How do I query delegation properties of an active directory user account?
Posted
by Mark J Miller
on Stack Overflow
See other posts from Stack Overflow
or by Mark J Miller
Published on 2010-05-05T21:42:38Z
Indexed on
2010/05/05
21:48 UTC
Read the original article
Hit count: 205
active-directory
I am writing a utility to audit the configuration of a WCF service. In order to properly pass credentials from the client, thru the WCF service back to the SQL back end the domain account used to run the service must be configured in Active Directory with the setting "Trust this user for delegation" (Properties -> "Delegation" tab).
Using C#, how do I access the settings on this tab in Active Directory. I've spent the last 5 hours trying to track this down on the web and can't seem to find it.
Here's what I've done so far:
using (Domain domain = Domain.GetCurrentDomain())
{ Console.WriteLine(domain.Name);
// get domain "dev" from MSSQLSERVER service account
DirectoryEntry ouDn = new DirectoryEntry("LDAP://CN=Users,dc=dev,dc=mydomain,dc=lcl");
DirectorySearcher search = new DirectorySearcher(ouDn);
// get sAMAccountName "dev.services" from MSSQLSERVER service account
search.Filter = "(sAMAccountName=dev.services)";
search.PropertiesToLoad.Add("displayName");
search.PropertiesToLoad.Add("userAccountControl");
SearchResult result = search.FindOne();
if (result != null)
{
Console.WriteLine(result.Properties["displayName"][0]);
DirectoryEntry entry = result.GetDirectoryEntry();
int userAccountControlFlags = (int)entry.Properties["userAccountControl"].Value;
if ((userAccountControlFlags & (int)UserAccountControl.TRUSTED_FOR_DELEGATION) == (int)UserAccountControl.TRUSTED_FOR_DELEGATION)
Console.WriteLine("TRUSTED_FOR_DELEGATION");
else if ((userAccountControlFlags & (int)UserAccountControl.TRUSTED_TO_AUTH_FOR_DELEGATION) == (int)UserAccountControl.TRUSTED_TO_AUTH_FOR_DELEGATION)
Console.WriteLine("TRUSTED_TO_AUTH_FOR_DELEGATION");
else if ((userAccountControlFlags & (int)UserAccountControl.NOT_DELEGATED) == (int)UserAccountControl.NOT_DELEGATED)
Console.WriteLine("NOT_DELEGATED");
foreach (PropertyValueCollection pvc in entry.Properties)
{
Console.WriteLine(pvc.PropertyName);
for (int i = 0; i < pvc.Count; i++)
{
Console.WriteLine("\t{0}", pvc[i]);
}
}
}
}
The "userAccountControl" does not seem to be the correct property. I think it is tied to the "Account Options" section on the "Account" tab, which is not what we're looking for but this is the closest I've gotten so far.
The justification for all this is: We do not have permission to setup the service in QA or in Production, so along with our written instructions (which are notoriously only followed in partial) I am creating a tool that will audit the setup (WCF and SQL) to determine if the setup is correct. This will allow the person deploying the service to run this utility and verify everything is setup correctly - saving us hours of headaches and reducing downtime during deployment.
© Stack Overflow or respective owner
