Creating an SPN from a linux build server

active-directorykerberosspn

I'm setting up a process which would automatically create the SPNs for newly exposed service URLs. I am aware of how to create an SPN with Windows using the setspn -A command with the right priviliges.

As my build server is running on Linux, I wonder, is there any way – other than logging in to a windows server and running setspn – to create the SPN from a Linux server?

Best Answer

When you use the setspn tool, all you're doing is modifying the servicePrincipalName attribute of the specified computer/user in AD.

To do the same from a Linux machine, you just need to use an LDAP tool to connect to a domain controller and modify the attribute like you would any other. Keep in mind that it's a multi-valued attribute though. So don't accidentally wipe out existing entries that might exist on the target.

Related Solutions

Creating keytabs and service principal names

I'm not quite sure whether my-user-name refers to a computer object or a user object in active directory; I'll assume it's a user object. In that case, I think setspn is not appropriate; this is meant to modify the SPNs of existing machine accounts. For a user account, I'm skeptical that SRV_HST is right.

Apparently, support for SPNs associated with user objects is somewhat limited; I read somewhere that this is really restricted to one user. I also couldn't manage to get your ktpass invocation to work for me, as it insisted on a) specifying a user account (through mapuser) that should be associated with the SPN, and b) setting the SPN password. I think the latter is unavoidable to create a keytab through ktpass.

I managed to create a keytab in the "standard way", i.e. by setting up a dedicated user account and associating it with an SPN:

ktpass /princ TEST/host@DOMAIN /mapuser user@DOMAIN /pass *  /out foo.keytab /ptype KRB5_NT_PRINCIPAL

That operation (expectly) broke login for the user, however, I was then able to kinit with

 kinit -k -t /tmp/foo.keytab  TEST/host@DOMAIN

Share one SPN between two service accounts

Research into how Kerberos delegation works shows that no, you cannot share SPNs between service accounts on the same box.

I solved the problem by provisioning a second IP address for my server and mapping IIS to one IP address and SSRS to the other.

I then created two new A records in DNS (don't use C records, they are unreliable with Kerberos delegation) to point to the services. iis.server.d.com points to the IIS IP address and ssrs.server.d.com points to the SSRS IP.

Lastly, I deleted all the SPNs for both d\acct1 and d\acct2 and reassigned the SPNs as HTTP/iis.server.d.com and HTTP/ssrs.server.d.com respectively.

Additionally, I find that editing SPNs using ADSIEdit far easier than using the setspn command line.

Best Answer

Related Solutions

Creating keytabs and service principal names

Share one SPN between two service accounts

Related Topic