From a590bb9d6bf3d0c605dd06a52dd710325ce58138 Mon Sep 17 00:00:00 2001
From: Rich Siegel
Date: Sat, 31 Aug 2024 12:27:51 -0400
Subject: [PATCH] ADManagedServiceAccount: add ServicePrincipalNames setting

* This is a string array and specifies Service Principal Names for an AD Managed Service Account
---
 CHANGELOG.md                                    |  2 ++
 .../MSFT_ADManagedServiceAccount.psm1           | 17 +++++++++++++++++
 .../MSFT_ADManagedServiceAccount.schema.mof     |  1 +
 .../about_ADManagedServiceAccount.help.txt      |  4 ++++
 .../Unit/MSFT_ADManagedServiceAccount.Tests.ps1 | 13 +++++++++++++
 5 files changed, 37 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 88098811..7cf3b732 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,8 @@ For older change log history see the [historic changelog](HISTORIC_CHANGELOG.md)
 - ADManagedServiceAccount
   - New parameter TrustedForDelegation for Kerberos Delegation
     ([issue #717](https://github.com/dsccommunity/ActiveDirectoryDsc/issues/717)).
+  - New parameter TrustedForDelegation for Service Principal Name
+    ([issue #717](https://github.com/dsccommunity/ActiveDirectoryDsc/issues/717)).
 - ADDomainController
   - New parameter UseExistingAccount for attaching a server to an existing RODC account.
     ([issue #711](https://github.com/dsccommunity/ActiveDirectoryDsc/issues/711)).
diff --git a/source/DSCResources/MSFT_ADManagedServiceAccount/MSFT_ADManagedServiceAccount.psm1 b/source/DSCResources/MSFT_ADManagedServiceAccount/MSFT_ADManagedServiceAccount.psm1
index efed7872..4a5e5dc6 100644
--- a/source/DSCResources/MSFT_ADManagedServiceAccount/MSFT_ADManagedServiceAccount.psm1
+++ b/source/DSCResources/MSFT_ADManagedServiceAccount/MSFT_ADManagedServiceAccount.psm1
@@ -96,6 +96,7 @@ function Get-TargetResource
             'Enabled'
             'PrincipalsAllowedToRetrieveManagedPassword'
             'KerberosEncryptionType'
+            'ServicePrincipalNames'
             'TrustedForDelegation'
         )
     }
@@ -159,6 +160,7 @@ function Get-TargetResource
             DistinguishedName         = $adServiceAccount.DistinguishedName
             Enabled                   = $adServiceAccount.Enabled
             KerberosEncryptionType    = $adServiceAccount.KerberosEncryptionType -split (', ')
+            ServicePrincipalNames     = $adServiceAccount.ServicePrincipalNames -split (', ')
             TrustedForDelegation      = $adServiceAccount.TrustedForDelegation
             ManagedPasswordPrincipals = $managedPasswordPrincipals
             MembershipAttribute       = $MembershipAttribute
@@ -178,6 +180,7 @@ function Get-TargetResource
             DistinguishedName         = $null
             Enabled                   = $false
             KerberosEncryptionType    = @()
+            ServicePrincipalNames     = @()
             TrustedForDelegation      = $null
             ManagedPasswordPrincipals = @()
             MembershipAttribute       = $MembershipAttribute
@@ -227,6 +230,9 @@ function Get-TargetResource
         This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute.
 
+    .PARAMETER ServicePrincipalNames
+        Specifies the service principal names for the user account.
+
     .PARAMETER TrustedForDelegation
         Specifies whether an account is trusted for Kerberos delegation. Default value is $false.
@@ -300,6 +306,10 @@ function Test-TargetResource
         [System.String[]]
         $KerberosEncryptionType,
 
+        [Parameter()]
+        [System.String[]]
+        $ServicePrincipalNames,
+
         [Parameter()]
         [ValidateNotNull()]
         [System.Boolean]
@@ -431,6 +441,9 @@ function Test-TargetResource
         This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute.
 
+    .PARAMETER ServicePrincipalNames
+        Specifies the service principal names for the user account.
+
     .PARAMETER TrustedForDelegation
         Specifies whether an account is trusted for Kerberos delegation. Default value is $false.
@@ -512,6 +525,10 @@ function Set-TargetResource
         [System.String[]]
         $KerberosEncryptionType,
 
+        [Parameter()]
+        [System.String[]]
+        $ServicePrincipalNames,
+
         [Parameter()]
         [ValidateNotNull()]
         [System.Boolean]
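Review bot: `ServicePrincipalNames = $adServiceAccount.ServicePrincipalNames -split (', ')` in the Get-TargetResource return hashtable copies the KerberosEncryptionType idiom, but that property is a flags value rendered as one comma-separated string, whereas ServicePrincipalNames from Get-ADServiceAccount is already a collection of strings (presumably an ADPropertyValueCollection). Applied to an array the split is a per-element no-op, and for an account with no SPNs `$null -split ', '` yields a single empty string, so Get would report `@('')` instead of `@()` and a desired empty list could never compare equal. Suggest `ServicePrincipalNames = @($adServiceAccount.ServicePrincipalNames)` and a unit test against an account whose attribute is empty to confirm it returns an empty array. Get-TargetResource starts and ends outside the hunk.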
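Review bot: The new `.PARAMETER ServicePrincipalNames` help text says "for the user account", which reads as copied from a user resource; this resource manages a managed service account, and the same wording recurs in the Test-TargetResource help hunk, in the schema.mof Description and in about_ADManagedServiceAccount.help.txt. Suggest `Specifies the service principal names (SPNs) registered on the managed service account.` in each place. The CHANGELOG entry for this change likewise reads "New parameter TrustedForDelegation for Service Principal Name" where the parameter being added is ServicePrincipalNames.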
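Review bot: Set-TargetResource gains a `$ServicePrincipalNames` parameter but the patch adds no line that applies it: the diffstat's 17 psm1 insertions are fully accounted for by the property list, the two Get hashtables, the two help blocks and the two parameter blocks, so unless Set-TargetResource already forwards every bound parameter generically the value is accepted and silently ignored. If it is forwarded, New-ADServiceAccount takes `-ServicePrincipalNames` as a string array while Set-ADServiceAccount takes it as a hashtable of Add/Remove/Replace, so the update path presumably needs `-ServicePrincipalNames @{ Replace = $ServicePrincipalNames }` or equivalent; the Test-TargetResource parameter hunk has the same gap and must compare the array order-insensitively. It is also worth failing before the write when an SPN is already registered to another principal, since a duplicate SPN breaks Kerberos authentication for both accounts. The bodies of Test-TargetResource and Set-TargetResource lie outside the hunks.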
diff --git a/source/DSCResources/MSFT_ADManagedServiceAccount/MSFT_ADManagedServiceAccount.schema.mof b/source/DSCResources/MSFT_ADManagedServiceAccount/MSFT_ADManagedServiceAccount.schema.mof
index 76625a35..11a5996c 100644
--- a/source/DSCResources/MSFT_ADManagedServiceAccount/MSFT_ADManagedServiceAccount.schema.mof
+++ b/source/DSCResources/MSFT_ADManagedServiceAccount/MSFT_ADManagedServiceAccount.schema.mof
@@ -10,6 +10,7 @@ class MSFT_ADManagedServiceAccount : OMI_BaseResource
     [Write, Description("Specifies the Active Directory Domain Controller instance to use to perform the task. This is only required if not executing the task on a domain controller.")] String DomainController;
     [Write, Description("Specifies whether the user account is created or deleted. If not specified, this value defaults to Present."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
     [Write, Description("Specifies which Kerberos encryption types the account supports when creating service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute."),ValueMap{"None","RC4","AES128","AES256"}, Values{"None","RC4","AES128","AES256"}] String KerberosEncryptionType[];
+    [Write, Description("Specifies the service principal names for the user account.")] String ServicePrincipalNames[];
     [Write, Description("Specifies whether an account is trusted for Kerberos delegation. Default value is $false.")] Boolean TrustedForDelegation;
     [Write, Description("Specifies the membership policy for systems which can use a group managed service account. (ldapDisplayName 'msDS-GroupMSAMembership'). Only used when 'Group' is selected for 'AccountType'.")] String ManagedPasswordPrincipals[];
     [Write, Description("Active Directory attribute used to perform membership operations for Group Managed Service Accounts (gMSA). If not specified, this value defaults to SamAccountName."), ValueMap{"SamAccountName","DistinguishedName","ObjectGUID","ObjectSid"}, Values{"SamAccountName","DistinguishedName","ObjectGUID","ObjectSid"}] String MembershipAttribute;
diff --git a/source/DSCResources/MSFT_ADManagedServiceAccount/en-US/about_ADManagedServiceAccount.help.txt b/source/DSCResources/MSFT_ADManagedServiceAccount/en-US/about_ADManagedServiceAccount.help.txt
index f9474527..97ae3150 100644
--- a/source/DSCResources/MSFT_ADManagedServiceAccount/en-US/about_ADManagedServiceAccount.help.txt
+++ b/source/DSCResources/MSFT_ADManagedServiceAccount/en-US/about_ADManagedServiceAccount.help.txt
@@ -45,6 +45,10 @@ Allowed values: None, RC4, AES128, AES256
     Specifies which Kerberos encryption types the account supports when creating service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute.
 
+.PARAMETER ServicePrincipalNames
+    Write - StringArray
+    Specifies the service principal names for the user account.
+
 .PARAMETER TrustedForDelegation
     Write - Boolean
     Specifies whether an account is trusted for Kerberos delegation. Default value is $false.
diff --git a/tests/Unit/MSFT_ADManagedServiceAccount.Tests.ps1 b/tests/Unit/MSFT_ADManagedServiceAccount.Tests.ps1
index b70497fa..3abb8d07 100644
--- a/tests/Unit/MSFT_ADManagedServiceAccount.Tests.ps1
+++ b/tests/Unit/MSFT_ADManagedServiceAccount.Tests.ps1
@@ -77,6 +77,7 @@ try
             DisplayName               = 'TestSMSA'
             Enabled                   = $true
             KerberosEncryptionType    = 'RC4', 'AES128', 'AES256'
+            ServicePrincipalNames     = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1','HTTP/Node1.contoso.com'
             TrustedForDelegation      = $false
             ManagedPasswordPrincipals = @()
             MembershipAttribute       = 'SamAccountName'
@@ -94,6 +95,7 @@ try
             ManagedPasswordPrincipals = @()
             MembershipAttribute       = $mockAdServiceAccountStandalone.MembershipAttribute
             KerberosEncryptionType    = @()
+            ServicePrincipalNames     = @()
             Ensure                    = 'Absent'
         }
 
@@ -102,6 +104,7 @@ try
             Description               = 'Changed description'
             DisplayName               = 'Changed displayname'
             KerberosEncryptionType    = 'AES128', 'AES256'
+            ServicePrincipalNames     = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1'
             ManagedPasswordPrincipals = $mockADUSer.SamAccountName
         }
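Review bot: The mock accounts now carry ServicePrincipalNames and the "Changed" mock at the -102 hunk uses a shorter list, but no hunk adds an assertion that Test-TargetResource returns $false when only the SPN list differs, or that Set-TargetResource passes the SPNs through to New-ADServiceAccount or Set-ADServiceAccount; if the existing cases iterate over every changed property generically that may already be covered, otherwise a dedicated case is missing. The `@()` values in the Absent mocks also never exercise Get-TargetResource against an account whose ServicePrincipalNames attribute is empty, which is the input on which `-split (', ')` in Get-TargetResource would produce `@('')` rather than `@()`. The enclosing try block and the Describe/Context structure are outside the hunk.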
@@ -114,6 +117,7 @@ try
             DisplayName               = 'TestGMSA'
             Enabled                   = $true
             KerberosEncryptionType    = 'RC4', 'AES128', 'AES256'
+            ServicePrincipalNames     = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1','HTTP/Node1.contoso.com'
             TrustedForDelegation      = $true
             ManagedPasswordPrincipals = $mockADUSer.SamAccountName, $mockADComputer.SamAccountName
             MembershipAttribute       = 'SamAccountName'
@@ -131,6 +135,7 @@ try
             ManagedPasswordPrincipals = @()
             MembershipAttribute       = $mockAdServiceAccountGroup.MembershipAttribute
             KerberosEncryptionType    = @()
+            ServicePrincipalNames     = @()
             TrustedForDelegation      = $null
             Ensure                    = 'Absent'
         }
@@ -142,6 +147,7 @@ try
             DistinguishedName         = $mockAdServiceAccountStandalone.DistinguishedName
             Enabled                   = $mockAdServiceAccountStandalone.Enabled
             KerberosEncryptionType    = $mockAdServiceAccountStandalone.KerberosEncryptionType
+            ServicePrincipalNames     = $mockAdServiceAccountStandalone.ServicePrincipalNames
             TrustedForDelegation      = $mockAdServiceAccountStandalone.TrustedForDelegation
             Name                      = $mockAdServiceAccountStandalone.ServiceAccountName
             ObjectClass               = 'msDS-ManagedServiceAccount'
@@ -158,6 +164,7 @@ try
             DistinguishedName         = $mockAdServiceAccountGroup.DistinguishedName
             Enabled                   = $mockAdServiceAccountGroup.Enabled
             KerberosEncryptionType    = $mockAdServiceAccountGroup.KerberosEncryptionType
+            ServicePrincipalNames     = $mockAdServiceAccountGroup.ServicePrincipalNames
             TrustedForDelegation      = $mockAdServiceAccountGroup.TrustedForDelegation
             Name                      = $mockAdServiceAccountGroup.ServiceAccountName
             ObjectClass               = 'msDS-GroupManagedServiceAccount'
@@ -183,6 +190,7 @@ try
             Credential                = $mockCredentials
             DomainController          = $mockDomainController
             KerberosEncryptionType    = 'RC4', 'AES128', 'AES256'
+            ServicePrincipalNames     = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1','HTTP/Node1.contoso.com'
             TrustedForDelegation      = $false
         }
 
@@ -202,6 +210,7 @@ try
             Credential                = $mockCredentials
             DomainController          = $mockDomainController
             KerberosEncryptionType    = 'RC4', 'AES128', 'AES256'
+            ServicePrincipalNames     = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1','HTTP/Node1.contoso.com'
             TrustedForDelegation      = $false
         }
 
@@ -218,6 +227,7 @@ try
             ManagedPasswordPrincipals = @()
             MembershipAttribute       = 'SamAccountName'
             KerberosEncryptionType    = @()
+            ServicePrincipalNames     = @()
             TrustedForDelegation      = $null
         }
 
@@ -434,6 +444,7 @@ try
             Description               = $mockAdServiceAccountStandalone.Description
             DisplayName               = $mockAdServiceAccountStandalone.DisplayName
             KerberosEncryptionType    = $mockAdServiceAccountStandalone.KerberosEncryptionType
+            ServicePrincipalNames     = $mockAdServiceAccountStandalone.ServicePrincipalNames
             ManagedPasswordPrincipals = $mockAdServiceAccountStandalone.ManagedPasswordPrincipals
             MembershipAttribute       = $mockAdServiceAccountStandalone.MembershipAttribute
             Ensure                    = $mockAdServiceAccountStandalone.Ensure
@@ -567,6 +578,7 @@ try
             Ensure                    = $mockAdServiceAccountStandAlone.Ensure
             DisplayName               = $mockAdServiceAccountStandAlone.DisplayName
             KerberosEncryptionType    = $mockAdServiceAccountStandAlone.KerberosEncryptionType
+            ServicePrincipalNames     = $mockAdServiceAccountStandalone.ServicePrincipalNames
         }
 
         $setTargetResourceParametersStandAloneAbsent = $setTargetResourceParametersStandAlone.Clone()
@@ -583,6 +595,7 @@ try
             ManagedPasswordPrincipals = $mockAdServiceAccountGroup.ManagedPasswordPrincipals
             DisplayName               = $mockAdServiceAccountGroup.Name.DisplayName
             KerberosEncryptionType    = $mockAdServiceAccountGroup.KerberosEncryptionType
+            ServicePrincipalNames     = $mockAdServiceAccountGroup.ServicePrincipalNames
         }
 
         Context 'When the Resource should be Present' {