How can we verify from remote node (Not AD) that any computer has “Trust this computer to delegation for any service” enabled or not?

  • Question


  • On the Exchange DAG environment, we can enable "Trust this computer for delegation ..."  

    Before performing any operation I would like to verify whether this setting is enabled or not. From AD we can run "Get-ADComputer" and it returns the "TrustedForDelegation" property, which tells us whether the setting is enabled or not. But in our case, we would like to verify from the Exchange DAG Node.

    We have tried a couple of methods (mentioned below) to determine this, but none of them worked.

    --------------------------------------------------------------------------------------------------------

    IPGlobalProperties ip_properties = IPGlobalProperties.GetIPGlobalProperties();
    string CurrentDomain = ip_properties.DomainName;
    using (PrincipalContext context = new PrincipalContext(ContextType.Domain, CurrentDomain))
    {
        using (ComputerPrincipal computer = ComputerPrincipal.FindByIdentity(context, IdentityType.DistinguishedName, "CN=BU-EXCH13-D-M1,CN=Computers,DC=DAGEXCH13,DC=NET"))
        {
            return computer.DelegationPermitted; // This always returns true, even if the delegation is disabled.
        }
    }

    --------------------------------------------------------------------------------------------------------

    InitialSessionState initial = InitialSessionState.CreateDefault();
    Runspace runspace = RunspaceFactory.CreateRunspace(initial);
    runspace.Open();
    PowerShell m_ps = PowerShell.Create();
    m_ps.Runspace = runspace;
    Collection<PSObject> PSOutput = null;
    string strScript = "{Get-ADComputer -Identity \"" + computerName + "\" -Properties *}";
    string[] arrFields = { "TrustedForDelegation" };
    PSCommand command = new PSCommand();
    ScriptBlock sb = ScriptBlock.Create(strScript);

    command.AddCommand("Invoke-Command");
    command.AddParameter("-ComputerName", "BU-EXCH13-D-DC.DAGEXCH13.NET");
    command.AddParameter("-ScriptBlock", sb);

    m_ps.Commands = command;
    try
    {
        PSOutput = m_ps.Invoke();
    }
    catch (Exception e)
    {
        System.Console.WriteLine(e.Message);
    }

    System.Console.WriteLine("DBG:::: After try catch");
    foreach (PSObject outputItem in PSOutput)
    {
        if (outputItem != null)
        {
            System.Console.WriteLine(outputItem.Members["TrustedForDelegation"].Value.ToString());
            System.Console.WriteLine(outputItem.BaseObject.ToString() + "\n");
        }
        else
        {
            System.Console.WriteLine("DBG:::: outputItem = null"); // Always prints this line.
        }
    }

    --------------------------------------------------------------------------------------------------------




    • Edited by Br0ek Monday, March 12, 2018 2:55 PM
    • Moved by Fei Hu Wednesday, March 21, 2018 9:29 AM Moved from C#
    Monday, March 12, 2018 2:51 PM
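
Added example, not part of the original post or any reply: "Trust this computer for delegation to any service" is the TRUSTED_FOR_DELEGATION bit (0x80000) of the computer object's userAccountControl attribute, which any domain-joined node can read over LDAP, whereas DelegationPermitted reflects the separate NOT_DELEGATED bit (0x100000). The function names are hypothetical and the sample userAccountControl values are constructed; the computer name is the one from the question.

```powershell
# Added example (not from the thread). Bit values are the documented
# userAccountControl flags; function names are hypothetical.
$UacFlags = [ordered]@{
    TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust this computer for delegation to any service"
    NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
}

function ConvertFrom-UacDelegation {
    # Pure decoder: turns a raw userAccountControl value into named booleans.
    param([Parameter(Mandatory)][int]$UserAccountControl)
    $result = [ordered]@{}
    foreach ($name in $UacFlags.Keys) {
        $result[$name] = [bool]($UserAccountControl -band $UacFlags[$name])
    }
    [pscustomobject]$result
}

function Get-ComputerDelegation {
    param(
        # Restrict to NetBIOS-style names so the value cannot alter the LDAP filter.
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z0-9\-]{1,15}$')]
        [string]$ComputerName
    )
    # [adsisearcher] binds to the current domain with the caller's credentials;
    # it needs neither the ActiveDirectory module nor remoting to a DC.
    $searcher = [adsisearcher]"(&(objectCategory=computer)(sAMAccountName=$ComputerName`$))"
    [void]$searcher.PropertiesToLoad.Add('useraccountcontrol')
    $entry = $searcher.FindOne()
    if (-not $entry) {
        throw "Computer '$ComputerName' not found in the current domain"
    }
    $uac = [int]$entry.Properties['useraccountcontrol'][0]
    ConvertFrom-UacDelegation -UserAccountControl $uac
}

# Offline check with constructed values (0x1000 = WORKSTATION_TRUST_ACCOUNT):
ConvertFrom-UacDelegation -UserAccountControl 0x1000
ConvertFrom-UacDelegation -UserAccountControl (0x1000 -bor 0x80000)

# On a domain-joined node such as the DAG member:
# Get-ComputerDelegation -ComputerName 'BU-EXCH13-D-M1'
```

The same check can be expressed directly in the LDAP filter with the bitwise-AND matching rule, `(userAccountControl:1.2.840.113556.1.4.803:=524288)`, which is also useful for auditing every computer that has unconstrained delegation enabled.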

All replies

  • Hi,

    Thank you for posting here.

    According to the description, it seems that the Exchange DAG environment doesn't work. If you choose the do not trust this computer for delegation option, the computer.DelegationPermitted also returns true?

    From MSDN document we know that the AuthenticablePrincipal.DelegationPermitted property means that it gets or sets a Nullable Boolean value that specifies whether the account may be delegated.

    If the account may be delegated, it returns true. Did you check whether the account is delegated?

    About the Exchange DAG environment, I am not sure that you are using Database availability groups (DAGs) in Exchange 2016?

    About exchange server issue, you can post the issue on here.

    Best Regards,

    Hart


    MSDN Community Support Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.


    • Edited by Hart Wang Tuesday, March 13, 2018 6:08 AM
    Tuesday, March 13, 2018 6:07 AM
  • Hello Wang,

    I am using Exchange 2013 DAG environment. I have also tried to change computer settings to "Do not trust this computer for delegation", still it returns true. Do you know any other way to verify this?

    Thanks

    Wednesday, March 14, 2018 2:04 PM
  • Hi Br0ek,
    Thank you for your feedback.
    About Exchange 2013 DAG environment issue, you can post the issue on Exchange Server 2013 - General Discussion

    Best Regards,
    Hart



    Thursday, March 15, 2018 8:32 AM
  • Thanks for notifying that. 

    Question has been posted to Exchange Server 2013 - General Discussion.

    https://social.technet.microsoft.com/Forums/office/en-US/d7113b77-70c7-46ba-a57d-eeae1f30e239/how-can-we-verify-from-exchange-2013-dag-nodenot-ad-that-any-computer-has-trust-this-computer-to?forum=exchangesvrgeneral 

    • Proposed as answer by Hart Wang Tuesday, March 20, 2018 3:52 AM
    Thursday, March 15, 2018 1:37 PM
  • Hi,

    Since your issue is not related to a C# development issue, I will move the case to the off-topic forum.

    Best Regards,

    Hart



    Wednesday, March 21, 2018 9:28 AM