pingcastle
Question regarding TrustedToAuthenticateForDelegation
If I understand correctly, the ListTrustedToAuthenticateForDelegation (and NumberTrustedToAuthenticateForDelegation) is taken from HealthCheckAnalyser.cs#L772:
if ((x.UserAccountControl & 0x80000) != 0)
{
    data.AddDetail("TrustedToAuthenticateForDelegation", GetAccountDetail(x));
}
In our report, we have:
<NumberTrustedToAuthenticateForDelegation>2</NumberTrustedToAuthenticateForDelegation>
<ListTrustedToAuthenticateForDelegation>
<HealthcheckAccountDetailData>
<DistinguishedName>CN=some-DC1,OU=Domain Controllers,DC=server,DC=local</DistinguishedName>
<Name>some-DC1$</Name>
<LastLogonDate>2024-03-17T05:00:44.0867538+01:00</LastLogonDate>
<CreationDate>2023-08-30T09:38:43</CreationDate>
<PwdLastSet>2024-03-01T13:56:33.2022324+01:00</PwdLastSet>
</HealthcheckAccountDetailData>
<HealthcheckAccountDetailData>
<DistinguishedName>CN=some-DC2,OU=Domain Controllers,DC=server,DC=local</DistinguishedName>
<Name>some-DC2$</Name>
<LastLogonDate>2024-03-18T05:13:44.8247168+01:00</LastLogonDate>
<CreationDate>2023-08-30T12:13:45</CreationDate>
<PwdLastSet>2024-02-29T13:30:38.2238633+01:00</PwdLastSet>
</HealthcheckAccountDetailData>
</ListTrustedToAuthenticateForDelegation>
But when I check with PowerShell:
PS E:\> "TrustedForDelegation:",$somecomputer.TrustedForDelegation, ($somecomputer.UserAccountControl -band 0x80000)
TrustedForDelegation:
True
524288
PS E:\> "TrustedToAuthForDelegation:",$somecomputer.TrustedToAuthForDelegation, ($somecomputer.UserAccountControl -band 0x100000)
TrustedToAuthForDelegation:
False
0
In Microsoft Learn, it seems that 0x80000 is used for TRUSTED_FOR_DELEGATION and TRUSTED_TO_AUTH_FOR_DELEGATION should be 0x1000000.
What did I miss?
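
Added example, not part of the original issue or of PingCastle's code: a decoder for the delegation-related userAccountControl bits, using the flag values from Microsoft's userAccountControl documentation. The function name Get-UacDelegationFlags and the sample values are constructed for illustration.

```powershell
# Delegation-related userAccountControl bits, as listed in Microsoft's
# documentation of the userAccountControl attribute.
$UacFlags = [ordered]@{
    SERVER_TRUST_ACCOUNT           = 0x2000     # domain controller computer account
    TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
    NOT_DELEGATED                  = 0x100000   # account is sensitive and cannot be delegated
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # protocol transition
}

# Hypothetical helper: returns the names of the flags above that are set.
function Get-UacDelegationFlags {
    param([Parameter(Mandatory)][int]$UserAccountControl)

    $set = foreach ($name in $UacFlags.Keys) {
        if (($UserAccountControl -band $UacFlags[$name]) -ne 0) { $name }
    }
    [pscustomobject]@{
        UserAccountControl = '0x{0:X}' -f $UserAccountControl
        Flags              = @($set) -join ', '
    }
}

# Constructed sample values (not taken from the report above).
$samples = [ordered]@{
    # Default value for a domain controller: 532480 = 0x82000
    'Domain controller'       = 0x2000 -bor 0x80000
    # Member server (WORKSTATION_TRUST_ACCOUNT) with protocol transition
    'Protocol transition'     = 0x1000 -bor 0x1000000
    # Normal user account marked sensitive
    'Sensitive, no delegation' = 0x200 -bor 0x100000
}

foreach ($label in $samples.Keys) {
    $result = Get-UacDelegationFlags -UserAccountControl $samples[$label]
    '{0,-26} {1,-10} {2}' -f $label, $result.UserAccountControl, $result.Flags
}
```

Against a live directory, pass the userAccountControl value returned by `Get-ADComputer -Properties userAccountControl` to the function instead of the constructed samples.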