< Summary

Class:	SharpHoundCommonLib.Processors.LdapPropertyProcessor
Assembly:	SharpHoundCommonLib
File(s):	D:\a\SharpHoundCommon\SharpHoundCommon\src\CommonLib\Processors\LdapPropertyProcessor.cs
Covered lines:	390
Uncovered lines:	160
Coverable lines:	550
Total lines:	931
Line coverage:	70.9% (390 of 550)
Covered branches:	126
Total branches:	254
Branch coverage:	49.6% (126 of 254)

Metrics

Method	Branch coverage	Cyclomatic complexity	NPath complexity	Sequence coverage
.cctor()	100%	1	0	100%
.ctor(...)	100%	1	0	100%
GetCommonProps(...)	100%	4	0	100%
ReadDomainProperties()	35%	20	0	51.21%
FunctionalLevelToString(...)	90%	10	0	93.33%
ReadGPOProperties(...)	100%	1	0	100%
ReadOUProperties(...)	100%	1	0	100%
ReadGroupProperties(...)	100%	1	0	100%
ReadContainerProperties(...)	100%	1	0	0%
ReadUserProperties(...)	100%	1	0	0%
ReadUserProperties()	76.66%	30	0	91.86%
ReadComputerProperties(...)	100%	1	0	0%
ReadComputerProperties()	67.39%	46	0	90.36%
ReadRootCAProperties(...)	50%	2	0	41.66%
ReadAIACAProperties(...)	100%	2	0	100%
ReadEnterpriseCAProperties(...)	0%	4	0	0%
ReadNTAuthStoreProperties(...)	100%	1	0	100%
ReadCertTemplateProperties(...)	91.66%	12	0	100%
ReadIssuancePolicyProperties()	75%	8	0	100%
ParseAllProperties(...)	62.5%	24	0	76.92%
ParseCertTemplateApplicationPolicies(...)	50%	12	0	50%
BestGuessConvert(...)	66.66%	12	0	100%
ConvertEncryptionTypes(...)	7.14%	14	0	13.33%
ConvertNanoDuration(...)	0%	20	0	0%
ConvertPKIPeriod(...)	5.88%	34	0	15.38%

File(s)

D:\a\SharpHoundCommon\SharpHoundCommon\src\CommonLib\Processors\LdapPropertyProcessor.cs

	#	Line		Line coverage
		1		using System;
		2		using System.Collections.Generic;
		3		using System.Diagnostics.CodeAnalysis;
		4		using System.Linq;
		5		using System.Runtime.InteropServices;
		6		using System.Security.AccessControl;
		7		using System.Security.Cryptography.X509Certificates;
		8		using System.Security.Principal;
		9		using System.Threading.Tasks;
		10		using Microsoft.Extensions.Logging;
		11		using SharpHoundCommonLib.Enums;
		12		using SharpHoundCommonLib.LDAPQueries;
		13		using SharpHoundCommonLib.OutputTypes;
		14
		15		// ReSharper disable StringLiteralTypo
		16
		17		namespace SharpHoundCommonLib.Processors {
		18		public class LdapPropertyProcessor {
	1	19		private static readonly HashSet<string> ReservedAttributes = new();
		20
	1	21		static LdapPropertyProcessor() {
	1	22		ReservedAttributes.UnionWith(CommonProperties.TypeResolutionProps);
	1	23		ReservedAttributes.UnionWith(CommonProperties.BaseQueryProps);
	1	24		ReservedAttributes.UnionWith(CommonProperties.GroupResolutionProps);
	1	25		ReservedAttributes.UnionWith(CommonProperties.ComputerMethodProps);
	1	26		ReservedAttributes.UnionWith(CommonProperties.ACLProps);
	1	27		ReservedAttributes.UnionWith(CommonProperties.ObjectPropsProps);
	1	28		ReservedAttributes.UnionWith(CommonProperties.ContainerProps);
	1	29		ReservedAttributes.UnionWith(CommonProperties.SPNTargetProps);
	1	30		ReservedAttributes.UnionWith(CommonProperties.DomainTrustProps);
	1	31		ReservedAttributes.UnionWith(CommonProperties.GPOLocalGroupProps);
	1	32		ReservedAttributes.UnionWith(CommonProperties.CertAbuseProps);
	1	33		ReservedAttributes.Add(LDAPProperties.DSASignature);
	1	34		}
		35
		36		private readonly ILdapUtils _utils;
		37
	38	38		public LdapPropertyProcessor(ILdapUtils utils) {
	19	39		_utils = utils;
	19	40		}
		41
	20	42		private static Dictionary<string, object> GetCommonProps(IDirectoryObject entry) {
	20	43		var ret = new Dictionary<string, object>();
	33	44		if (entry.TryGetProperty(LDAPProperties.Description, out var description)) {
	13	45		ret["description"] = description;
	13	46		}
		47
	26	48		if (entry.TryGetProperty(LDAPProperties.WhenCreated, out var wc)) {
	6	49		ret["whencreated"] = Helpers.ConvertTimestampToUnixEpoch(wc);
	6	50		}
		51
	20	52		return ret;
	20	53		}
		54
		55		/// <summary>
		56		///     Reads specific LDAP properties related to Domains
		57		/// </summary>
		58		/// <param name="entry"></param>
		59		/// <returns></returns>
		60		public async Task<Dictionary<string, object>> ReadDomainProperties(IDirectoryObject entry, string domain)
	2	61		{
	2	62		var props = GetCommonProps(entry);
		63
		64
	2	65		props.Add("expirepasswordsonsmartcardonlyaccounts", entry.GetProperty(LDAPProperties.ExpirePasswordsOnSmartC
	2	66		props.Add("machineaccountquota", entry.GetProperty(LDAPProperties.MachineAccountQuota));
	2	67		props.Add("minpwdlength", entry.GetProperty(LDAPProperties.MinPwdLength));
	2	68		props.Add("pwdproperties", entry.GetProperty(LDAPProperties.PwdProperties));
	2	69		props.Add("pwdhistorylength", entry.GetProperty(LDAPProperties.PwdHistoryLength));
	2	70		props.Add("lockoutthreshold", entry.GetProperty(LDAPProperties.LockoutThreshold));
		71
	2	72		if (entry.TryGetLongProperty(LDAPProperties.MinPwdAge, out var minpwdage)) {
	0	73		var duration = ConvertNanoDuration(minpwdage);
	0	74		if (duration != null) {
	0	75		props.Add("minpwdage", duration);
	0	76		}
	0	77		}
	2	78		if (entry.TryGetLongProperty(LDAPProperties.MaxPwdAge, out var maxpwdage)) {
	0	79		var duration = ConvertNanoDuration(maxpwdage);
