我们如何从远程节点（非AD）验证任何计算机是否具有“信任此计算机以进行任何服务的委派”启用与否？ [英] How can we verify from remote node(Not AD) that any computer has “Trust this computer to delegation for any service” enable or not?

问题描述

在Exchange DAG环境中，我们可以启用"信任此计算机"代表团......"
 

< span style ="color：＃1F497D">在执行任何操作之前，我想验证是否启用了此设置。从AD我们可以运行  "获取-ADComputer"并返回" TrustedForDelegation "
属性，提供设置< g class =" gr_ gr_51 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar multiReplace"数据-GR-ID =" 51" id =" 51">启用< / g>或不。但在我们的情况下，我们希望从
验证Exchange DAG节点。 

我们有尝试< g class =" gr_ gr_46 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar only-ins replaceWithoutSep"数据-GR-ID =" 46" ID = QUOT; 46">耦合< / g取代;方法（如下所述）确定，
，但没有一个工作。

------------------------ -------------------------------------------------- ------------------------------

IPGlobalProperties ip_properties = IPGlobalProperties.GetIPGlobalProperties（）;

      ;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;串CurrentDomain = ip_properties.DomainName;

<跨度风格= "颜色：＃1F497D">&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP ;&NBSP;&NBSP;&NBSP;使用（PrincipalContext上下文=新PrincipalContext（ContextType.Domain，CurrentDomain））

<跨度风格= "颜色：＃1F497D">&NBSP; &NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; {

<跨度风格= "颜色：＃1F497D">&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP ;&NBSP;&NBSP;&NBSP;使用（ComputerPrincipal计算机= ComputerPrincipal.FindByIdentity（上下文，IdentityType.DistinguishedName，" CN = BU-EXCH13-d-M1，CN =计算机，DC = DAGEXCH13，DC = NET"））

'p>的&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; {

<跨度风格= "颜色：＃1F497D">&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP ;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;返回
computer.DelegationPermitted ; //即使授权被禁用，也始终返回true。

      &NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; }

            }

----------------------- -------------------------------------------------- -------------------------------

InitialSessionState初始= InitialSessionState.CreateDefault（）;

<跨度风格= "颜色：＃1F497D">&NBSP;&NBSP;&NBSP;&NBSP; &NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;运行空间运行空间= RunspaceFactory.CreateRunspace（初始）;

<跨度风格= "颜色：＃1F497D">&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; &NBSP;&NBSP;&NBSP;&NBSP; runspace.Open（）;

<跨度风格= "颜色：＃1F497D">&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; &NBSP;&NBSP; PowerShell m_ps = PowerShell.Create（）;

         ;&NBSP;&NBSP;&NBSP; m_ps.Runspace = runspace;

          &NBSP;&NBSP;收集和LT; PSObject> PSOutput = NULL;

<跨度风格= "颜色：＃1F497D">&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; &NBSP; string strScript =" {Get-ADComputer -Identity \"" + computerName +" \" -Properties *}" ;;

          ;&NBSP;&NBSP; string [] arrFields = {" TrustedForDelegation" };

            PSCommand命令=新PSCommand（）;

         &NBSP;&NBSP;&NBSP; ScriptBlock sb = ScriptBlock.Create（strScript）;           

 

&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; command.AddCommand（" Invoke-Command"）;

       &NBSP;&NBSP;&NBSP;&NBSP;&NBSP; command.AddParameter（QUOT; -ComputerName"，" BU-EXCH13-D-DC.DAGEXCH13.NET"）;

<跨度风格="颜色：＃1F497D ">&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; command.AddParameter（QUOT; -ScriptBlock" ;, SB）;

<跨度风格= "颜色：＃1F497D">&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP ;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;

 

&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; m_ps.Commands = command;

          &NBSP;&NBSP;尝试

            {

<跨度风格= "颜色：＃1F497D">&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP ;&NBSP;&NBSP;&NBSP; PSOutput = m_ps.Invoke（）;

<跨度风格= "颜色：＃1F497D">&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; &NBSP;&NBSP;&NBSP; }

            catch（例外e）

           ;&NBSP; {

<跨度风格= "颜色：＃1F497D">&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP ;&NBSP;&NBSP;&NBSP; System.Console.WriteLine（e.Message）;

        ;&NBSP;&NBSP;&NBSP;&NBSP; }

 

&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; System.Console.WriteLine（" DBG :::: After try catch"）;

     ;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;的foreach（PSObject outputItem在PSOutput）

<跨度风格= "颜色：＃1F497D">&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP ;&NBSP;&NBSP; {

<跨度风格= "颜色：＃1F497D">&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP ;&NBSP;&NBSP;&NBSP; if（outputItem！= null）

          ;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; {

<跨度风格= "颜色：＃1F497D">&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP ;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;的System.Console.WriteLine（outputItem.Members [" TrustedForDelegation"] Value.ToString（））;

