Manage ServicePrincipalName Properties Using PowerShell
Manage ServicePrincipalName Properties Using PowerShell
Check out these awesome PowerShell tips on setting up service accounts in Active Directory.
Join the DZone community and get the full member experience.
Join For FreeWSO2 is the only open source vendor to be named a leader in The Forrester Wave™: API Management Solutions, Q4 2018 Report. Download the report now or try out our product for free.
A few years ago [1] I wrote about how you could enable Domain Accounts to self-manage their ServicePrincipalNames. This is particularly advantageous when using Kerberos to secure services.
We recently needed to set up some service accounts in Active Directory to participate in establishing a Kerberos capability for middleware integration. I began unpacking the ADSIEdit approach, but stopped. Whilst you can reach your end goal using the “established” approaches, it’s an absolute pain to deploy these changes to other environments. Surely there must be a better way?
Enter PowerShell. We can automate (by scripting) the ability to grant Active Directory accounts the ability to read and write ServicePrincipalName. Eureka! Full credit goes to this excellent answer on StackOverflow [2].
Function Set-SpnPermission {
param(
[adsi]$TargetObject,
[Security.Principal.IdentityReference]$Identity,
[switch]$Write,
[switch]$Read
)
if(!$write -and !$read){
throw "Missing either -read or -write"
}
$rootDSE = [adsi]"LDAP://RootDSE"
$schemaDN = $rootDSE.psbase.properties["schemaNamingContext"][0]
$spnDN = "LDAP://CN=Service-Principal-Name,$schemaDN"
$spnEntry = [adsi]$spnDN
$guidArg=@("")
$guidArg[0]=$spnEntry.psbase.Properties["schemaIDGUID"][0]
$spnSecGuid = new-object GUID $guidArg
if($read ){$adRight=[DirectoryServices.ActiveDirectoryRights]"ReadProperty" }
if($write){$adRight=[DirectoryServices.ActiveDirectoryRights]"WriteProperty"}
if($write -and $read){$adRight=[DirectoryServices.ActiveDirectoryRights]"readproperty,writeproperty"}
$accessRuleArgs = $identity,$adRight,"Allow",$spnSecGuid,"None"
$spnAce = new-object DirectoryServices.ActiveDirectoryAccessRule $accessRuleArgs
$TargetObject.psbase.ObjectSecurity.AddAccessRule($spnAce)
$TargetObject.psbase.CommitChanges()
return $spnAce
}Now, you’d invoke this function this way:
$TargetObject = "LDAP://CN=svc_account,OU=Service Accounts,DC=Development,DC=sanderstechnology,DC=com"
$Identity = [security.principal.ntaccount]"DEVELOPMENT\svc_account"
Set-SpnPermission -TargetObject $TargetObject -Identity $Identity -write -readVoila!
[1] http://sanderstechnology.com/2010/some-handy-articles-on-configuring-kerberos-with-service-principal-names-spns/9987/
[2] http://stackoverflow.com/questions/4156743/powershell-how-do-you-set-the-read-write-service-principal-name-ad-permissions
Read the WSO2 Methodology for Agility to see how you can transform your integration projects from semi-agile to a scalable continuous agile approach.
Like This Article? Read More From DZone
Published at DZone with permission of Rob Sanders , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.
{{ parent.title || parent.header.title}}
{{ parent.tldr }}
{{ parent.linkDescription }}
{{ parent.urlSource.name }}