
Powershell 3.0 - Kerberos and SPN


Just a quick post about Powershell and SPN. I have "used" powershell for several years now. I mean used as in having created some very, very small scripts and cmdlets starting back in 2007 when Microsoft launched their powershell cmdlets for Exchange 2007. Anyway, the last months I have been playing heavily with Powershell and have learned the beauty of it quite recently.

I am kind of excited about the new Powershell 3.0 released with Win8 and Microsoft Server 2012. If you have not tried it, I recommend you download it and give it a go. The new built-in editor from Microsoft has actually become very good with intellisense and other goodies.



Quick-tip: When you install the Powershell ISE editor, you get a new cmdlet that gives you the ability to output the results to a sortable gridview. You may also copy and paste to Excel or other applications!




Recently I was tasked with creating a script to be able to set SPN for an Active Directory user. I created two functions named Get-ADUserSPN and Set-ADUserSPN.


Function Get-ADUserSPN
{
<#
.Synopsis
 This function returns the SPNs for a user object in Active Directory
.Description
 Must be executed on a server with the Active Directory module present
.Parameter UserAccount
 sAMAccountName of the user [string]
.Example
 Get-ADUserSPN usera
 Returns the SPNs for a user with sAMAccountName 'usera'
.Example
 Get-ADUserSPN -SAM usera
 Returns the SPNs for a user with sAMAccountName 'usera'.
.Role
 General
.Component
 FP
.Notes
 NAME: Get-ADUserSPN
 AUTHOR: Tore Groneng
 LASTEDIT: November 2012
 KEYWORDS: General scripting SCCM
 Created by: Tore Groneng
 tore@firstpoint.no #toregroneng tore.groneng@gmail.com
.Link
 Http://www.firstpoint.no

#Requires -Version 2.0
#>

PARAM(
[Parameter(Position=0, Mandatory=$true, ValueFromPipeline=$true)]
[Alias("SAM")]
[string]$UserAccount
)

# Load the AD module, if needed (in powershell 3.0 it will automatically load modules as needed and import-module will kind of be redundant)

if ((get-Module -Name ActiveDirectory -ErrorAction SilentlyContinue) -eq $null )
{
Import-Module ActiveDirectory
}

$theUser = get-aduser $UserAccount -properties *

if ($theUser.servicePrincipalName.count -eq 0){
write-host "No SPN found for the user '$UserAccount'" -fore yellow
}
else{
# Print the SPNs to the console
$theUser.servicePrincipalName
}
}

So to be able to set SPN for a user, we must do something like this:

Function Set-ADUserSPNSQL
{
<#
.Synopsis
 This function sets the SPNs for a user object in Active Directory
.Description
 Must be executed on a server with the ActiveDirectory module present.
 Exception is thrown if you try to set an SPN that already exists for the target server and user.
.Parameter UserAccount
 sAMAccountName of the user [string]
.Parameter TargetServer
 Host name of the target SQL server [string]
.Parameter PortNumber
 TCP port of the SQL instance, default 1433 [int]
.Example
 Set-ADUserSPNSQL "usera" "bgo-vm-sql-01"
 Sets the SPN for user 'usera' with target server bgo-vm-sql-01 using the default port 1433
.Example
 Set-ADUserSPNSQL -SAM "usera" -target "bgo-vm-sql-01"
 Sets the SPN for user 'usera' with target server bgo-vm-sql-01 using the default port 1433
.Example
 Set-ADUserSPNSQL -SAM "usera" -target "bgo-vm-sql-01" -port 14433
 Sets the SPN for user 'usera' with target server bgo-vm-sql-01 using the port 14433
.Role
 General
.Component
 FP
.Notes
 NAME: Set-ADUserSPNSQL
 AUTHOR: Tore Groneng
 LASTEDIT: November 2012
 KEYWORDS: General scripting
 Created by: Tore Groneng
 tore@firstpoint.no #toregroneng tore.groneng@gmail.com
.Link
 Http://www.firstpoint.no

#Requires -Version 2.0
#>
PARAM(
[Parameter(Position=0, Mandatory=$true, ValueFromPipeline=$true)]
[Alias("SAM")]
[string]$UserAccount
,
[Parameter(Position=1, Mandatory=$true)]
[Alias("target")]
[string]$TargetServer
,
[Parameter(Position=2)]
[Alias("Port")]
[INT]$PortNumber = 1433
)
[string]$targetKerb = "MSSQLSvc/"
[string]$dnsDomain = $env:UserDNSdomain
[string]$colon = ":"

# Load the AD module, if needed (in powershell 3.0 it will automatically load  modules as needed and import-module will kind of be redundant)

if ((get-Module -Name ActiveDirectory -ErrorAction SilentlyContinue) -eq $null )
{
Import-Module ActiveDirectory
}

# Get-ADUser throws a terminating error when the account does not exist; suppress it so the null check below is reached
$theUser = get-aduser $UserAccount -properties * -ErrorAction SilentlyContinue

if ($theUser -eq $null){
write-host "Error - could not find user $UserAccount"
}
else {
# Register both the short host name form and the FQDN form of the SPN
$theUser.servicePrincipalName += "$targetKerb$TargetServer$colon$PortNumber"
$theUser.servicePrincipalName += "$targetKerb$TargetServer.$dnsDomain$colon$PortNumber"

try {
# -ErrorAction Stop turns a failed write (e.g. duplicate SPN) into a terminating error so the catch block runs
set-aduser -instance $theUser -ErrorAction Stop
write-host "Successfully set the SPN for the user ('$UserAccount'), user now has these SPNs:" -fore yellow
$theUser = get-aduser $UserAccount -properties *
write-host $theUser.servicePrincipalName -fore green
}
catch {
# Inside a double-quoted string only $_ is expanded, so wrap the member access in $( )
write-host "Exception - $($_.Exception.Message)"
write-host "Useraccount:::$UserAccount" -fore yellow
write-host "TargetServer:::$TargetServer" -fore yellow
}
}
}
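The function above appends the two SPN forms to the account and lets Set-ADUser fail if one of them is already taken. The failure mode worth guarding against is the SPN being registered on some other account in the domain: the KDC then cannot pick a single account to encrypt the service ticket for, and Kerberos authentication to that SQL instance breaks (the domain controller logs this as a KDC event about duplicate names, and setspn -X reports the duplicates). The following is an added example, not code from the post, that builds the same two SPN strings, queries the domain for any existing holder of each SPN before adding it, and uses the -ServicePrincipalNames hashtable of Set-ADUser instead of -Instance. The function name Add-SqlSpnChecked and the sample values in the usage line are assumptions made for the illustration.

```powershell
# Added example (not the original post's code): add MSSQLSvc SPNs to a user only
# when no other AD object already holds them. Assumes the ActiveDirectory module.
Function Add-SqlSpnChecked
{
    PARAM(
        [Parameter(Position=0, Mandatory=$true)]
        [Alias("SAM")]
        [string]$UserAccount,
        [Parameter(Position=1, Mandatory=$true)]
        [Alias("target")]
        [string]$TargetServer,
        [Parameter(Position=2)]
        [Alias("Port")]
        [int]$PortNumber = 1433
    )

    if ((Get-Module -Name ActiveDirectory) -eq $null) {
        Import-Module ActiveDirectory
    }

    # Same two forms the post registers: short host name and FQDN.
    # ${TargetServer} is braced because "$TargetServer:..." would be parsed as a
    # drive-qualified variable (the reason the post uses a separate $colon variable).
    $dnsDomain = $env:USERDNSDOMAIN
    $spns = @(
        "MSSQLSvc/${TargetServer}:${PortNumber}",
        "MSSQLSvc/${TargetServer}.${dnsDomain}:${PortNumber}"
    )

    $theUser = Get-ADUser $UserAccount -Properties servicePrincipalName -ErrorAction SilentlyContinue
    if ($theUser -eq $null) {
        Write-Host "Error - could not find user $UserAccount" -ForegroundColor Red
        return
    }

    foreach ($spn in $spns) {
        # Domain-wide lookup: which objects (users or computers) already carry this SPN?
        # '/' and ':' are not LDAP filter metacharacters, so the SPN can be used verbatim.
        $owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties servicePrincipalName)
        $foreign = @($owners | Where-Object { $_.DistinguishedName -ne $theUser.DistinguishedName })

        if ($foreign.Count -gt 0) {
            # Registering it anyway would create a duplicate SPN and break Kerberos for this service
            Write-Warning ("SPN '$spn' is already registered on: " + ($foreign.DistinguishedName -join '; ') + " - not adding it.")
            continue
        }

        if ($theUser.servicePrincipalName -contains $spn) {
            Write-Host "SPN '$spn' is already present on $UserAccount, nothing to do." -ForegroundColor Yellow
            continue
        }

        try {
            # Add just this value; -ServicePrincipalNames takes a hashtable with Add/Remove/Replace keys
            Set-ADUser -Identity $theUser -ServicePrincipalNames @{Add = $spn} -ErrorAction Stop
            Write-Host "Added '$spn' to $UserAccount" -ForegroundColor Green
        }
        catch {
            Write-Host "Exception while adding '$spn' - $($_.Exception.Message)" -ForegroundColor Red
        }
    }

    # Return the resulting SPN list so the caller can verify it
    (Get-ADUser $UserAccount -Properties servicePrincipalName).servicePrincipalName
}

# Usage (sample values, not real hosts):
# Add-SqlSpnChecked -SAM "usera" -target "bgo-vm-sql-01" -port 1433
```

Checking for an existing holder before writing is cheaper than cleaning up afterwards: once a duplicate exists, clients that were authenticating with Kerberos start failing or silently fall back to NTLM, which is hard to trace back to the SPN change.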