	0	80		if (duration != null) {
	0	81		props.Add("maxpwdage", duration);
	0	82		}
	0	83		}
	2	84		if (entry.TryGetLongProperty(LDAPProperties.LockoutDuration, out var lockoutduration)) {
	0	85		var duration = ConvertNanoDuration(lockoutduration);
	0	86		if (duration != null) {
	0	87		props.Add("lockoutduration", duration);
	0	88		}
	0	89		}
	2	90		if (entry.TryGetLongProperty(LDAPProperties.LockOutObservationWindow, out var lockoutobservationwindow)) {
	0	91		var duration = ConvertNanoDuration(lockoutobservationwindow);
	0	92		if (duration != null) {
	0	93		props.Add("lockoutobservationwindow", lockoutobservationwindow);
	0	94		}
	0	95		}
	3	96		if (!entry.TryGetLongProperty(LDAPProperties.DomainFunctionalLevel, out var functionalLevel)) {
	1	97		functionalLevel = -1;
	1	98		}
	2	99		props.Add("functionallevel", FunctionalLevelToString((int)functionalLevel));
		100
	2	101		var dn = entry.GetProperty(LDAPProperties.DistinguishedName);
	2	102		var dsh = await _utils.GetDSHueristics(domain, dn);
	2	103		props.Add("dsheuristics", dsh.DSHeuristics);
		104
	2	105		return props;
	2	106		}
		107
		108		/// <summary>
		109		///     Converts a numeric representation of a functional level to its appropriate functional level string
		110		/// </summary>
		111		/// <param name="level"></param>
		112		/// <returns></returns>
	11	113		public static string FunctionalLevelToString(int level) {
	11	114		var functionalLevel = level switch {
	1	115		0 => "2000 Mixed/Native",
	1	116		1 => "2003 Interim",
	1	117		2 => "2003",
	1	118		3 => "2008",
	1	119		4 => "2008 R2",
	1	120		5 => "2012",
	2	121		6 => "2012 R2",
	1	122		7 => "2016",
	0	123		8 => "2025",
	2	124		_ => "Unknown"
	11	125		};
		126
	11	127		return functionalLevel;
	11	128		}
		129
		130		/// <summary>
		131		///     Reads specific LDAP properties related to GPOs
		132		/// </summary>
		133		/// <param name="entry"></param>
		134		/// <returns></returns>
	1	135		public static Dictionary<string, object> ReadGPOProperties(IDirectoryObject entry) {
	1	136		var props = GetCommonProps(entry);
	1	137		entry.TryGetProperty(LDAPProperties.GPCFileSYSPath, out var path);
	1	138		props.Add("gpcpath", path.ToUpper());
	1	139		return props;
	1	140		}
		141
		142		/// <summary>
		143		///     Reads specific LDAP properties related to OUs
		144		/// </summary>
		145		/// <param name="entry"></param>
		146		/// <returns></returns>
	1	147		public static Dictionary<string, object> ReadOUProperties(IDirectoryObject entry) {
	1	148		var props = GetCommonProps(entry);
	1	149		return props;
	1	150		}
		151
		152		/// <summary>
		153		///     Reads specific LDAP properties related to Groups
		154		/// </summary>
		155		/// <param name="entry"></param>
		156		/// <returns></returns>
	3	157		public static Dictionary<string, object> ReadGroupProperties(IDirectoryObject entry) {
	3	158		var props = GetCommonProps(entry);
	3	159		entry.TryGetLongProperty(LDAPProperties.AdminCount, out var ac);
	3	160		props.Add("admincount", ac != 0);
	3	161		return props;
	3	162		}
		163
		164		/// <summary>
		165		///     Reads specific LDAP properties related to containers
		166		/// </summary>
		167		/// <param name="entry"></param>
		168		/// <returns></returns>
	0	169		public static Dictionary<string, object> ReadContainerProperties(IDirectoryObject entry) {
	0	170		var props = GetCommonProps(entry);
	0	171		return props;
	0	172		}
		173
		174		public Task<UserProperties>
	0	175		ReadUserProperties(IDirectoryObject entry, ResolvedSearchResult searchResult) {
	0	176		return ReadUserProperties(entry, searchResult.Domain);
	0	177		}
		178
		179		/// <summary>
		180		///     Reads specific LDAP properties related to Users
		181		/// </summary>
		182		/// <param name="entry"></param>
		183		/// <param name="domain"></param>
		184		/// <returns></returns>
	4	185		public async Task<UserProperties> ReadUserProperties(IDirectoryObject entry, string domain) {
	4	186		var userProps = new UserProperties();
	4	187		var props = GetCommonProps(entry);
		188
	4	189		var uacFlags = (UacFlags)0;
	7	190		if (entry.TryGetLongProperty(LDAPProperties.UserAccountControl, out var uac)) {
	3	191		uacFlags = (UacFlags)uac;
	3	192		}
		193
	4	194		props.Add("sensitive", uacFlags.HasFlag(UacFlags.NotDelegated));
	4	195		props.Add("dontreqpreauth", uacFlags.HasFlag(UacFlags.DontReqPreauth));
	4	196		props.Add("passwordnotreqd", uacFlags.HasFlag(UacFlags.PasswordNotRequired));
	4	197		props.Add("unconstraineddelegation", uacFlags.HasFlag(UacFlags.TrustedForDelegation));
	4	198		props.Add("pwdneverexpires", uacFlags.HasFlag(UacFlags.DontExpirePassword));
	4	199		props.Add("enabled", !uacFlags.HasFlag(UacFlags.AccountDisable));
	4	200		props.Add("trustedtoauth", uacFlags.HasFlag(UacFlags.TrustedToAuthForDelegation));
	4	201		props.Add("smartcardrequired", uacFlags.HasFlag(UacFlags.SmartcardRequired));
	4	202		props.Add("encryptedtextpwdallowed", uacFlags.HasFlag(UacFlags.EncryptedTextPwdAllowed));
	4	203		props.Add("usedeskeyonly", uacFlags.HasFlag(UacFlags.UseDesKeyOnly));
	4	204		props.Add("logonscriptenabled", uacFlags.HasFlag(UacFlags.Script));
	4	205		props.Add("lockedout", uacFlags.HasFlag(UacFlags.Lockout));
