ActiveDirectoryManagementFramework / ADMF

Module for managing configuration contexts for Active Directory
MIT License

gMSA: Update of servicePrincipalName removes SPN #59

Closed dbeugger closed 2 weeks ago

dbeugger commented 4 months ago
PS>  Get-Module admf | ft Name, Version
Name Version
---- -------
ADMF 1.13.100

I create a gMSA with the following psd1 code:

@(
    @{
        Name = 'svc-AdmfTestSpn'
        Path = 'CN=Users,%DomainDN%'
        Description = 'Second service Account'
        DNSHostName = 'svc-AdmfTestSpn.%domainfqdn%'
        ComputerNameOptional = @(
            'ADMFADMINDC1$'
            'ADMFADMINDC2$'
        )
        ServicePrincipalName = @( 
            'HOST/svc_three.%domainfqdn%'
            'HTML/svc_three.%domainfqdn%'
        )
    }
)

Invoke-AdmfDomain creates the account without any problem.

PS> (Get-ADServiceAccount svc-AdmfTestSpn -Properties *).ServicePrincipalName
HTML/svc_three.test.local
HOST/svc_three.test.local

But when the value for ServicePrincipalName is updated from Invoke-AdmfDomain, the attribute is then an empty string. I found no way with Invoke-AdmfDomain to fix the value for ServicePrincipalName. Here are my PowerShell steps:

PS> # Show SPN
PS> (Get-ADServiceAccount svc-AdmfTestSpn -Properties *).ServicePrincipalName
HTML/svc_three.%domainfqdn%
HOST/svc_three.%domainfqdn%
PS> #
PS> # Changing 'HTML/svc_three.%domainfqdn%' one SPN by adding an x
PS> Set-ADServiceAccount svc-AdmfTestSpn -ServicePrincipalNames @{replace='HOST/svc_three.%domainfqdn%', 'HTML/svc_threex.%domainfqdn%'}
PS> (Get-ADServiceAccount svc-AdmfTestSpn -Properties *).ServicePrincipalName
HTML/svc_threex.%domainfqdn%
HOST/svc_three.%domainfqdn%

PS> # Use ADMF to correct it
PS> import-Module ADMF -Force
PS> Set-AdmfContext -Context Default
PS> Test-AdmfDomain -Options ServiceAccount -Server $env:USERDNSDOMAIN
[21:14:42][Resolve-DomainController] Resolved domain controller to use. Operating against WIN-UF9NFLCPUVR.test.local
[21:14:42][Test-AdmfDomain] Executing tests to verify ServiceAccounts against WIN-UF9NFLCPUVR.test.local
Server                     Type   ObjectType     Identity        Changed
------                     ----   ----------     --------        -------
WIN-UF9NFLCPUVR.test.local Update ServiceAccount svc-AdmfTestSpn {Update: HTML/svc_threex.%domainfqdn% HOST/svc_thre...

PS> Invoke-AdmfDomain -Options ServiceAccount -Server $env:USERDNSDOMAIN
[21:14:57][Resolve-DomainController] Resolved domain controller to use. Operating against WIN-UF9NFLCPUVR.test.local
[21:14:57][Invoke-AdmfDomain] Performing updates to ServiceAccounts against WIN-UF9NFLCPUVR.test.local

PS> # Show SPN
PS> (Get-ADServiceAccount svc-AdmfTestSpn -Properties *).ServicePrincipalName
PS> '' -eq (Get-ADServiceAccount svc-AdmfTestSpn -Properties *).ServicePrincipalName
True
PS> (Get-ADServiceAccount svc-AdmfTestSpn -Properties *).ServicePrincipalName.GetType()
IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     False    ADPropertyValueCollection                System.Collections.CollectionBase
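
A check an operator can run after Invoke-AdmfDomain to catch the emptied servicePrincipalName shown above, added here as an example and not taken from ADMF or from the issue. It assumes the ActiveDirectory module is available and expands the %domainfqdn% placeholder itself from $env:USERDNSDOMAIN, since it compares against the expanded SPNs stored on the account.

```powershell
# Added example (not ADMF code): compare a gMSA's stored SPNs with the intended
# set from the psd1 and flag the empty-collection case from this issue.
function Test-GmsaSpnDrift {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Identity,
        [Parameter(Mandatory)] [string[]] $ExpectedSpn,
        [string] $DomainFqdn = $env:USERDNSDOMAIN,   # assumption: same as ADMF's %domainfqdn%
        [string] $Server
    )

    # Expand the placeholder the psd1 uses so the comparison is literal.
    $expected = @($ExpectedSpn | ForEach-Object { $_ -replace '%domainfqdn%', $DomainFqdn })

    $params = @{ Identity = $Identity; Properties = 'ServicePrincipalName' }
    if ($Server) { $params.Server = $Server }
    $account = Get-ADServiceAccount @params

    # ADPropertyValueCollection can be empty and then compares equal to '';
    # normalise it to a plain array so the empty case is detected explicitly.
    $actual = @($account.ServicePrincipalName | Where-Object { $_ })

    # -notcontains is case-insensitive in PowerShell, matching AD's SPN handling.
    $missing = @($expected | Where-Object { $actual -notcontains $_ })
    $extra   = @($actual   | Where-Object { $expected -notcontains $_ })

    [pscustomobject]@{
        Identity = $Identity
        Empty    = ($actual.Count -eq 0)
        Missing  = $missing
        Extra    = $extra
        InSync   = ($missing.Count -eq 0 -and $extra.Count -eq 0)
    }
}

# Usage with the values from the psd1 in this issue:
$result = Test-GmsaSpnDrift -Identity 'svc-AdmfTestSpn' -ExpectedSpn @(
    'HOST/svc_three.%domainfqdn%'
    'HTML/svc_three.%domainfqdn%'
)
if ($result.Empty) { Write-Warning "$($result.Identity): servicePrincipalName is empty" }
$result
```

Run it before and after Invoke-AdmfDomain; Empty = True reproduces the symptom reported here, while Missing and Extra show ordinary drift such as the svc_threex change.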

dbeugger commented 2 months ago

I would be very happy to receive any feedback.

FriedrichWeinmann commented 3 weeks ago

Thank you for your patience here and sorry for the wait :( Still puzzling on this one but I have to call it a night now, so I won't be able to make the promised timeline, sorry. Will resume today once I'm back from my customer engagement.

FriedrichWeinmann commented 2 weeks ago

Fix has been released in 1.8.205

dbeugger commented 2 weeks ago

Did some successful testing with the new version. Many thanks!

dbeugger commented 2 weeks ago

Closed