/ Integration Zone
Over a million developers have joined DZone.
{{announcement.body}}
{{announcement.title}}

Manage ServicePrincipalName Properties Using PowerShell

DZone's Guide to

Manage ServicePrincipalName Properties Using PowerShell

Check out these awesome PowerShell tips on setting up service accounts in Active Directory.

by
Rob Sanders
·
Mar. 29, 16 · Integration Zone
Free Resource

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Share, secure, distribute, control, and monetize your APIs with the platform built with performance, time-to-value, and growth in mind. Free 90-day trial of 3Scale by Red Hat

A few years ago [1] I wrote about how you could enable Domain Accounts to self-manage their ServicePrincipalNames.  This is particularly advantageous when using Kerberos to secure services.

We recently needed to set up some service accounts in Active Directory to participate in establishing a Kerberos capability for middleware integration. I began unpacking the ADSIEdit approach, but stopped.  Whilst you can reach your end goal using the “established” approaches, it’s an absolute pain to deploy these changes to other environments.  Surely there must be a better way?

Enter PowerShell. We can automate (by scripting) the ability to grant Active Directory accounts the ability to read and write ServicePrincipalName. Eureka!  Full credit goes to this excellent answer on StackOverflow [2].

Function Set-SpnPermission {
  param(
    [adsi]$TargetObject,
    [Security.Principal.IdentityReference]$Identity,
    [switch]$Write,
    [switch]$Read
  )
  if(!$write -and !$read){
    throw "Missing either -read or -write"
  }
  $rootDSE = [adsi]"LDAP://RootDSE"
  $schemaDN = $rootDSE.psbase.properties["schemaNamingContext"][0]
  $spnDN = "LDAP://CN=Service-Principal-Name,$schemaDN"
  $spnEntry = [adsi]$spnDN
  $guidArg=@("")
  $guidArg[0]=$spnEntry.psbase.Properties["schemaIDGUID"][0]
  $spnSecGuid = new-object GUID $guidArg
  if($read ){$adRight=[DirectoryServices.ActiveDirectoryRights]"ReadProperty" }
  if($write){$adRight=[DirectoryServices.ActiveDirectoryRights]"WriteProperty"}
  if($write -and $read){$adRight=[DirectoryServices.ActiveDirectoryRights]"readproperty,writeproperty"}
  $accessRuleArgs = $identity,$adRight,"Allow",$spnSecGuid,"None"
  $spnAce = new-object DirectoryServices.ActiveDirectoryAccessRule $accessRuleArgs
  $TargetObject.psbase.ObjectSecurity.AddAccessRule($spnAce)
  $TargetObject.psbase.CommitChanges()    
  return $spnAce
}

Now, you’d invoke this function this way:

$TargetObject = "LDAP://CN=svc_account,OU=Service Accounts,DC=Development,DC=sanderstechnology,DC=com"
$Identity = [security.principal.ntaccount]"DEVELOPMENT\svc_account" 
Set-SpnPermission -TargetObject $TargetObject -Identity $Identity -write -read

Voila!

[1] http://sanderstechnology.com/2010/some-handy-articles-on-configuring-kerberos-with-service-principal-names-spns/9987/
[2] http://stackoverflow.com/questions/4156743/powershell-how-do-you-set-the-read-write-service-principal-name-ad-permissions

Explore the core elements of owning an API strategy and best practices for effective API programs. Download the API Owner's Manual, brought to you by 3Scale by Red Hat

Like This Article? Read More From DZone

Configuring Tomcat 7 Single Sign-on with SPNEGO (Kerberos & LDAP)
PowerShell: Monitoring and Notifications
Lock Down Your Azure Resources

Free DZone Refcard

RESTful API Lifecycle Management
DOWNLOAD
Topics:
security ,powershell ,kerberos ,integartion ,performance

Comment (0)

Save
Tweet
{{ articles[0].views | formatCount}} Views

Published at DZone with permission of Rob Sanders, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

Integration Partner Resources

O'Reilly Microservice Architecture Book: Aligning Principles, Practices and Culture
Modernizing Application Architectures with Microservices and APIs
The State of API Integration, 2017 and Beyond [Report]
Digital transformation (DX) is continuous way for enterprises to adapt to, or cause, disruptive change using digital competencies.
APIs provide a new avenue for businesses to collaborate with their partners, customers, and teams in new and powerful ways.
Discover how you can achieve enterprise agility with microservices and API management
API Strategy and Architecture eBook
The Finance Integration Guide: 5 Things Experts Consider in Their API Strategy [eBook]

Integration Partner Resources

O'Reilly Microservice Architecture Book: Aligning Principles, Practices and Culture
Modernizing Application Architectures with Microservices and APIs
The State of API Integration, 2017 and Beyond [Report]
Digital transformation (DX) is continuous way for enterprises to adapt to, or cause, disruptive change using digital competencies.
THE DZONE NEWSLETTER

Dev Resources & Solutions Straight to Your Inbox

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.

X

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.linkDescription }}

{{ parent.urlSource.name }}
by {{ parent.authors[0].realName || parent.author}}
· {{ parent.articleDate | date:'MMM. dd, yyyy' }} {{ parent.linkDate | date:'MMM. dd, yyyy' }}
· {{ parent.portal.name }} Zone