	4	206		props.Add("passwordcantchange", uacFlags.HasFlag(UacFlags.PasswordCantChange));
	4	207		props.Add("passwordexpired", uacFlags.HasFlag(UacFlags.PasswordExpired));
		208
	4	209		userProps.UnconstrainedDelegation = uacFlags.HasFlag(UacFlags.TrustedForDelegation);
		210
	4	211		var comps = new List<TypedPrincipal>();
	4	212		if (uacFlags.HasFlag(UacFlags.TrustedToAuthForDelegation) &&
	5	213		entry.TryGetArrayProperty(LDAPProperties.AllowedToDelegateTo, out var delegates)) {
	1	214		props.Add("allowedtodelegate", delegates);
		215
	9	216		foreach (var d in delegates) {
	2	217		if (d == null)
	0	218		continue;
		219
	2	220		var resolvedHost = await _utils.ResolveHostToSid(d, domain);
	2	221		if (resolvedHost.Success && resolvedHost.SecurityIdentifier.Contains("S-1"))
	2	222		comps.Add(new TypedPrincipal {
	2	223		ObjectIdentifier = resolvedHost.SecurityIdentifier,
	2	224		ObjectType = Label.Computer
	2	225		});
	2	226		}
	1	227		}
		228
	4	229		userProps.AllowedToDelegate = comps.Distinct().ToArray();
		230
	4	231		if (!entry.TryGetProperty(LDAPProperties.LastLogon, out var lastLogon)) {
	0	232		lastLogon = null;
	0	233		}
		234
	4	235		props.Add("lastlogon", Helpers.ConvertFileTimeToUnixEpoch(lastLogon));
		236
	4	237		if (!entry.TryGetProperty(LDAPProperties.LastLogonTimestamp, out var lastLogonTimeStamp)) {
	0	238		lastLogonTimeStamp = null;
	0	239		}
		240
	4	241		props.Add("lastlogontimestamp", Helpers.ConvertFileTimeToUnixEpoch(lastLogonTimeStamp));
		242
	4	243		if (!entry.TryGetProperty(LDAPProperties.PasswordLastSet, out var passwordLastSet)) {
	0	244		passwordLastSet = null;
	0	245		}
		246
	4	247		props.Add("pwdlastset",
	4	248		Helpers.ConvertFileTimeToUnixEpoch(passwordLastSet));
	4	249		entry.TryGetArrayProperty(LDAPProperties.ServicePrincipalNames, out var spn);
	4	250		props.Add("serviceprincipalnames", spn);
	4	251		props.Add("hasspn", spn.Length > 0);
	4	252		props.Add("displayname", entry.GetProperty(LDAPProperties.DisplayName));
	4	253		props.Add("email", entry.GetProperty(LDAPProperties.Email));
	4	254		props.Add("title", entry.GetProperty(LDAPProperties.Title));
	4	255		props.Add("homedirectory", entry.GetProperty(LDAPProperties.HomeDirectory));
	4	256		props.Add("userpassword", entry.GetProperty(LDAPProperties.UserPassword));
	4	257		props.Add("unixpassword", entry.GetProperty(LDAPProperties.UnixUserPassword));
	4	258		props.Add("unicodepassword", entry.GetProperty(LDAPProperties.UnicodePassword));
	4	259		props.Add("sfupassword", entry.GetProperty(LDAPProperties.MsSFU30Password));
	4	260		props.Add("logonscript", entry.GetProperty(LDAPProperties.ScriptPath));
	4	261		props.Add("useraccountcontrol", uac);
	4	262		props.Add("profilepath", entry.GetProperty(LDAPProperties.ProfilePath));
		263
	4	264		entry.TryGetLongProperty(LDAPProperties.AdminCount, out var ac);
	4	265		props.Add("admincount", ac != 0);
		266
	4	267		var encryptionTypes = ConvertEncryptionTypes(entry.GetProperty(LDAPProperties.SupportedEncryptionTypes));
	4	268		props.Add("supportedencryptiontypes", encryptionTypes);
		269
	4	270		entry.TryGetByteArrayProperty(LDAPProperties.SIDHistory, out var sh);
	4	271		var sidHistoryList = new List<string>();
	4	272		var sidHistoryPrincipals = new List<TypedPrincipal>();
	24	273		foreach (var sid in sh) {
		274		string sSid;
	4	275		try {
	4	276		sSid = new SecurityIdentifier(sid, 0).Value;
	5	277		} catch {
	1	278		continue;
		279		}
		280
	3	281		sidHistoryList.Add(sSid);
		282
	3	283		if (await _utils.ResolveIDAndType(sSid, domain) is (true, var res))
	3	284		sidHistoryPrincipals.Add(res);
	3	285		}
		286
	4	287		userProps.SidHistory = sidHistoryPrincipals.Distinct().ToArray();
		288
	4	289		props.Add("sidhistory", sidHistoryList.ToArray());
		290
	4	291		userProps.Props = props;
		292
	4	293		return userProps;
	4	294		}
		295
		296		public Task<ComputerProperties> ReadComputerProperties(IDirectoryObject entry,
	0	297		ResolvedSearchResult searchResult) {
	0	298		return ReadComputerProperties(entry, searchResult.Domain);
	0	299		}
		300
		301		/// <summary>
		302		///     Reads specific LDAP properties related to Computers
		303		/// </summary>
		304		/// <param name="entry"></param>
		305		/// <param name="domain"></param>
		306		/// <returns></returns>
	3	307		public async Task<ComputerProperties> ReadComputerProperties(IDirectoryObject entry, string domain) {
	3	308		var compProps = new ComputerProperties();
	3	309		var props = GetCommonProps(entry);
		310
	3	311		var flags = (UacFlags)0;
	5	312		if (entry.TryGetLongProperty(LDAPProperties.UserAccountControl, out var uac)) {
	2	313		flags = (UacFlags)uac;
	2	314		}
		315
	3	316		props.Add("enabled", !flags.HasFlag(UacFlags.AccountDisable));
	3	317		props.Add("unconstraineddelegation", flags.HasFlag(UacFlags.TrustedForDelegation));
	3	318		props.Add("trustedtoauth", flags.HasFlag(UacFlags.TrustedToAuthForDelegation));
	3	319		props.Add("isdc", flags.HasFlag(UacFlags.ServerTrustAccount));
	3	320		props.Add("encryptedtextpwdallowed", flags.HasFlag(UacFlags.EncryptedTextPwdAllowed));
	3	321		props.Add("usedeskeyonly", flags.HasFlag(UacFlags.UseDesKeyOnly));
