Manage ServicePrincipalName Properties Using PowerShell

Check out these awesome PowerShell tips on setting up service accounts in Active Directory.

by Rob Sanders
Mar. 29, 16 · Integration Zone · Analysis

A few years ago [1] I wrote about how you could enable Domain Accounts to self-manage their ServicePrincipalNames.  This is particularly advantageous when using Kerberos to secure services.

We recently needed to set up some service accounts in Active Directory to participate in establishing a Kerberos capability for middleware integration. I began unpacking the ADSIEdit approach, but stopped.  Whilst you can reach your end goal using the “established” approaches, it’s an absolute pain to deploy these changes to other environments.  Surely there must be a better way?

Enter PowerShell. We can automate (by scripting) the ability to grant Active Directory accounts the ability to read and write ServicePrincipalName. Eureka!  Full credit goes to this excellent answer on StackOverflow [2].

Function Set-SpnPermission {
  param(
    [adsi]$TargetObject,                           # the AD object whose ACL is modified (bound via LDAP://)
    [Security.Principal.IdentityReference]$Identity, # the principal being granted the right
    [switch]$Write,
    [switch]$Read
  )
  if(!$write -and !$read){
    throw "Missing either -read or -write"
  }
  # Look up the schemaIDGUID of the Service-Principal-Name attribute so the ACE
  # is scoped to that single property rather than to all properties.
  $rootDSE = [adsi]"LDAP://RootDSE"
  $schemaDN = $rootDSE.psbase.properties["schemaNamingContext"][0]
  $spnDN = "LDAP://CN=Service-Principal-Name,$schemaDN"
  $spnEntry = [adsi]$spnDN
  # schemaIDGUID is stored as a byte[]; wrap it in a one-element array so
  # New-Object passes it as a single constructor argument.
  $guidArg=@("")
  $guidArg[0]=$spnEntry.psbase.Properties["schemaIDGUID"][0]
  $spnSecGuid = new-object GUID $guidArg
  # Translate the switches into the ActiveDirectoryRights flags for the ACE.
  if($read ){$adRight=[DirectoryServices.ActiveDirectoryRights]"ReadProperty" }
  if($write){$adRight=[DirectoryServices.ActiveDirectoryRights]"WriteProperty"}
  if($write -and $read){$adRight=[DirectoryServices.ActiveDirectoryRights]"readproperty,writeproperty"}
  # Allow ACE on the SPN property only, with no inheritance to child objects.
  $accessRuleArgs = $identity,$adRight,"Allow",$spnSecGuid,"None"
  $spnAce = new-object DirectoryServices.ActiveDirectoryAccessRule $accessRuleArgs
  $TargetObject.psbase.ObjectSecurity.AddAccessRule($spnAce)
  $TargetObject.psbase.CommitChanges()
  return $spnAce
}

Now, you’d invoke this function this way:

# The string is cast to [adsi] by the parameter type, which binds the object over LDAP.
$TargetObject = "LDAP://CN=svc_account,OU=Service Accounts,DC=Development,DC=sanderstechnology,DC=com"
# Grant the account the right on its own object, so it can self-register its SPNs.
$Identity = [security.principal.ntaccount]"DEVELOPMENT\svc_account"
Set-SpnPermission -TargetObject $TargetObject -Identity $Identity -write -read

Voila!
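After committing the change you will want to confirm that exactly the intended principal received the right, and that nothing broader (a blanket property grant or GenericAll) already covers the attribute. The following audit function is an added example written for this article, not part of the original post or the StackOverflow answer; it reuses the same schemaIDGUID lookup and assumes the same domain and distinguished name as above (substitute your own).

```powershell
# Added example: list every ACE on an AD object that grants read or write on
# servicePrincipalName. Assumes domain connectivity; the DN below is from the
# article and is only a placeholder for your own object.
Function Get-SpnPermission {
  param(
    [Parameter(Mandatory)][adsi]$TargetObject
  )
  # Same schemaIDGUID resolution as Set-SpnPermission, so both scripts agree
  # on which property-specific ACEs belong to servicePrincipalName.
  $rootDSE  = [adsi]"LDAP://RootDSE"
  $schemaDN = $rootDSE.psbase.Properties["schemaNamingContext"][0]
  $spnEntry = [adsi]"LDAP://CN=Service-Principal-Name,$schemaDN"
  $spnGuid  = New-Object Guid (,[byte[]]$spnEntry.psbase.Properties["schemaIDGUID"][0])

  $acl = $TargetObject.psbase.ObjectSecurity
  # GetAccessRules(includeExplicit, includeInherited, targetType): resolve SIDs to names.
  $rules = $acl.GetAccessRules($true, $true, [Security.Principal.NTAccount])
  foreach ($rule in $rules) {
    $rights = $rule.ActiveDirectoryRights
    # An ACE touches the SPN attribute when its ObjectType is the attribute's
    # schemaIDGUID, or when ObjectType is empty (the ACE covers all properties).
    # Note: property-set ACEs (a different GUID) are not resolved by this check.
    $coversSpn = ($rule.ObjectType -eq $spnGuid) -or ($rule.ObjectType -eq [Guid]::Empty)
    $propRight = $rights.HasFlag([DirectoryServices.ActiveDirectoryRights]::WriteProperty) -or
                 $rights.HasFlag([DirectoryServices.ActiveDirectoryRights]::ReadProperty) -or
                 $rights.HasFlag([DirectoryServices.ActiveDirectoryRights]::GenericAll)
    if ($coversSpn -and $propRight) {
      [pscustomobject]@{
        Identity      = $rule.IdentityReference.Value
        Rights        = $rights
        Type          = $rule.AccessControlType      # Allow or Deny
        SpnSpecific   = ($rule.ObjectType -eq $spnGuid)
        Inherited     = $rule.IsInherited
      }
    }
  }
}

# Usage: after Set-SpnPermission, expect one Allow row for DEVELOPMENT\svc_account
# with SpnSpecific = True; any extra WriteProperty/GenericAll rows deserve review.
Get-SpnPermission -TargetObject "LDAP://CN=svc_account,OU=Service Accounts,DC=Development,DC=sanderstechnology,DC=com" |
  Format-Table -AutoSize
```

Running this before and after the grant gives a simple diff you can keep with the deployment script for each environment.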

[1] http://sanderstechnology.com/2010/some-handy-articles-on-configuring-kerberos-with-service-principal-names-spns/9987/
[2] http://stackoverflow.com/questions/4156743/powershell-how-do-you-set-the-read-write-service-principal-name-ad-permissions


Published at DZone with permission of Rob Sanders, DZone MVB. See the original article here.
