Over a million developers have joined DZone.

Manage ServicePrincipalName Properties Using PowerShell

Check out these awesome PowerShell tips on setting up service accounts in Active Directory.

· Integration Zone

Is iPaaS solving the right problems? Not knowing the fundamental difference between iPaaS and dPaaS could cost you down the road. Brought to you in partnership with Liaison Technologies.

A few years ago [1] I wrote about how you could enable Domain Accounts to self-manage their ServicePrincipalNames.  This is particularly advantageous when using Kerberos to secure services.

We recently needed to set up some service accounts in Active Directory to participate in establishing a Kerberos capability for middleware integration. I began unpacking the ADSIEdit approach, but stopped.  Whilst you can reach your end goal using the “established” approaches, it’s an absolute pain to deploy these changes to other environments.  Surely there must be a better way?

Enter PowerShell. We can automate (by scripting) the ability to grant Active Directory accounts the ability to read and write ServicePrincipalName. Eureka!  Full credit goes to this excellent answer on StackOverflow [2].

Function Set-SpnPermission {
  param(
    [adsi]$TargetObject,
    [Security.Principal.IdentityReference]$Identity,
    [switch]$Write,
    [switch]$Read
  )
  if(!$write -and !$read){
    throw "Missing either -read or -write"
  }
  $rootDSE = [adsi]"LDAP://RootDSE"
  $schemaDN = $rootDSE.psbase.properties["schemaNamingContext"][0]
  $spnDN = "LDAP://CN=Service-Principal-Name,$schemaDN"
  $spnEntry = [adsi]$spnDN
  $guidArg=@("")
  $guidArg[0]=$spnEntry.psbase.Properties["schemaIDGUID"][0]
  $spnSecGuid = new-object GUID $guidArg
  if($read ){$adRight=[DirectoryServices.ActiveDirectoryRights]"ReadProperty" }
  if($write){$adRight=[DirectoryServices.ActiveDirectoryRights]"WriteProperty"}
  if($write -and $read){$adRight=[DirectoryServices.ActiveDirectoryRights]"readproperty,writeproperty"}
  $accessRuleArgs = $identity,$adRight,"Allow",$spnSecGuid,"None"
  $spnAce = new-object DirectoryServices.ActiveDirectoryAccessRule $accessRuleArgs
  $TargetObject.psbase.ObjectSecurity.AddAccessRule($spnAce)
  $TargetObject.psbase.CommitChanges()    
  return $spnAce
}

Now, you’d invoke this function this way:

$TargetObject = "LDAP://CN=svc_account,OU=Service Accounts,DC=Development,DC=sanderstechnology,DC=com"
$Identity = [security.principal.ntaccount]"DEVELOPMENT\svc_account" 
Set-SpnPermission -TargetObject $TargetObject -Identity $Identity -write -read

Voila!

[1] http://sanderstechnology.com/2010/some-handy-articles-on-configuring-kerberos-with-service-principal-names-spns/9987/
[2] http://stackoverflow.com/questions/4156743/powershell-how-do-you-set-the-read-write-service-principal-name-ad-permissions

Discover the unprecedented possibilities and challenges, created by today’s fast paced data climate and why your current integration solution is not enough, brought to you in partnership with Liaison Technologies.

Topics:
security ,powershell ,kerberos ,integartion ,performance

Published at DZone with permission of Rob Sanders, DZone MVB. See the original article here.

Opinions expressed by DZone contributors are their own.

The best of DZone straight to your inbox.

SEE AN EXAMPLE
Please provide a valid email address.

Thanks for subscribing!

Awesome! Check your inbox to verify your email so you can start receiving the latest in tech news and resources.
Subscribe

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}