	3	322		props.Add("logonscriptenabled", flags.HasFlag(UacFlags.Script));
	3	323		props.Add("lockedout", flags.HasFlag(UacFlags.Lockout));
	3	324		props.Add("passwordexpired", flags.HasFlag(UacFlags.PasswordExpired));
		325
	3	326		compProps.UnconstrainedDelegation = flags.HasFlag(UacFlags.TrustedForDelegation);
		327
	3	328		var encryptionTypes = ConvertEncryptionTypes(entry.GetProperty(LDAPProperties.SupportedEncryptionTypes));
	3	329		props.Add("supportedencryptiontypes", encryptionTypes);
		330
	3	331		var comps = new List<TypedPrincipal>();
	3	332		if (flags.HasFlag(UacFlags.TrustedToAuthForDelegation) &&
	5	333		entry.TryGetArrayProperty(LDAPProperties.AllowedToDelegateTo, out var delegates)) {
	2	334		props.Add("allowedtodelegate", delegates);
		335
	24	336		foreach (var d in delegates) {
	6	337		if (d == null)
	0	338		continue;
		339
	6	340		var resolvedHost = await _utils.ResolveHostToSid(d, domain);
	6	341		if (resolvedHost.Success && resolvedHost.SecurityIdentifier.Contains("S-1"))
	6	342		comps.Add(new TypedPrincipal {
	6	343		ObjectIdentifier = resolvedHost.SecurityIdentifier,
	6	344		ObjectType = Label.Computer
	6	345		});
	6	346		}
	2	347		}
		348
	3	349		compProps.AllowedToDelegate = comps.Distinct().ToArray();
		350
	3	351		var allowedToActPrincipals = new List<TypedPrincipal>();
	3	352		if (entry.TryGetByteProperty(LDAPProperties.AllowedToActOnBehalfOfOtherIdentity, out var rawAllowedToAct)) {
	0	353		var sd = _utils.MakeSecurityDescriptor();
	0	354		sd.SetSecurityDescriptorBinaryForm(rawAllowedToAct, AccessControlSections.Access);
	0	355		foreach (var rule in sd.GetAccessRules(true, true, typeof(SecurityIdentifier))) {
	0	356		if (await _utils.ResolveIDAndType(rule.IdentityReference(), domain) is (true, var res))
	0	357		allowedToActPrincipals.Add(res);
	0	358		}
	0	359		}
		360
	3	361		compProps.AllowedToAct = allowedToActPrincipals.ToArray();
		362
	3	363		props.Add("lastlogon", Helpers.ConvertFileTimeToUnixEpoch(entry.GetProperty(LDAPProperties.LastLogon)));
	3	364		props.Add("lastlogontimestamp",
	3	365		Helpers.ConvertFileTimeToUnixEpoch(entry.GetProperty(LDAPProperties.LastLogonTimestamp)));
	3	366		props.Add("pwdlastset",
	3	367		Helpers.ConvertFileTimeToUnixEpoch(entry.GetProperty(LDAPProperties.PasswordLastSet)));
	3	368		entry.TryGetArrayProperty(LDAPProperties.ServicePrincipalNames, out var spn);
	3	369		props.Add("serviceprincipalnames", spn);
	3	370		props.Add("email", entry.GetProperty(LDAPProperties.Email));
	3	371		props.Add("useraccountcontrol", uac);
	3	372		var os = entry.GetProperty(LDAPProperties.OperatingSystem);
	3	373		var sp = entry.GetProperty(LDAPProperties.ServicePack);
		374
	5	375		if (sp != null) os = $"{os} {sp}";
		376
	3	377		props.Add("operatingsystem", os);
		378
	3	379		entry.TryGetByteArrayProperty(LDAPProperties.SIDHistory, out var sh);
	3	380		var sidHistoryList = new List<string>();
	3	381		var sidHistoryPrincipals = new List<TypedPrincipal>();
	18	382		foreach (var sid in sh) {
		383		string sSid;
	3	384		try {
	3	385		sSid = new SecurityIdentifier(sid, 0).Value;
	4	386		} catch {
	1	387		continue;
		388		}
		389
	2	390		sidHistoryList.Add(sSid);
		391
	2	392		if (await _utils.ResolveIDAndType(sSid, domain) is (true, var res))
	2	393		sidHistoryPrincipals.Add(res);
	2	394		}
		395
	3	396		compProps.SidHistory = sidHistoryPrincipals.ToArray();
		397
	3	398		props.Add("sidhistory", sidHistoryList.ToArray());
		399
	3	400		var smsaPrincipals = new List<TypedPrincipal>();
	4	401		if (entry.TryGetArrayProperty(LDAPProperties.HostServiceAccount, out var hsa)) {
	9	402		foreach (var dn in hsa) {
	2	403		if (await _utils.ResolveDistinguishedName(dn) is (true, var resolvedPrincipal))
	2	404		smsaPrincipals.Add(resolvedPrincipal);
	2	405		}
	1	406		}
		407
	3	408		compProps.DumpSMSAPassword = smsaPrincipals.ToArray();
		409
	3	410		compProps.Props = props;
		411
	3	412		return compProps;
	3	413		}
		414
		415		/// <summary>
		416		/// Returns the properties associated with the RootCA
		417		/// </summary>
		418		/// <param name="entry"></param>
		419		/// <returns>Returns a dictionary with the common properties of the RootCA</returns>
	1	420		public static Dictionary<string, object> ReadRootCAProperties(IDirectoryObject entry) {
	1	421		var props = GetCommonProps(entry);
		422
		423		// Certificate
	1	424		if (entry.TryGetByteProperty(LDAPProperties.CACertificate, out var rawCertificate)) {
	0	425		var cert = new ParsedCertificate(rawCertificate);
	0	426		props.Add("certthumbprint", cert.Thumbprint);
	0	427		props.Add("certname", cert.Name);
	0	428		props.Add("certchain", cert.Chain);
	0	429		props.Add("hasbasicconstraints", cert.HasBasicConstraints);
	0	430		props.Add("basicconstraintpathlength", cert.BasicConstraintPathLength);
	0	431		}
		432
	1	433		return props;
	1	434		}
		435
		436		/// <summary>
		437		/// Returns the properties associated with the AIACA
		438		/// </summary>
		439		/// <param name="entry"></param>
		440		/// <returns>Returns a dictionary with the common properties and the crosscertificatepair property of the AICA</
	1	441		public static Dictionary<string, object> ReadAIACAProperties(IDirectoryObject entry) {
