ADManagedServiceAccount: add ServicePrincipalNames setting
* This is a string array and specifies Service Principal Names for
an AD Managed Service Account
Rich Siegel committed Sep 3, 2024
1 parent 8ae460a commit 33ee483
Showing 5 changed files with 40 additions and 1 deletion.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -11,6 +11,8 @@ For older change log history see the [historic changelog](HISTORIC_CHANGELOG.md)
- ADManagedServiceAccount
- New parameter TrustedForDelegation for Kerberos Delegation
([issue #717](https://github.com/dsccommunity/ActiveDirectoryDsc/issues/717)).
- New parameter TrustedForDelegation for Service Principal Name
([issue #717](https://github.com/dsccommunity/ActiveDirectoryDsc/issues/717)).
- ADDomainController
- New parameter UseExistingAccount for attaching a server to an existing RODC account.
([issue #711](https://github.com/dsccommunity/ActiveDirectoryDsc/issues/711)).
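Review bot: the new entry repeats the TrustedForDelegation line above it: it reads "New parameter TrustedForDelegation for Service Principal Name" and links issue #717, which is the Kerberos delegation issue already cited one bullet earlier. It should name the parameter this commit actually adds, ServicePrincipalNames, and link the issue (if any) that requested SPN support rather than #717.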
Expand Up @@ -96,6 +96,7 @@ function Get-TargetResource
'Enabled'
'PrincipalsAllowedToRetrieveManagedPassword'
'KerberosEncryptionType'
'ServicePrincipalNames'
'TrustedForDelegation'
)
}
Expand Down Expand Up @@ -159,6 +160,7 @@ function Get-TargetResource
DistinguishedName = $adServiceAccount.DistinguishedName
Enabled = $adServiceAccount.Enabled
KerberosEncryptionType = $adServiceAccount.KerberosEncryptionType -split (', ')
ServicePrincipalNames = $adServiceAccount.ServicePrincipalNames
TrustedForDelegation = $adServiceAccount.TrustedForDelegation
ManagedPasswordPrincipals = $managedPasswordPrincipals
MembershipAttribute = $MembershipAttribute
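Review bot: `ServicePrincipalNames = $adServiceAccount.ServicePrincipalNames` returns the raw multi-valued property collection from Get-ADServiceAccount rather than a string array; the neighbouring `KerberosEncryptionType` line normalises its value with `-split (', ')`, and the schema declares this property as `String[]`. Cast it with `[System.String[]]` so Test-TargetResource compares a plain string array and an account with no SPNs yields an empty array instead of an empty collection object.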
Expand All @@ -178,6 +180,7 @@ function Get-TargetResource
DistinguishedName = $null
Enabled = $false
KerberosEncryptionType = @()
ServicePrincipalNames = $null
TrustedForDelegation = $null
ManagedPasswordPrincipals = @()
MembershipAttribute = $MembershipAttribute
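Review bot: the absent branch sets `ServicePrincipalNames = $null` while the other array-typed properties in the same hashtable (`KerberosEncryptionType = @()`, `ManagedPasswordPrincipals = @()`) return an empty array. Use `@()` here as well so callers can treat the property uniformly and a comparison of desired SPNs against the absent state does not have to special-case null.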
Expand Down Expand Up @@ -227,6 +230,9 @@ function Get-TargetResource
This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes
attribute.
.PARAMETER ServicePrincipalNames
Specifies the service principal names for the user account.
.PARAMETER TrustedForDelegation
Specifies whether an account is trusted for Kerberos delegation. Default value is $false.
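Review bot: the new help text says "service principal names for the user account", but this resource manages a managed service account; reword to "service account" so the help matches the resource. The same sentence is reused in the Set-TargetResource help and the MOF description, so keep them in sync.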
Expand Down Expand Up @@ -300,6 +306,11 @@ function Test-TargetResource
[System.String[]]
$KerberosEncryptionType,

[Parameter()]
[ValidateNotNullOrEmpty()]
[System.String[]]
$ServicePrincipalNames,

[Parameter()]
[ValidateNotNull()]
[System.Boolean]
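Review bot: `[ValidateNotNullOrEmpty()]` on `$ServicePrincipalNames` rejects an empty array, so a configuration cannot express "this account should have no SPNs" and remove stale ones; decide whether clearing is a supported operation and, if so, drop the attribute or use `[ValidateNotNull()]` as the `TrustedForDelegation` parameter below does. Nothing in this diff touches the comparison logic in Test-TargetResource, so also confirm that the existing property comparison picks up the new parameter and compares the array without regard to element order, since AD does not guarantee the order in which SPNs are returned.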
Expand Down Expand Up @@ -431,6 +442,9 @@ function Test-TargetResource
This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes
attribute.
.PARAMETER ServicePrincipalNames
Specifies the service principal names for the user account.
.PARAMETER TrustedForDelegation
Specifies whether an account is trusted for Kerberos delegation. Default value is $false.
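Review bot: same wording issue as the Test-TargetResource help: "user account" should read "service account" for this resource.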
Expand Down Expand Up @@ -512,6 +526,11 @@ function Set-TargetResource
[System.String[]]
$KerberosEncryptionType,

[Parameter()]
[ValidateNotNullOrEmpty()]
[System.String[]]
$ServicePrincipalNames,

[Parameter()]
[ValidateNotNull()]
[System.Boolean]
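Review bot: this hunk only declares the parameter in Set-TargetResource; no code that forwards the SPNs to AD appears anywhere in the diff. New-ADServiceAccount accepts `-ServicePrincipalNames` as a string array, whereas Set-ADServiceAccount expects a hashtable (`@{ Replace = $ServicePrincipalNames }`, or `Add`/`Remove`), so if the existing parameter-forwarding logic splats the string array straight into Set-ADServiceAccount the update path for an existing account will fail. Please confirm how the update path builds its arguments; the unit tests run against mocks and will not surface a parameter-type mismatch with the real cmdlet.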
Expand Up @@ -10,6 +10,7 @@ class MSFT_ADManagedServiceAccount : OMI_BaseResource
[Write, Description("Specifies the Active Directory Domain Controller instance to use to perform the task. This is only required if not executing the task on a domain controller.")] String DomainController;
[Write, Description("Specifies whether the user account is created or deleted. If not specified, this value defaults to Present."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
[Write, Description("Specifies which Kerberos encryption types the account supports when creating service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute."),ValueMap{"None","RC4","AES128","AES256"}, Values{"None","RC4","AES128","AES256"}] String KerberosEncryptionType[];
[Write, Description("Specifies the service principal names for the user account.")] String ServicePrincipalNames[];
[Write, Description("Specifies whether an account is trusted for Kerberos delegation. Default value is $false.")] Boolean TrustedForDelegation;
[Write, Description("Specifies the membership policy for systems which can use a group managed service account. (ldapDisplayName 'msDS-GroupMSAMembership'). Only used when 'Group' is selected for 'AccountType'.")] String ManagedPasswordPrincipals[];
[Write, Description("Active Directory attribute used to perform membership operations for Group Managed Service Accounts (gMSA). If not specified, this value defaults to SamAccountName."), ValueMap{"SamAccountName","DistinguishedName","ObjectGUID","ObjectSid"}, Values{"SamAccountName","DistinguishedName","ObjectGUID","ObjectSid"}] String MembershipAttribute;
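Review bot: the Description reads "service principal names for the user account"; this is the schema for a managed service account, and this string is what the generated documentation picks up, so change it to "service account". Consider also stating the expected SPN format (for example `MSSQLSvc/Node1.contoso.com`, as used in the unit test mocks), in the same way the KerberosEncryptionType description spells out its allowed values.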
Expand Up @@ -45,6 +45,10 @@
Allowed values: None, RC4, AES128, AES256
Specifies which Kerberos encryption types the account supports when creating service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute.

.PARAMETER ServicePrincipalNames
Write - StringArray
Specifies the service principal names for the user account.

.PARAMETER TrustedForDelegation
Write - Boolean
Specifies whether an account is trusted for Kerberos delegation. Default value is $false.
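Review bot: "user account" here too; this text mirrors the MOF description, so fix both together. The `Write - StringArray` type and the placement after KerberosEncryptionType match the schema change.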
15 changes: 14 additions & 1 deletion tests/Unit/MSFT_ADManagedServiceAccount.Tests.ps1
Expand Up @@ -77,6 +77,7 @@ try
DisplayName = 'TestSMSA'
Enabled = $true
KerberosEncryptionType = 'RC4', 'AES128', 'AES256'
ServicePrincipalNames = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1','HTTP/Node1.contoso.com'
TrustedForDelegation = $false
ManagedPasswordPrincipals = @()
MembershipAttribute = 'SamAccountName'
Expand All @@ -94,6 +95,7 @@ try
ManagedPasswordPrincipals = @()
MembershipAttribute = $mockAdServiceAccountStandalone.MembershipAttribute
KerberosEncryptionType = @()
ServicePrincipalNames = $null
Ensure = 'Absent'
}

Expand All @@ -102,6 +104,7 @@ try
Description = 'Changed description'
DisplayName = 'Changed displayname'
KerberosEncryptionType = 'AES128', 'AES256'
ServicePrincipalNames = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1'
ManagedPasswordPrincipals = $mockADUSer.SamAccountName
}

Expand All @@ -114,6 +117,7 @@ try
DisplayName = 'TestGMSA'
Enabled = $true
KerberosEncryptionType = 'RC4', 'AES128', 'AES256'
ServicePrincipalNames = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1','HTTP/Node1.contoso.com'
TrustedForDelegation = $true
ManagedPasswordPrincipals = $mockADUSer.SamAccountName, $mockADComputer.SamAccountName
MembershipAttribute = 'SamAccountName'
Expand All @@ -131,6 +135,7 @@ try
ManagedPasswordPrincipals = @()
MembershipAttribute = $mockAdServiceAccountGroup.MembershipAttribute
KerberosEncryptionType = @()
ServicePrincipalNames = $null
TrustedForDelegation = $null
Ensure = 'Absent'
}
Expand All @@ -142,6 +147,7 @@ try
DistinguishedName = $mockAdServiceAccountStandalone.DistinguishedName
Enabled = $mockAdServiceAccountStandalone.Enabled
KerberosEncryptionType = $mockAdServiceAccountStandalone.KerberosEncryptionType
ServicePrincipalNames = $mockAdServiceAccountStandalone.ServicePrincipalNames
TrustedForDelegation = $mockAdServiceAccountStandalone.TrustedForDelegation
Name = $mockAdServiceAccountStandalone.ServiceAccountName
ObjectClass = 'msDS-ManagedServiceAccount'
Expand All @@ -158,6 +164,7 @@ try
DistinguishedName = $mockAdServiceAccountGroup.DistinguishedName
Enabled = $mockAdServiceAccountGroup.Enabled
KerberosEncryptionType = $mockAdServiceAccountGroup.KerberosEncryptionType
ServicePrincipalNames = $mockAdServiceAccountGroup.ServicePrincipalNames
TrustedForDelegation = $mockAdServiceAccountGroup.TrustedForDelegation
Name = $mockAdServiceAccountGroup.ServiceAccountName
ObjectClass = 'msDS-GroupManagedServiceAccount'
Expand All @@ -183,6 +190,7 @@ try
Credential = $mockCredentials
DomainController = $mockDomainController
KerberosEncryptionType = 'RC4', 'AES128', 'AES256'
ServicePrincipalNames = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1','HTTP/Node1.contoso.com'
TrustedForDelegation = $false

}
Expand All @@ -202,6 +210,7 @@ try
Credential = $mockCredentials
DomainController = $mockDomainController
KerberosEncryptionType = 'RC4', 'AES128', 'AES256'
ServicePrincipalNames = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1','HTTP/Node1.contoso.com'
TrustedForDelegation = $false
}

Expand All @@ -218,6 +227,7 @@ try
ManagedPasswordPrincipals = @()
MembershipAttribute = 'SamAccountName'
KerberosEncryptionType = @()
ServicePrincipalNames = $null
TrustedForDelegation = $null
}

Expand Down Expand Up @@ -434,6 +444,7 @@ try
Description = $mockAdServiceAccountStandalone.Description
DisplayName = $mockAdServiceAccountStandalone.DisplayName
KerberosEncryptionType = $mockAdServiceAccountStandalone.KerberosEncryptionType
ServicePrincipalNames = $mockAdServiceAccountStandalone.ServicePrincipalNames
ManagedPasswordPrincipals = $mockAdServiceAccountStandalone.ManagedPasswordPrincipals
MembershipAttribute = $mockAdServiceAccountStandalone.MembershipAttribute
Ensure = $mockAdServiceAccountStandalone.Ensure
Expand Down Expand Up @@ -567,6 +578,7 @@ try
Ensure = $mockAdServiceAccountStandAlone.Ensure
DisplayName = $mockAdServiceAccountStandAlone.DisplayName
KerberosEncryptionType = $mockAdServiceAccountStandAlone.KerberosEncryptionType
ServicePrincipalNames = $mockAdServiceAccountStandalone.ServicePrincipalNames
}

$setTargetResourceParametersStandAloneAbsent = $setTargetResourceParametersStandAlone.Clone()
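Review bot: the added line `ServicePrincipalNames = $mockAdServiceAccountStandalone.ServicePrincipalNames` uses the `Standalone` casing while the surrounding lines in this hashtable use `$mockAdServiceAccountStandAlone`; PowerShell variable names are case-insensitive so it resolves, but match the neighbouring lines for consistency.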
Expand All @@ -583,6 +595,7 @@ try
ManagedPasswordPrincipals = $mockAdServiceAccountGroup.ManagedPasswordPrincipals
DisplayName = $mockAdServiceAccountGroup.Name.DisplayName
KerberosEncryptionType = $mockAdServiceAccountGroup.KerberosEncryptionType
ServicePrincipalNames = $mockAdServiceAccountGroup.ServicePrincipalNames
}
Context 'When the Resource should be Present' {

Expand All @@ -600,7 +613,7 @@ try
-MockWith { $mockGetTargetResourceResultsGroup }

It "Should call the correct mocks when $property has changed" {
Set-TargetResource @setTargetResourceParametersChangedProperty
Set-TargetResource @

Assert-MockCalled -CommandName Get-TargetResource `
-ParameterFilter { `
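Review bot: the replaced line now reads `Set-TargetResource @` with nothing after the splat operator; as shown this is a parse error and the test file cannot load. This is the one deletion the commit summary counts, replacing `Set-TargetResource @setTargetResourceParametersChangedProperty`; if the intent was to splat a different parameter set, the hashtable name is missing, otherwise restore the original line.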