The last thing above is what I do not understand, i.e. Kerberos constrained delegation is set (and allows Kerberos only, so no protocol transition), therefore why is the UserAccountControl blank unless I am missing a control in the script?

I have the following in the script

{ ($UACValue -bor 0x1000000) -eq $UACValue } {
$flags += "TRUSTED_TO_AUTH_FOR_DELEGATION"
$TRUSTED_TO_AUTH_FOR_DELEGATION_Count++
}

and

{ ($UACValue -bor 0x80000) -eq $UACValue } {
$flags += "TRUSTED_FOR_DELEGATION"
$TRUSTED_FOR_DELEGATION_Count++
}

Am I missing a UACValue? If so, which value please?

Thanks
Charlie


4 answers

  1. Vicky Wang 2,731 Reputation points
    2020-12-30T09:14:53.667+00:00

    Hi,
    Thank you for posting to us.
    According to your description, this problem is more suitable for scripting.
    I recommend you go to the scripting forum for help.
    Link to script forum: https://social.technet.microsoft.com/Forums/Windows/en-US/home?forum=winserverpowershell
    Hope this information can help you
    Best wishes
    Vicky


  2. Deepak M 1 Reputation point
    2021-01-05T15:25:43.673+00:00

    You may look at the below attributes to understand the delegation type.

    1. Full or Unconstrained delegation
      Only userAccountControl attribute
    2. Constrained delegation
      a) Constrained delegation Kerberos Only (S4U2Proxy)
      Only msDS-AllowedToDelegateTo attribute.
      b) Constrained Delegation with Protocol Transition (S4U2Self)
      Both msDS-AllowedToDelegateTo and userAccountControl attributes

    You have to code your script accordingly to check both the attributes and values.

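The attribute combinations in the answer above, turned into a small classifier as an added example (this is not code from the thread). The flag values are the documented userAccountControl bits already quoted in the question; the sample accounts and the SPN `HOST/server01.example.local` are constructed stand-ins for the three GUI states the question walks through, not live directory data.

```powershell
# Documented userAccountControl bits (same values as in the question's script).
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained: "any service (Kerberos only)"
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition: "use any authentication protocol"
$NORMAL_ACCOUNT                 = 0x200      # ordinary user account, present on every sample below

function Get-DelegationType {
    # Classify delegation from the two attributes the answer names:
    # userAccountControl flags plus the msDS-AllowedToDelegateTo target list.
    param(
        [Parameter(Mandatory)][int]$UserAccountControl,
        [string[]]$AllowedToDelegateTo = @()
    )
    $hasT4D     = ($UserAccountControl -band $TRUSTED_FOR_DELEGATION) -ne 0
    $hasT2A4D   = ($UserAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
    $hasTargets = $AllowedToDelegateTo.Count -gt 0

    if ($hasT4D)                    { return 'Unconstrained (any service, Kerberos only)' }
    if ($hasT2A4D -and $hasTargets) { return 'Constrained with protocol transition (S4U2Self + S4U2Proxy)' }
    if ($hasTargets)                { return 'Constrained, Kerberos only (S4U2Proxy): no UAC flag is set' }
    if ($hasT2A4D)                  { return 'TRUSTED_TO_AUTH_FOR_DELEGATION set but no targets listed: review' }
    return 'None'
}

# Constructed samples mirroring the three Delegation-tab states from the question.
# For a real object use, e.g.:
#   Get-ADUser UserA -Properties userAccountControl,'msDS-AllowedToDelegateTo'
$samples = @(
    [pscustomobject]@{ Name = 'UserA-unconstrained'; userAccountControl = $NORMAL_ACCOUNT -bor $TRUSTED_FOR_DELEGATION
                       'msDS-AllowedToDelegateTo' = @() }
    [pscustomobject]@{ Name = 'UserA-anyprotocol';   userAccountControl = $NORMAL_ACCOUNT -bor $TRUSTED_TO_AUTH_FOR_DELEGATION
                       'msDS-AllowedToDelegateTo' = @('HOST/server01.example.local') }
    [pscustomobject]@{ Name = 'UserA-kerberosonly';  userAccountControl = $NORMAL_ACCOUNT
                       'msDS-AllowedToDelegateTo' = @('HOST/server01.example.local') }
)

foreach ($a in $samples) {
    $type = Get-DelegationType -UserAccountControl $a.userAccountControl `
                               -AllowedToDelegateTo $a.'msDS-AllowedToDelegateTo'
    '{0,-20} UAC=0x{1:X} {2}' -f $a.Name, $a.userAccountControl, $type
}
```

The third sample reproduces the case that puzzled the question author: with 'Use Kerberos only' the account carries neither flag, and only msDS-AllowedToDelegateTo reveals that constrained delegation is configured.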

  3. Deepak M 1 Reputation point
    2021-01-08T10:44:32.623+00:00

    Please mark the helpful reply as answer to close this thread.
    Regards,
    Deepak


  4. Charlie Melga 126 Reputation points
    2021-01-20T10:25:49.12+00:00

    Thanks very much, everyone for getting back to me on this

