ADManagedServiceAccount: add ServicePrincipalNames setting #719

Open: wants to merge 1 commit into base: main
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -11,6 +11,8 @@ For older change log history see the [historic changelog](HISTORIC_CHANGELOG.md)
- ADManagedServiceAccount
- New parameter TrustedForDelegation for Kerberos Delegation
([issue #717](https://github.com/dsccommunity/ActiveDirectoryDsc/issues/717)).
- New parameter TrustedForDelegation for Service Principal Name
([issue #717](https://github.com/dsccommunity/ActiveDirectoryDsc/issues/717)).
- ADDomainController
- New parameter UseExistingAccount for attaching a server to an existing RODC account.
([issue #711](https://github.com/dsccommunity/ActiveDirectoryDsc/issues/711)).
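Review bot: the second changelog entry names the wrong parameter. It reads "New parameter TrustedForDelegation for Service Principal Name" although this PR adds ServicePrincipalNames, and it links the same issue #717 as the TrustedForDelegation entry above it. Suggest "New parameter ServicePrincipalNames for Service Principal Names" and a link to the issue this change actually addresses, if there is one.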
Expand Up @@ -96,6 +96,7 @@ function Get-TargetResource
'Enabled'
'PrincipalsAllowedToRetrieveManagedPassword'
'KerberosEncryptionType'
'ServicePrincipalNames'
'TrustedForDelegation'
)
}
Expand Down Expand Up @@ -159,6 +160,7 @@ function Get-TargetResource
DistinguishedName = $adServiceAccount.DistinguishedName
Enabled = $adServiceAccount.Enabled
KerberosEncryptionType = $adServiceAccount.KerberosEncryptionType -split (', ')
ServicePrincipalNames = $adServiceAccount.ServicePrincipalNames
TrustedForDelegation = $adServiceAccount.TrustedForDelegation
ManagedPasswordPrincipals = $managedPasswordPrincipals
MembershipAttribute = $MembershipAttribute
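Review bot: `ServicePrincipalNames = $adServiceAccount.ServicePrincipalNames` passes the value through untouched, whereas the KerberosEncryptionType line just above normalises its value to a string array. Get-ADServiceAccount returns this multi-valued attribute as an ADPropertyValueCollection, while the MOF declares the property as String[]; casting with `[System.String[]] $adServiceAccount.ServicePrincipalNames` keeps the return value consistent with the schema and makes the comparison in Test-TargetResource behave the same for one SPN, several SPNs or none.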
Expand All @@ -178,6 +180,7 @@ function Get-TargetResource
DistinguishedName = $null
Enabled = $false
KerberosEncryptionType = @()
ServicePrincipalNames = $null
TrustedForDelegation = $null
ManagedPasswordPrincipals = @()
MembershipAttribute = $MembershipAttribute
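Review bot: the Absent branch returns `ServicePrincipalNames = $null` while `KerberosEncryptionType = @()` directly above it returns an empty array. Both properties are String[] in the schema, so `@()` would be the consistent choice and spares callers a null check; if `$null` is intentional (the unit tests in this PR expect it), the two properties should at least follow one convention.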
Expand Down Expand Up @@ -227,6 +230,9 @@ function Get-TargetResource
This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes
attribute.

.PARAMETER ServicePrincipalNames
Specifies the service principal names for the user account.

.PARAMETER TrustedForDelegation
Specifies whether an account is trusted for Kerberos delegation. Default value is $false.
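Review bot: the help text for ServicePrincipalNames says "for the user account", but this resource manages a managed service account; the same wording is repeated in the Test-TargetResource help, the MOF description and the README further down. Suggest "Specifies the service principal names for the managed service account" everywhere, and, because an SPN must be unique in the forest for Kerberos authentication to work, one sentence stating whether the listed SPNs replace the existing set or are merged with it (whichever Set-TargetResource does) would save users a surprise.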

Expand Down Expand Up @@ -300,6 +306,11 @@ function Test-TargetResource
[System.String[]]
$KerberosEncryptionType,

[Parameter()]
[ValidateNotNullOrEmpty()]
[System.String[]]
$ServicePrincipalNames,

[Parameter()]
[ValidateNotNull()]
[System.Boolean]
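Review bot: `[ValidateNotNullOrEmpty()]` on a `[System.String[]]` rejects an empty array, so a configuration cannot express "this account has no SPNs" and remove existing ones, which is a realistic desired state when a service is decommissioned from the account. Consider `[ValidateNotNull()]` or dropping the validation if removal should be supported, and add a test for that case. Separately, the hunk adds only the parameter declaration and the diff shows no change to the comparison logic; if Test-TargetResource does not compare every bound parameter generically, a changed SPN list would never trigger a Set.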
Expand Down Expand Up @@ -431,6 +442,9 @@ function Test-TargetResource
This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes
attribute.

.PARAMETER ServicePrincipalNames
Specifies the service principal names for the user account.

.PARAMETER TrustedForDelegation
Specifies whether an account is trusted for Kerberos delegation. Default value is $false.

Expand Down Expand Up @@ -512,6 +526,11 @@ function Set-TargetResource
[System.String[]]
$KerberosEncryptionType,

[Parameter()]
[ValidateNotNullOrEmpty()]
[System.String[]]
$ServicePrincipalNames,

[Parameter()]
[ValidateNotNull()]
[System.Boolean]
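Review bot: as in Test-TargetResource, this hunk adds only the parameter declaration; nothing in the diff passes ServicePrincipalNames to New-ADServiceAccount or Set-ADServiceAccount. If Set-TargetResource builds the cmdlet arguments from the changed properties generically this may work for creation, but Set-ADServiceAccount's -ServicePrincipalNames parameter expects a hashtable of Add/Remove/Replace operations rather than the plain string array the resource declares, so the update path needs either an explicit translation (for example `@{ Replace = $ServicePrincipalNames }`) or a test that proves the generic path handles it.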
Expand Up @@ -10,6 +10,7 @@ class MSFT_ADManagedServiceAccount : OMI_BaseResource
[Write, Description("Specifies the Active Directory Domain Controller instance to use to perform the task. This is only required if not executing the task on a domain controller.")] String DomainController;
[Write, Description("Specifies whether the user account is created or deleted. If not specified, this value defaults to Present."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
[Write, Description("Specifies which Kerberos encryption types the account supports when creating service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute."),ValueMap{"None","RC4","AES128","AES256"}, Values{"None","RC4","AES128","AES256"}] String KerberosEncryptionType[];
[Write, Description("Specifies the service principal names for the user account.")] String ServicePrincipalNames[];
[Write, Description("Specifies whether an account is trusted for Kerberos delegation. Default value is $false.")] Boolean TrustedForDelegation;
[Write, Description("Specifies the membership policy for systems which can use a group managed service account. (ldapDisplayName 'msDS-GroupMSAMembership'). Only used when 'Group' is selected for 'AccountType'.")] String ManagedPasswordPrincipals[];
[Write, Description("Active Directory attribute used to perform membership operations for Group Managed Service Accounts (gMSA). If not specified, this value defaults to SamAccountName."), ValueMap{"SamAccountName","DistinguishedName","ObjectGUID","ObjectSid"}, Values{"SamAccountName","DistinguishedName","ObjectGUID","ObjectSid"}] String MembershipAttribute;
Expand Up @@ -45,6 +45,10 @@
Allowed values: None, RC4, AES128, AES256
Specifies which Kerberos encryption types the account supports when creating service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute.

.PARAMETER ServicePrincipalNames
Write - StringArray
Specifies the service principal names for the user account.

.PARAMETER TrustedForDelegation
Write - Boolean
Specifies whether an account is trusted for Kerberos delegation. Default value is $false.
13 changes: 13 additions & 0 deletions tests/Unit/MSFT_ADManagedServiceAccount.Tests.ps1
Expand Up @@ -77,6 +77,7 @@ try
DisplayName = 'TestSMSA'
Enabled = $true
KerberosEncryptionType = 'RC4', 'AES128', 'AES256'
ServicePrincipalNames = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1','HTTP/Node1.contoso.com'
TrustedForDelegation = $false
ManagedPasswordPrincipals = @()
MembershipAttribute = 'SamAccountName'
Expand All @@ -94,6 +95,7 @@ try
ManagedPasswordPrincipals = @()
MembershipAttribute = $mockAdServiceAccountStandalone.MembershipAttribute
KerberosEncryptionType = @()
ServicePrincipalNames = $null
Ensure = 'Absent'
}

Expand All @@ -102,6 +104,7 @@ try
Description = 'Changed description'
DisplayName = 'Changed displayname'
KerberosEncryptionType = 'AES128', 'AES256'
ServicePrincipalNames = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1'
ManagedPasswordPrincipals = $mockADUSer.SamAccountName
}

Expand All @@ -114,6 +117,7 @@ try
DisplayName = 'TestGMSA'
Enabled = $true
KerberosEncryptionType = 'RC4', 'AES128', 'AES256'
ServicePrincipalNames = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1','HTTP/Node1.contoso.com'
TrustedForDelegation = $true
ManagedPasswordPrincipals = $mockADUSer.SamAccountName, $mockADComputer.SamAccountName
MembershipAttribute = 'SamAccountName'
Expand All @@ -131,6 +135,7 @@ try
ManagedPasswordPrincipals = @()
MembershipAttribute = $mockAdServiceAccountGroup.MembershipAttribute
KerberosEncryptionType = @()
ServicePrincipalNames = $null
TrustedForDelegation = $null
Ensure = 'Absent'
}
Expand All @@ -142,6 +147,7 @@ try
DistinguishedName = $mockAdServiceAccountStandalone.DistinguishedName
Enabled = $mockAdServiceAccountStandalone.Enabled
KerberosEncryptionType = $mockAdServiceAccountStandalone.KerberosEncryptionType
ServicePrincipalNames = $mockAdServiceAccountStandalone.ServicePrincipalNames
TrustedForDelegation = $mockAdServiceAccountStandalone.TrustedForDelegation
Name = $mockAdServiceAccountStandalone.ServiceAccountName
ObjectClass = 'msDS-ManagedServiceAccount'
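Review bot: the mocked Get-ADServiceAccount result carries ServicePrincipalNames as a plain string array, but the real cmdlet returns an ADPropertyValueCollection for this multi-valued attribute, so these tests cannot catch a type mismatch between what Get-TargetResource returns and the String[] declared in the MOF. Either mock the collection type here or, better, cast to `[System.String[]]` in Get-TargetResource so the test path and the real path agree.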
Expand All @@ -158,6 +164,7 @@ try
DistinguishedName = $mockAdServiceAccountGroup.DistinguishedName
Enabled = $mockAdServiceAccountGroup.Enabled
KerberosEncryptionType = $mockAdServiceAccountGroup.KerberosEncryptionType
ServicePrincipalNames = $mockAdServiceAccountGroup.ServicePrincipalNames
TrustedForDelegation = $mockAdServiceAccountGroup.TrustedForDelegation
Name = $mockAdServiceAccountGroup.ServiceAccountName
ObjectClass = 'msDS-GroupManagedServiceAccount'
Expand All @@ -183,6 +190,7 @@ try
Credential = $mockCredentials
DomainController = $mockDomainController
KerberosEncryptionType = 'RC4', 'AES128', 'AES256'
ServicePrincipalNames = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1','HTTP/Node1.contoso.com'
TrustedForDelegation = $false

}
Expand All @@ -202,6 +210,7 @@ try
Credential = $mockCredentials
DomainController = $mockDomainController
KerberosEncryptionType = 'RC4', 'AES128', 'AES256'
ServicePrincipalNames = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1','HTTP/Node1.contoso.com'
TrustedForDelegation = $false
}

Expand All @@ -218,6 +227,7 @@ try
ManagedPasswordPrincipals = @()
MembershipAttribute = 'SamAccountName'
KerberosEncryptionType = @()
ServicePrincipalNames = $null
TrustedForDelegation = $null
}

Expand Down Expand Up @@ -434,6 +444,7 @@ try
Description = $mockAdServiceAccountStandalone.Description
DisplayName = $mockAdServiceAccountStandalone.DisplayName
KerberosEncryptionType = $mockAdServiceAccountStandalone.KerberosEncryptionType
ServicePrincipalNames = $mockAdServiceAccountStandalone.ServicePrincipalNames
ManagedPasswordPrincipals = $mockAdServiceAccountStandalone.ManagedPasswordPrincipals
MembershipAttribute = $mockAdServiceAccountStandalone.MembershipAttribute
Ensure = $mockAdServiceAccountStandalone.Ensure
Expand Down Expand Up @@ -567,6 +578,7 @@ try
Ensure = $mockAdServiceAccountStandAlone.Ensure
DisplayName = $mockAdServiceAccountStandAlone.DisplayName
KerberosEncryptionType = $mockAdServiceAccountStandAlone.KerberosEncryptionType
ServicePrincipalNames = $mockAdServiceAccountStandalone.ServicePrincipalNames
}

$setTargetResourceParametersStandAloneAbsent = $setTargetResourceParametersStandAlone.Clone()
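Review bot: the added line `ServicePrincipalNames = $mockAdServiceAccountStandalone.ServicePrincipalNames` spells the variable `$mockAdServiceAccountStandalone` while every other line in this block uses `$mockAdServiceAccountStandAlone`. PowerShell variable names are case-insensitive so it works, but the mixed spelling looks like a copy-paste from the Get tests; align the casing with the surrounding lines.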
Expand All @@ -583,6 +595,7 @@ try
ManagedPasswordPrincipals = $mockAdServiceAccountGroup.ManagedPasswordPrincipals
DisplayName = $mockAdServiceAccountGroup.Name.DisplayName
KerberosEncryptionType = $mockAdServiceAccountGroup.KerberosEncryptionType
ServicePrincipalNames = $mockAdServiceAccountGroup.ServicePrincipalNames
}
Context 'When the Resource should be Present' {
