We can check and configure Kerberos delegation for an account using the ADSI Edit tool, although this is more difficult than with the dsa.msc tool covered in our last post.
To open ADSI Edit, select Start, Run, type adsiedit.msc and click OK. Search for an account using the Query option, then right-click it and select Properties. The Properties dialog in ADSI Edit is very different from the one in other tools such as DSA. It has a tab named Attribute Editor, which shows a list of attributes and their values.
In the ADSI Edit console, you view the user account's properties by reading the value of the userAccountControl property. This value depends on the “flags” assigned to the account. Each flag has a value, and userAccountControl shows the sum of all of these values.
The typical flags and their values are shown in the following table:
You can find a description of each flag at the following link:
http://msdn.microsoft.com/en-us/library/ms680832(VS.85).aspx
An application ID account at Accenture has the following flags enabled by default:
- NORMAL_ACCOUNT
- PASSWD_NOTREQD
- ENCRYPTED_TEXT_PWD_ALLOWED
- DONT_EXPIRE_PASSWORD
So the value of its userAccountControl property is:
512 + 32 + 128 + 65536 = 66208
When you enable the Trusted to Authenticate for Delegation option on an application ID account, you are enabling the TRUSTED_TO_AUTH_FOR_DELEGATION flag, so the value of userAccountControl becomes:
66208 + 16777216 = 16843424
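The same arithmetic can be run in reverse to audit accounts in bulk. The following Python sketch is an added example, not part of the original post: it splits a userAccountControl sum back into flag names and lists which enabled accounts carry delegation-related flags. The flag values are Microsoft's documented ones; the function names and the sample account names are assumptions made for the illustration.

```python
# userAccountControl bit values as documented by Microsoft (subset relevant here).
UAC_FLAGS = {
    0x00000002: "ACCOUNTDISABLE",
    0x00000020: "PASSWD_NOTREQD",
    0x00000080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x00000200: "NORMAL_ACCOUNT",
    0x00001000: "WORKSTATION_TRUST_ACCOUNT",
    0x00002000: "SERVER_TRUST_ACCOUNT",
    0x00010000: "DONT_EXPIRE_PASSWORD",
    0x00080000: "TRUSTED_FOR_DELEGATION",
    0x00100000: "NOT_DELEGATED",
    0x00400000: "DONT_REQ_PREAUTH",
    0x01000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
# Flags that change how Kerberos delegation treats the account.
DELEGATION_FLAGS = ("TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION", "NOT_DELEGATED")

def decode_uac(value):
    """Split a userAccountControl sum into flag names plus any bits not in UAC_FLAGS."""
    names, unknown = [], value
    for bit, name in sorted(UAC_FLAGS.items()):
        if value & bit:
            names.append(name)
            unknown &= ~bit  # clear each recognised bit; what remains is unrecognised
    return names, unknown

def encode_uac(names):
    """Inverse of decode_uac: sum the values of the named flags."""
    by_name = {name: bit for bit, name in UAC_FLAGS.items()}
    return sum(by_name[n] for n in set(names))

def delegation_report(accounts):
    """Map each enabled account to the delegation-related flags it carries."""
    report = {}
    for sam, uac in accounts:
        names, _ = decode_uac(uac)
        if "ACCOUNTDISABLE" in names:
            continue  # disabled accounts cannot authenticate, so skip them
        hits = [n for n in names if n in DELEGATION_FLAGS]
        if hits:
            report[sam] = hits
    return report

# Constructed sample data; the first two values are the sums worked out in the post.
SAMPLE = [("app-id-default", 66208), ("app-id-delegating", 16843424),
          ("old-svc-disabled", 16843424 + 2), ("web-frontend", 512 + 0x80000)]

if __name__ == "__main__":
    for sam, uac in SAMPLE:
        print(sam, uac, *decode_uac(uac))
    print(delegation_report(SAMPLE))
```

A non-zero second value from `decode_uac` means the account has bits set that this subset of the table does not cover, so check the full flag list before drawing conclusions about that account.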