Hi,
Thank you for posting here.
According to your description, this problem is more suitable for scripting.
I recommend you go to the scripting forum for help.
Link to the script forum: https://social.technet.microsoft.com/Forums/Windows/en-US/home?forum=winserverpowershell
I hope this information can help you.
Best wishes
Vicky
A question about Delegation ( TRUSTED_FOR_DELEGATION & TRUSTED_TO_AUTH_FOR_DELEGATION ) and UserAccountControl
Hello
Can someone please help me with the following question.
If I take an AD user object, e.g. UserA (on which I set a dummy SPN just so I can see the 'Delegation' tab in the ADUC GUI)
If I go to the Delegation tab of the user and set 'Trust this user for delegation to any service (Kerberos only)', aka unconstrained delegation (as far as I am aware, I believe it is also called S4U2Self)
Then when you check the UserAccountControl with a script (I have tried several) the following is set to True
TRUSTED_FOR_DELEGATION
OK, makes sense so far
If I then set the following in the Delegation tab, 'Trust this user for delegation to the specified service only', then I go to the section below (which is now available and I have to complete) and set 'Use any authentication protocol', then choose an SPN for a given host on the network.
Then I check the UserAccountControl with a script and I now get the following
TRUSTED_TO_AUTH_FOR_DELEGATION
Again the above makes sense (aka constrained delegation which I believe is also known as S4U2SelfProxy)
However this following I do not understand
If I go back to the Delegation tab, set the following, 'Use any authentication protocol', then I go to the section below and this time I choose 'Use Kerberos only'
Then when I run the script, this time the UserAccountControl returns nothing for either TRUSTED_FOR_DELEGATION or TRUSTED_TO_AUTH_FOR_DELEGATION.
The last thing above is what I do not understand, i.e. Kerberos constrained delegation is set (and allows Kerberos only, so no protocol transition), therefore why is the UserAccountControl blank, unless I am missing a control in the script?
I have the following in the script
{ ($UACValue -bor 0x1000000) -eq $UACValue } {
    $flags += "TRUSTED_TO_AUTH_FOR_DELEGATION"
    $TRUSTED_TO_AUTH_FOR_DELEGATION_Count++
}
and
{ ($UACValue -bor 0x80000) -eq $UACValue } {
    $flags += "TRUSTED_FOR_DELEGATION"
    $TRUSTED_FOR_DELEGATION_Count++
}
Am I missing a UACValue? If so, which value, please?
Thanks
Charlie
4 answers
Vicky Wang 2,731 Reputation points
2020-12-30T09:14:53.667+00:00
Deepak M 1 Reputation point
2021-01-05T15:25:43.673+00:00
You may look at the attributes below to understand the delegation type.
- Full or unconstrained delegation: only the userAccountControl attribute
- Constrained delegation
  a) Constrained delegation, Kerberos only (S4U2Proxy): only the msDS-AllowedToDelegateTo attribute.
  b) Constrained delegation with protocol transition (S4U2Self): both the msDS-AllowedToDelegateTo and userAccountControl attributes
You have to code your script accordingly to check both the attributes and values.
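A check that combines the two attributes, as an added example and not Deepak's or the thread's own script; the sample UAC values and SPN targets are constructed, and the commented Get-ADUser line is an assumed way to fetch the live attributes:

```powershell
# Added example (not from the original thread): classify an account's
# delegation configuration from userAccountControl and msDS-AllowedToDelegateTo.
# The bit values are the documented userAccountControl flag constants.
$TRUSTED_FOR_DELEGATION         = 0x80000    # 524288
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # 16777216

function Get-DelegationType {
    param(
        [Parameter(Mandatory)][int]$UserAccountControl,
        [string[]]$AllowedToDelegateTo = @()   # contents of msDS-AllowedToDelegateTo
    )
    $unconstrained      = ($UserAccountControl -band $TRUSTED_FOR_DELEGATION) -ne 0
    $protocolTransition = ($UserAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
    $hasTargets         = $AllowedToDelegateTo.Count -gt 0

    if ($unconstrained) {
        return 'Unconstrained (TRUSTED_FOR_DELEGATION)'
    }
    if ($hasTargets -and $protocolTransition) {
        return 'Constrained, any protocol (TRUSTED_TO_AUTH_FOR_DELEGATION + msDS-AllowedToDelegateTo)'
    }
    if ($hasTargets) {
        # The case from the question: Kerberos-only constrained delegation sets no UAC flag.
        return 'Constrained, Kerberos only (msDS-AllowedToDelegateTo only, no UAC flag)'
    }
    if ($protocolTransition) {
        return 'TRUSTED_TO_AUTH_FOR_DELEGATION set but msDS-AllowedToDelegateTo is empty'
    }
    return 'No delegation'
}

# Constructed sample values (0x200 is NORMAL_ACCOUNT) standing in for what the
# directory would return for the three configurations described in the question.
$samples = @(
    @{ Name = 'UserA-unconstrained'; UAC = 0x80200;   Targets = @() }
    @{ Name = 'UserA-anyprotocol';   UAC = 0x1000200; Targets = @('cifs/host1.corp.example') }
    @{ Name = 'UserA-kerberosonly';  UAC = 0x200;     Targets = @('cifs/host1.corp.example') }
)
foreach ($s in $samples) {
    '{0,-22} {1}' -f $s.Name, (Get-DelegationType -UserAccountControl $s.UAC -AllowedToDelegateTo $s.Targets)
}

# Against a live domain (assumed usage, requires the ActiveDirectory module):
# Get-ADUser UserA -Properties userAccountControl,'msDS-AllowedToDelegateTo' | ForEach-Object {
#     Get-DelegationType -UserAccountControl $_.userAccountControl `
#                        -AllowedToDelegateTo $_.'msDS-AllowedToDelegateTo'
# }
```

The third sample reproduces the blank result from the question: the script that only tests UAC bits reports nothing, while reading msDS-AllowedToDelegateTo identifies it as Kerberos-only constrained delegation.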
Deepak M 1 Reputation point
2021-01-08T10:44:32.623+00:00
Please mark the helpful reply as answer to close this thread.
Regards,
Deepak
Charlie Melga 126 Reputation points
2021-01-20T10:25:49.12+00:00
Thanks very much, everyone, for getting back to me on this.