	1	442		var props = GetCommonProps(entry);
	1	443		entry.TryGetByteArrayProperty(LDAPProperties.CrossCertificatePair, out var crossCertificatePair);
	1	444		var hasCrossCertificatePair = crossCertificatePair.Length > 0;
		445
	1	446		props.Add("crosscertificatepair", crossCertificatePair);
	1	447		props.Add("hascrosscertificatepair", hasCrossCertificatePair);
		448
		449		// Certificate
	2	450		if (entry.TryGetByteProperty(LDAPProperties.CACertificate, out var rawCertificate)) {
	1	451		var cert = new ParsedCertificate(rawCertificate);
	1	452		props.Add("certthumbprint", cert.Thumbprint);
	1	453		props.Add("certname", cert.Name);
	1	454		props.Add("certchain", cert.Chain);
	1	455		props.Add("hasbasicconstraints", cert.HasBasicConstraints);
	1	456		props.Add("basicconstraintpathlength", cert.BasicConstraintPathLength);
	1	457		}
		458
	1	459		return props;
	1	460		}
		461
	0	462		public static Dictionary<string, object> ReadEnterpriseCAProperties(IDirectoryObject entry) {
	0	463		var props = GetCommonProps(entry);
	0	464		if (entry.TryGetLongProperty("flags", out var flags))
	0	465		props.Add("flags", (PKICertificateAuthorityFlags)flags);
	0	466		props.Add("caname", entry.GetProperty(LDAPProperties.Name));
	0	467		props.Add("dnshostname", entry.GetProperty(LDAPProperties.DNSHostName));
		468
		469		// Certificate
	0	470		if (entry.TryGetByteProperty(LDAPProperties.CACertificate, out var rawCertificate)) {
	0	471		var cert = new ParsedCertificate(rawCertificate);
	0	472		props.Add("certthumbprint", cert.Thumbprint);
	0	473		props.Add("certname", cert.Name);
	0	474		props.Add("certchain", cert.Chain);
	0	475		props.Add("hasbasicconstraints", cert.HasBasicConstraints);
	0	476		props.Add("basicconstraintpathlength", cert.BasicConstraintPathLength);
	0	477		}
		478
	0	479		return props;
	0	480		}
		481
		482		/// <summary>
		483		/// Returns the properties associated with the NTAuthStore. These properties will only contain common properties
		484		/// </summary>
		485		/// <param name="entry"></param>
		486		/// <returns>Returns a dictionary with the common properties of the NTAuthStore</returns>
	1	487		public static Dictionary<string, object> ReadNTAuthStoreProperties(IDirectoryObject entry) {
	1	488		var props = GetCommonProps(entry);
	1	489		return props;
	1	490		}
		491
		492		/// <summary>
		493		/// Reads specific LDAP properties related to CertTemplates
		494		/// </summary>
		495		/// <param name="entry"></param>
		496		/// <returns>Returns a dictionary associated with the CertTemplate properties that were read</returns>
	1	497		public static Dictionary<string, object> ReadCertTemplateProperties(IDirectoryObject entry) {
	1	498		var props = GetCommonProps(entry);
		499
	1	500		props.Add("validityperiod", ConvertPKIPeriod(entry.GetByteProperty(LDAPProperties.PKIExpirationPeriod)));
	1	501		props.Add("renewalperiod", ConvertPKIPeriod(entry.GetByteProperty(LDAPProperties.PKIOverlappedPeriod)));
		502
	1	503		if (entry.TryGetLongProperty(LDAPProperties.TemplateSchemaVersion, out var schemaVersion))
	1	504		props.Add("schemaversion", schemaVersion);
		505
	1	506		props.Add("displayname", entry.GetProperty(LDAPProperties.DisplayName));
	1	507		props.Add("oid", entry.GetProperty(LDAPProperties.CertTemplateOID));
		508
	2	509		if (entry.TryGetLongProperty(LDAPProperties.PKIEnrollmentFlag, out var enrollmentFlagsRaw)) {
	1	510		var enrollmentFlags = (PKIEnrollmentFlag)enrollmentFlagsRaw;
		511
	1	512		props.Add("enrollmentflag", enrollmentFlags);
	1	513		props.Add("requiresmanagerapproval", enrollmentFlags.HasFlag(PKIEnrollmentFlag.PEND_ALL_REQUESTS));
	1	514		props.Add("nosecurityextension", enrollmentFlags.HasFlag(PKIEnrollmentFlag.NO_SECURITY_EXTENSION));
	1	515		}
		516
	2	517		if (entry.TryGetLongProperty(LDAPProperties.PKINameFlag, out var nameFlagsRaw)) {
	1	518		var nameFlags = (PKICertificateNameFlag)nameFlagsRaw;
		519
	1	520		props.Add("certificatenameflag", nameFlags);
	1	521		props.Add("enrolleesuppliessubject",
	1	522		nameFlags.HasFlag(PKICertificateNameFlag.ENROLLEE_SUPPLIES_SUBJECT));
	1	523		props.Add("subjectaltrequireupn",
	1	524		nameFlags.HasFlag(PKICertificateNameFlag.SUBJECT_ALT_REQUIRE_UPN));
	1	525		props.Add("subjectaltrequiredns",
	1	526		nameFlags.HasFlag(PKICertificateNameFlag.SUBJECT_ALT_REQUIRE_DNS));
	1	527		props.Add("subjectaltrequiredomaindns",
	1	528		nameFlags.HasFlag(PKICertificateNameFlag.SUBJECT_ALT_REQUIRE_DOMAIN_DNS));
	1	529		props.Add("subjectaltrequireemail",
	1	530		nameFlags.HasFlag(PKICertificateNameFlag.SUBJECT_ALT_REQUIRE_EMAIL));
	1	531		props.Add("subjectaltrequirespn",
	1	532		nameFlags.HasFlag(PKICertificateNameFlag.SUBJECT_ALT_REQUIRE_SPN));
	1	533		props.Add("subjectrequireemail",
	1	534		nameFlags.HasFlag(PKICertificateNameFlag.SUBJECT_REQUIRE_EMAIL));
	1	535		}
		536
	1	537		entry.TryGetArrayProperty(LDAPProperties.ExtendedKeyUsage, out var ekus);
	1	538		props.Add("ekus", ekus);
	1	539		entry.TryGetArrayProperty(LDAPProperties.CertificateApplicationPolicy,
	1	540		out var certificateApplicationPolicy);
	1	541		props.Add("certificateapplicationpolicy", certificateApplicationPolicy);
