dsccommunity / ActiveDirectoryDsc

This module contains DSC resources for deployment and configuration of Active Directory Domain Services.
MIT License

ADServicePrincipalName: Add Credential parameter #646

Closed ixniz closed 3 years ago

ixniz commented 3 years ago

Details of the scenario you tried and the problem that is occurring

Using the ADServicePrincipalName resource on a member server result in "Insufficient access rights to perform the operation".

Verbose logs showing the problem

VERBOSE: [ADFS01]: LCM:  [ Start  Resource ]  [[ADServicePrincipalName]SVC_ADFS]
VERBOSE: [ADFS01]: LCM:  [ Start  Test     ]  [[ADServicePrincipalName]SVC_ADFS]
VERBOSE: [ADFS01]:                            [[ADServicePrincipalName]SVC_ADFS] Getting service principal name 'HOST/fs.testlab.local'. (ADSPN0001)
VERBOSE: [ADFS01]:                            [[ADServicePrincipalName]SVC_ADFS] Service principal name 'HOST/fs.testlab.local' is absent. (ADSPN0002)
VERBOSE: [ADFS01]:                            [[ADServicePrincipalName]SVC_ADFS] Service principal name 'HOST/fs.testlab.local' is not in the desired state. (ADSPN0008)
VERBOSE: [ADFS01]: LCM:  [ End    Test     ]  [[ADServicePrincipalName]SVC_ADFS]  in 0.0310 seconds.
VERBOSE: [ADFS01]: LCM:  [ Start  Set      ]  [[ADServicePrincipalName]SVC_ADFS]
VERBOSE: [ADFS01]:                            [[ADServicePrincipalName]SVC_ADFS] Adding service principal name 'HOST/fs.testlab.local' to account 'SVC_ADFS$. (ADSPN0006)
Insufficient access rights to perform the operation
    + CategoryInfo          : NotSpecified: (CN=SVC_ADFS,CN=M...estlab,DC=local:) [], CimException
    + FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.SetADObject
    + PSComputerName        : ADFS01

VERBOSE: [ADFS01]: LCM:  [ End    Set      ]  [[ADServicePrincipalName]SVC_ADFS]  in 0.2980 seconds.
The PowerShell DSC resource '[ADServicePrincipalName]SVC_ADFS' with SourceInfo 'C:\Install\New-TLAdfsFarm.ps1::54::9::ADServicePrincipalName' threw one or more non-terminating errors while running the Set-TargetResource functionality. These errors are logged to the ETW channel called Microsoft-Windows-DSC/Operational. Refer to this channel for more details.
    + CategoryInfo          : InvalidOperation: (:) [], CimException
    + FullyQualifiedErrorId : NonTerminatingErrorFromProvider
    + PSComputerName        : ADFS01

Suggested solution to the issue

Add a Credential parameter, which would allow us to specify the Credentials when running on a server that is not a Domain Controller.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

        ADManagedServiceAccount 'SVC_ADFS'
        {
            DependsOn                     = '[WindowsFeature]RSAT-AD-PowerShell'
            Ensure                        = 'Present'
            ServiceAccountName            = 'SVC_ADFS'
            AccountType                   = 'Group'
            ManagedPasswordPrincipals     = "$($env:COMPUTERNAME)`$"
            DomainController              = (Get-ADDomainController -Discover).HostName
            Credential                    = $DomainAdminCredential
        }

        ADServicePrincipalName 'SVC_ADFS'
        {
            DependsOn                     = '[ADManagedServiceAccount]SVC_ADFS'
            ServicePrincipalName          = "HOST/$($Node.FederationServiceName)"
            Account                       = $Node.GroupServiceAccountIdentifier
        }

The operating system the target node is running

OsName               : Microsoft Windows Server 2016 Datacenter Evaluation
OsOperatingSystemSKU : 80
OsArchitecture       : 64-bit
WindowsBuildLabEx    : 14393.693.amd64fre.rs1_release.161220-1747
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.14393.693
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.14393.693
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used

ModuleType Version    Name
---------- -------    ----
Manifest   6.1.0      ActiveDirectoryDsc

X-Guardian commented 3 years ago

Hi @ixniz, as long as the device that you are executing the DSC on is domain connected and is running PowerShell 5 or above, you can use the automatic PsDscRunAsCredential property to specify your desired domain credentials for each resource. See Use Credentials with DSC Resource for further info.
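The following is an added example, not code from the issue or from the ActiveDirectoryDsc project. It takes the reproduction configuration from the issue and applies the suggestion above: ADServicePrincipalName has no Credential parameter, so the automatic PsDscRunAsCredential property supplies the domain identity under which the LCM runs the resource's Get/Test/Set functions, and the SPN write reaches the domain controller as that account instead of the member server's computer account. The node name, federation service name, certificate path and thumbprint are constructed placeholders.

```powershell
# Added example (not from the issue or the ActiveDirectoryDsc project).
# Credentials in the compiled MOF are encrypted with the target node's DSC
# certificate (CertificateFile/Thumbprint) rather than stored with
# PSDscAllowPlainTextPassword; PSDscAllowDomainUser is required because the
# credential is a domain account.
$ConfigurationData = @{
    AllNodes = @(
        @{
            NodeName                      = 'ADFS01'                   # constructed
            FederationServiceName         = 'fs.testlab.local'         # constructed
            GroupServiceAccountIdentifier = 'SVC_ADFS$'                # constructed
            CertificateFile               = 'C:\DscCerts\ADFS01.cer'   # constructed path
            Thumbprint                    = 'THUMBPRINT-PLACEHOLDER'   # placeholder
            PSDscAllowDomainUser          = $true
        }
    )
}

Configuration AdfsServiceAccountSpn
{
    param
    (
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        $DomainAdminCredential
    )

    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Import-DscResource -ModuleName ActiveDirectoryDsc

    Node $AllNodes.NodeName
    {
        # The AD PowerShell module is needed on the member server for both resources.
        WindowsFeature 'RSAT-AD-PowerShell'
        {
            Name   = 'RSAT-AD-PowerShell'
            Ensure = 'Present'
        }

        # ADManagedServiceAccount exposes its own Credential parameter.
        ADManagedServiceAccount 'SVC_ADFS'
        {
            DependsOn                 = '[WindowsFeature]RSAT-AD-PowerShell'
            Ensure                    = 'Present'
            ServiceAccountName        = 'SVC_ADFS'
            AccountType               = 'Group'
            ManagedPasswordPrincipals = "$($Node.NodeName)`$"
            Credential                = $DomainAdminCredential
        }

        # ADServicePrincipalName does not; the automatic PsDscRunAsCredential
        # property makes the LCM impersonate the domain account for this resource.
        ADServicePrincipalName 'SVC_ADFS'
        {
            DependsOn            = '[ADManagedServiceAccount]SVC_ADFS'
            ServicePrincipalName = "HOST/$($Node.FederationServiceName)"
            Account              = $Node.GroupServiceAccountIdentifier
            PsDscRunAsCredential = $DomainAdminCredential
        }
    }
}

# Compile the MOF; the prompt collects the account that is allowed to write the SPN.
AdfsServiceAccountSpn -ConfigurationData $ConfigurationData `
    -DomainAdminCredential (Get-Credential -Message 'Account allowed to write servicePrincipalName')
```

The account passed in does not have to be a domain administrator: writing servicePrincipalName on one account only requires the "Validated write to service principal name" permission on that object, so a delegated account scoped to the service account's OU keeps the MOF from carrying a high-privilege credential. Because the credential is encrypted with the node certificate, only the LCM on ADFS01 can decrypt it, and the resulting SPN change is attributable to that account in the domain controller's security log.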

ixniz commented 3 years ago

Thanks, it worked like a charm! I had completely forgotten about that.

johlju commented 3 years ago

Closing this at this time.