<跨度风格= "颜色：＃1F497D">&NBSP ;&NBSP;&NBSP;&NBSP; &NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;的System.Console.WriteLine（outputItem.BaseObject.ToString（）+ QUOT; \\\
" ）;

            &NBSP;&NBSP;&NBSP;&NBSP; }

<跨度风格= "颜色：＃1F497D">&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP ;&NBSP;&NBSP;&NBSP;
else

  ;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; {

           ;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; System.Console.WriteLine（" DBG :::: outputItem = null"）; //始终打印此行。

b

         &NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;}

<跨度风格= "颜色：＃1F497D">&NBSP;&NBSP;&NBSP;&NBSP ;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP;&NBSP; }

----------------------- -------------------------------------------------- -------------------------------

解决方案

感谢您发帖这里。

根据描述，似乎Exchange DAG环境不起作用。如果您选择不信任此计算机进行委派选项，则computer.DelegationPermitted也会返回true？

从MSDN文档我们知道
AuthenticablePrincipal.DelegationPermitted 属性意味着，它获取或设置一个可为空布尔值，指定该帐户是否可委托。

如果可以委派帐户，则返回true。您是否检查了帐户是否被委派了？

关于  Exchange DAG环境，我不确定您是否在Exchange 2016中使用数据库可用性组（DAG）？ 

关于Exchange服务器问题，您可以在
这里。

最诚挚的问候，

Hart

On the Exchange DAG environment, we can enable "Trust this computer for delegation ..."  

Before performing any operation I would like to verify that if this setting is enabled or not. From AD we can run  "Get-ADComputer" and it returns "TrustedForDelegation" property, which provides the setting <g class="gr_ gr_51 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar multiReplace" data-gr-id="51" id="51">is enable</g> or not. But in our case, we would like to verify from the Exchange DAG Node. 

We have tried <g class="gr_ gr_46 gr-alert gr_gramm gr_inline_cards gr_run_anim Grammar only-ins replaceWithoutSep" data-gr-id="46" id="46">couple</g> of methods(mentioned below) to determine, but none of it worked.

--------------------------------------------------------------------------------------------------------

IPGlobalProperties ip_properties = IPGlobalProperties.GetIPGlobalProperties();

            string CurrentDomain = ip_properties.DomainName;

            using (PrincipalContext context = new PrincipalContext(ContextType.Domain, CurrentDomain))

            {

                using (ComputerPrincipal computer = ComputerPrincipal.FindByIdentity(context, IdentityType.DistinguishedName, "CN=BU-EXCH13-D-M1,CN=Computers,DC=DAGEXCH13,DC=NET"))

                {

                    return computer.DelegationPermitted; // This always returns true, even if the delegation is disable.

                }

            }

--------------------------------------------------------------------------------------------------------

InitialSessionState initial = InitialSessionState.CreateDefault();

            Runspace runspace = RunspaceFactory.CreateRunspace(initial);

            runspace.Open();

            PowerShell m_ps = PowerShell.Create();

            m_ps.Runspace = runspace;

            Collection<PSObject> PSOutput = null;

            string strScript = "{Get-ADComputer -Identity \"" + computerName + "\" -Properties *}";

            string[] arrFields = { "TrustedForDelegation" };

            PSCommand command = new PSCommand();

            ScriptBlock sb = ScriptBlock.Create(strScript);           

 

            command.AddCommand("Invoke-Command");

            command.AddParameter("-ComputerName", "BU-EXCH13-D-DC.DAGEXCH13.NET");

            command.AddParameter("-ScriptBlock", sb);

           

 

            m_ps.Commands = command;

            try

            {

                PSOutput = m_ps.Invoke();

            }

            catch (Exception e)

            {

                System.Console.WriteLine(e.Message);

            }

 

            System.Console.WriteLine("DBG:::: After try catch");

            foreach (PSObject outputItem in PSOutput)

            {

                if (outputItem != null)

                {

                    System.Console.WriteLine(outputItem.Members["TrustedForDelegation"].Value.ToString());

                    System.Console.WriteLine(outputItem.BaseObject.ToString() + "\n");

                }

                else

                {

                    System.Console.WriteLine("DBG:::: outputItem = null"); //Always print this line.

                }

            }

--------------------------------------------------------------------------------------------------------

解决方案

Hi,

Thank you for posting here.

According to the description, it seems that the Exchange DAG environment doesn't work. If you choose the do not trust this computer for delegation option, the computer.DelegationPermitted also returns true ?

From MSDN document we know that the AuthenticablePrincipal.DelegationPermitted property means that it gets or sets a Nullable Boolean value that specifies whether the account may be delegated.

If the account may be delegated, it returns true. Did you check whether the account is delegated?

About the  Exchange DAG environment, I am not sure that you are using Database availability groups (DAGs) in Exchange 2016? 

About exchange server issue, you can post the issue on here.

Best Regards,

Hart

这篇关于我们如何从远程节点（非AD）验证任何计算机是否具有“信任此计算机以进行任何服务的委派”启用与否？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！