		542
	1	543		entry.TryGetArrayProperty(LDAPProperties.CertificatePolicy, out var certificatePolicy);
	1	544		props.Add("certificatepolicy", certificatePolicy);
		545
	1	546		if (entry.TryGetLongProperty(LDAPProperties.NumSignaturesRequired, out var authorizedSignatures))
	1	547		props.Add("authorizedsignatures", authorizedSignatures);
		548
	1	549		var hasUseLegacyProvider = false;
	2	550		if (entry.TryGetLongProperty(LDAPProperties.PKIPrivateKeyFlag, out var privateKeyFlagsRaw)) {
	1	551		var privateKeyFlags = (PKIPrivateKeyFlag)privateKeyFlagsRaw;
	1	552		hasUseLegacyProvider = privateKeyFlags.HasFlag(PKIPrivateKeyFlag.USE_LEGACY_PROVIDER);
	1	553		}
		554
	1	555		entry.TryGetArrayProperty(LDAPProperties.ApplicationPolicies, out var appPolicies);
		556
	1	557		props.Add("applicationpolicies",
	1	558		ParseCertTemplateApplicationPolicies(appPolicies,
	1	559		(int)schemaVersion, hasUseLegacyProvider));
	1	560		entry.TryGetArrayProperty(LDAPProperties.IssuancePolicies, out var issuancePolicies);
	1	561		props.Add("issuancepolicies", issuancePolicies);
		562
		563		// Construct effectiveekus
	1	564		var effectiveekus = schemaVersion == 1 & ekus.Length > 0 ? ekus : certificateApplicationPolicy;
	1	565		props.Add("effectiveekus", effectiveekus);
		566
		567		// Construct authenticationenabled
	1	568		var authenticationEnabled =
	1	569		effectiveekus.Intersect(Helpers.AuthenticationOIDs).Any() | effectiveekus.Length == 0;
	1	570		props.Add("authenticationenabled", authenticationEnabled);
		571
		572		// Construct schannelauthenticationenabled
	1	573		var schannelAuthenticationEnabled =
	1	574		effectiveekus.Intersect(Helpers.SchannelAuthenticationOIDs).Any() | effectiveekus.Length == 0;
	1	575		props.Add("schannelauthenticationenabled", schannelAuthenticationEnabled);
		576
	1	577		return props;
	1	578		}
		579
	2	580		public async Task<IssuancePolicyProperties> ReadIssuancePolicyProperties(IDirectoryObject entry) {
	2	581		var ret = new IssuancePolicyProperties();
	2	582		var props = GetCommonProps(entry);
	2	583		props.Add("displayname", entry.GetProperty(LDAPProperties.DisplayName));
	2	584		props.Add("certtemplateoid", entry.GetProperty(LDAPProperties.CertTemplateOID));
		585
	3	586		if (entry.TryGetProperty(LDAPProperties.OIDGroupLink, out var link)) {
	2	587		if (await _utils.ResolveDistinguishedName(link) is (true, var linkedGroup)) {
	1	588		props.Add("oidgrouplink", linkedGroup.ObjectIdentifier);
	1	589		ret.GroupLink = linkedGroup;
	1	590		}
	1	591		}
		592
	2	593		ret.Props = props;
	2	594		return ret;
	2	595		}
		596
		597		/// <summary>
		598		///     Attempts to parse all LDAP attributes outside of the ones already collected and converts them to a human
		599		///     format using a best guess
		600		/// </summary>
		601		/// <param name="entry"></param>
	8	602		public Dictionary<string, object> ParseAllProperties(IDirectoryObject entry) {
	8	603		var props = new Dictionary<string, object>();
		604
	60	605		foreach (var property in entry.PropertyNames()) {
	12	606		if (ReservedAttributes.Contains(property, StringComparer.OrdinalIgnoreCase))
	4	607		continue;
		608
	8	609		var collCount = entry.PropertyCount(property);
	8	610		if (collCount == 0)
	0	611		continue;
		612
	14	613		if (collCount == 1) {
	6	614		var testString = entry.GetProperty(property);
	11	615		if (!string.IsNullOrEmpty(testString)) {
	5	616		if (property.Equals("badpasswordtime", StringComparison.OrdinalIgnoreCase))
	1	617		props.Add(property, Helpers.ConvertFileTimeToUnixEpoch(testString));
		618		else
	4	619		props.Add(property, BestGuessConvert(testString));
	5	620		}
	8	621		} else {
	4	622		if (entry.TryGetByteProperty(property, out var testBytes)) {
	2	623		if (testBytes == null || testBytes.Length == 0) {
	0	624		continue;
		625		}
		626
		627		// SIDs
	2	628		try {
	2	629		var sid = new SecurityIdentifier(testBytes, 0);
	1	630		props.Add(property, sid.Value);
	1	631		continue;
	2	632		} catch {
		633		/* Ignore */
	1	634		}
		635
		636		// GUIDs
	1	637		try {
	1	638		var guid = new Guid(testBytes);
	1	639		props.Add(property, guid.ToString());
	1	640		continue;
	0	641		} catch {
		642		/* Ignore */
	0	643		}
	0	644		}
		645
	0	646		if (entry.TryGetArrayProperty(property, out var arr) && arr.Length > 0) {
	0	647		props.Add(property, arr.Select(BestGuessConvert).ToArray());
	0	648		}
	0	649		}
	6	650		}
		651
	8	652		return props;
	8	653		}
		654
		655		/// <summary>
		656		///     Parse CertTemplate attribute msPKI-RA-Application-Policies
		657		/// </summary>
		658		/// <param name="applicationPolicies"></param>
		659		/// <param name="schemaVersion"></param>
		660		/// <param name="hasUseLegacyProvider"></param>
		661		private static string[] ParseCertTemplateApplicationPolicies(string[] applicationPolicies, int schemaVersion,
	1	662		bool hasUseLegacyProvider) {
	1	663		if (applicationPolicies == null
	1	664		|| applicationPolicies.Length == 0
	1	665		|| schemaVersion == 1
	1	666		|| schemaVersion == 2
	2	667		|| (schemaVersion == 4 && hasUseLegacyProvider)) {
	1	668		return applicationPolicies;
	0	669		} else {
		670		// Format: "Name`Type`Value`Name`Type`Value`..."
		671		// (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-crtd/c55ec697-be3f-4117-8316-8895e4
		672		// Return the Value of Name = "msPKI-RA-Application-Policies" entries
	0	673		var entries = applicationPolicies[0].Split('`');
	0	674		return Enumerable.Range(0, entries.Length / 3)
	0	675		.Select(i => entries.Skip(i * 3).Take(3).ToArray())
	0	676		.Where(parts => parts.Length == 3 && parts[0].Equals(LDAPProperties.ApplicationPolicies,
	0	677		StringComparison.OrdinalIgnoreCase))
	0	678		.Select(parts => parts[2])
	0	679		.ToArray();
		680		}
	1	681		}
		682
		683		/// <summary>
		684		///     Does a best guess conversion of the property to a type useable by the UI
		685		/// </summary>
		686		/// <param name="value"></param>
		687		/// <returns></returns>
	4	688		private static object BestGuessConvert(string value) {
		689		//Parse boolean values
	4	690		if (bool.TryParse(value, out var boolResult)) return boolResult;
		691
		692		//A string ending with 0Z is likely a timestamp
	4	693		if (value.EndsWith("0Z")) return Helpers.ConvertTimestampToUnixEpoch(value);
		694
		695		//This string corresponds to the max int, and is usually set in accountexpires
	4	696		if (value == "9223372036854775807") return -1;
		697
		698		//Try parsing as an int
	4	699		if (int.TryParse(value, out var num)) return num;
		700
		701		// If we have binary unicode, encode it
	293	702		foreach (char c in value) {
	95	703		if (char.IsControl(c)) return System.Text.Encoding.UTF8.GetBytes(value);
	93	704		}
		705
		706		//Just return the property as a string
	3	707		return value;
	4	708		}
		709
		710		private static List<string> ConvertEncryptionTypes(string encryptionTypes)
	7	711		{
	14	712		if (encryptionTypes == null) {
	7	713		return null;
		714		}
		715
	0	716		int encryptionTypesInt = Int32.Parse(encryptionTypes);
	0	717		List<string> supportedEncryptionTypes = new List<string>();
	0	718		if (encryptionTypesInt == 0) {
	0	719		supportedEncryptionTypes.Add("Not defined");
	0	720		}
		721
	0	722		if ((encryptionTypesInt & KerberosEncryptionTypes.DES_CBC_CRC) == KerberosEncryptionTypes.DES_CBC_CRC)
	0	723		{
	0	724		supportedEncryptionTypes.Add("DES-CBC-CRC");
	0	725		}
	0	726		if ((encryptionTypesInt & KerberosEncryptionTypes.DES_CBC_MD5) == KerberosEncryptionTypes.DES_CBC_MD5)
	0	727		{
	0	728		supportedEncryptionTypes.Add("DES-CBC-MD5");
	0	729		}
	0	730		if ((encryptionTypesInt & KerberosEncryptionTypes.RC4_HMAC_MD5) == KerberosEncryptionTypes.RC4_HMAC_MD5)
	0	731		{
	0	732		supportedEncryptionTypes.Add("RC4-HMAC-MD5");
	0	733		}
	0	734		if ((encryptionTypesInt & KerberosEncryptionTypes.AES128_CTS_HMAC_SHA1_96) == KerberosEncryptionTypes.AES128
	0	735		{
	0	736		supportedEncryptionTypes.Add("AES128-CTS-HMAC-SHA1-96");
	0	737		}
	0	738		if ((encryptionTypesInt & KerberosEncryptionTypes.AES256_CTS_HMAC_SHA1_96) == KerberosEncryptionTypes.AES256
	0	739		{
	0	740		supportedEncryptionTypes.Add("AES256-CTS-HMAC-SHA1-96");
	0	741		}
		742
	0	743		return supportedEncryptionTypes;
	7	744		}
		745
		746		private static string ConvertNanoDuration(long duration)
	0	747		{
		748		// In case duration is long.MinValue, Math.Abs will overflow.  Value represents Forever or Never
	0	749		if (duration == long.MinValue) {
	0	750		return "Forever";
		751		// And if the value is positive, it indicates an error code
	0	752		} else if (duration > 0) {
	0	753		return null;
		754		}
		755
		756		// duration is in 100-nanosecond intervals
		757		// Convert it to TimeSpan (which uses 1 tick = 100 nanoseconds)
	0	758		TimeSpan durationSpan = TimeSpan.FromTicks(Math.Abs(duration));
		759
		760		// Create a list to hold non-zero time components
	0	761		List<string> timeComponents = new List<string>();
		762
		763		// Add each time component if it's greater than zero
	0	764		if (durationSpan.Days > 0)
	0	765		{
	0	766		timeComponents.Add($"{durationSpan.Days} {(durationSpan.Days == 1 ? "day" : "days")}");
	0	767		}
	0	768		if (durationSpan.Hours > 0)
	0	769		{
	0	770		timeComponents.Add($"{durationSpan.Hours} {(durationSpan.Hours == 1 ? "hour" : "hours")}");
	0	771		}
	0	772		if (durationSpan.Minutes > 0)
	0	773		{
	0	774		timeComponents.Add($"{durationSpan.Minutes} {(durationSpan.Minutes == 1 ? "minute" : "minutes")}");
	0	775		}
	0	776		if (durationSpan.Seconds > 0)
	0	777		{
	0	778		timeComponents.Add($"{durationSpan.Seconds} {(durationSpan.Seconds == 1 ? "second" : "seconds")}");
	0	779		}
		780
		781		// Join the non-zero components into a single readable string
	0	782		string readableDuration = string.Join(", ", timeComponents);
		783
	0	784		return readableDuration;
	0	785		}
		786
		787		/// <summary>
		788		///     Converts PKIExpirationPeriod/PKIOverlappedPeriod attributes to time approximate times
		789		/// </summary>
		790		/// <remarks>https://www.sysadmins.lv/blog-en/how-to-convert-pkiexirationperiod-and-pkioverlapperiod-active-dire
		791		/// <param name="bytes"></param>
		792		/// <returns>Returns a string representing the time period associated with the input byte array in a human reada
	2	793		private static string ConvertPKIPeriod(byte[] bytes) {
	2	794		if (bytes == null || bytes.Length == 0)
	2	795		return "Unknown";
		796
	0	797		try {
	0	798		Array.Reverse(bytes);
	0	799		var temp = BitConverter.ToString(bytes).Replace("-", "");
	0	800		var value = Convert.ToInt64(temp, 16) * -.0000001;
		801
	0	802		if (value % 31536000 == 0 && value / 31536000 >= 1) {
	0	803		if (value / 31536000 == 1) return "1 year";
		804
	0	805		return $"{value / 31536000} years";
		806		}
		807
	0	808		if (value % 2592000 == 0 && value / 2592000 >= 1) {
	0	809		if (value / 2592000 == 1) return "1 month";
		810
	0	811		return $"{value / 2592000} months";
		812		}
		813
	0	814		if (value % 604800 == 0 && value / 604800 >= 1) {
	0	815		if (value / 604800 == 1) return "1 week";
		816
	0	817		return $"{value / 604800} weeks";
		818		}
		819
	0	820		if (value % 86400 == 0 && value / 86400 >= 1) {
	0	821		if (value / 86400 == 1) return "1 day";
		822
	0	823		return $"{value / 86400} days";
		824		}
		825
	0	826		if (value % 3600 == 0 && value / 3600 >= 1) {
	0	827		if (value / 3600 == 1) return "1 hour";
		828
	0	829		return $"{value / 3600} hours";
		830		}
		831
	0	832		return "";
	0	833		} catch (Exception) {
	0	834		return "Unknown";
		835		}
	2	836		}
		837
		838		[DllImport("Advapi32", SetLastError = false)]
		839		private static extern bool IsTextUnicode(byte[] buf, int len, ref IsTextUnicodeFlags opt);
		840
		841		[Flags]
		842		[SuppressMessage("ReSharper", "UnusedMember.Local")]
		843		[SuppressMessage("ReSharper", "InconsistentNaming")]
		844		private enum IsTextUnicodeFlags {
		845		IS_TEXT_UNICODE_ASCII16 = 0x0001,
		846		IS_TEXT_UNICODE_REVERSE_ASCII16 = 0x0010,
		847
		848		IS_TEXT_UNICODE_STATISTICS = 0x0002,
		849		IS_TEXT_UNICODE_REVERSE_STATISTICS = 0x0020,
		850
		851		IS_TEXT_UNICODE_CONTROLS = 0x0004,
		852		IS_TEXT_UNICODE_REVERSE_CONTROLS = 0x0040,
		853
		854		IS_TEXT_UNICODE_SIGNATURE = 0x0008,
		855		IS_TEXT_UNICODE_REVERSE_SIGNATURE = 0x0080,
		856
		857		IS_TEXT_UNICODE_ILLEGAL_CHARS = 0x0100,
		858		IS_TEXT_UNICODE_ODD_LENGTH = 0x0200,
		859		IS_TEXT_UNICODE_DBCS_LEADBYTE = 0x0400,
		860		IS_TEXT_UNICODE_NULL_BYTES = 0x1000,
		861
		862		IS_TEXT_UNICODE_UNICODE_MASK = 0x000F,
		863		IS_TEXT_UNICODE_REVERSE_MASK = 0x00F0,
		864		IS_TEXT_UNICODE_NOT_UNICODE_MASK = 0x0F00,
		865		IS_TEXT_UNICODE_NOT_ASCII_MASK = 0xF000
		866		}
		867		}
		868
		869		public class ParsedCertificate {
		870		public string Thumbprint { get; set; }
		871		public string Name { get; set; }
		872		public string[] Chain { get; set; }
		873		public bool HasBasicConstraints { get; set; }
		874		public int BasicConstraintPathLength { get; set; }
		875
		876		public ParsedCertificate(byte[] rawCertificate) {
		877		var parsedCertificate = new X509Certificate2(rawCertificate);
		878		Thumbprint = parsedCertificate.Thumbprint;
		879		var name = parsedCertificate.FriendlyName;
		880		Name = string.IsNullOrEmpty(name) ? Thumbprint : name;
		881
		882		// Chain
		883		try {
		884		var chain = new X509Chain();
		885		chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;
		886		chain.Build(parsedCertificate);
		887		var temp = new List<string>();
		888		foreach (var cert in chain.ChainElements) temp.Add(cert.Certificate.Thumbprint);
		889		Chain = temp.ToArray();
		890		} catch (Exception e) {
		891		Logging.LogProvider.CreateLogger("ParsedCertificate").LogWarning(e, "Failed to read certificate chain fo
		892		Chain = Array.Empty<string>();
		893		}
		894
		895
		896		// Extensions
		897		var extensions = parsedCertificate.Extensions;
		898		foreach (var extension in extensions) {
		899		var certificateExtension = new CertificateExtension(extension);
		900		switch (certificateExtension.Oid.Value) {
		901		case CAExtensionTypes.BasicConstraints:
		902		var ext = (X509BasicConstraintsExtension)extension;
		903		HasBasicConstraints = ext.HasPathLengthConstraint;
		904		BasicConstraintPathLength = ext.PathLengthConstraint;
		905		break;
		906		}
		907		}
		908		}
		909		}
		910
		911		public class UserProperties {
		912		public Dictionary<string, object> Props { get; set; } = new();
		913		public TypedPrincipal[] AllowedToDelegate { get; set; } = Array.Empty<TypedPrincipal>();
		914		public TypedPrincipal[] SidHistory { get; set; } = Array.Empty<TypedPrincipal>();
		915		public bool UnconstrainedDelegation { get; set; }
		916		}
		917
		918		public class ComputerProperties {
		919		public Dictionary<string, object> Props { get; set; } = new();
		920		public TypedPrincipal[] AllowedToDelegate { get; set; } = Array.Empty<TypedPrincipal>();
		921		public TypedPrincipal[] AllowedToAct { get; set; } = Array.Empty<TypedPrincipal>();
		922		public TypedPrincipal[] SidHistory { get; set; } = Array.Empty<TypedPrincipal>();
		923		public TypedPrincipal[] DumpSMSAPassword { get; set; } = Array.Empty<TypedPrincipal>();
		924		public bool UnconstrainedDelegation { get; set; }
		925		}
		926
		927		public class IssuancePolicyProperties {
		928		public Dictionary<string, object> Props { get; set; } = new();
		929		public TypedPrincipal GroupLink { get; set; } = new TypedPrincipal();
		930		}
		931		}