I'm setting up a process which would automatically create the SPNs for newly exposed service URLs. I am aware of how to create an SPN with Windows using the setspn -A command with the right privileges.

As my build server is running on Linux, I wonder, is there any way - other than logging in to a windows server and running setspn - to create the SPN from a Linux server?

Balint Pato

2 Answers

When you use the setspn tool, all you're doing is modifying the servicePrincipalName attribute of the specified computer/user in AD.

To do the same from a Linux machine, you just need to use an LDAP tool to connect to a domain controller and modify the attribute like you would any other. Keep in mind that it's a multi-valued attribute though. So don't accidentally wipe out existing entries that might exist on the target.

Ryan Bolger
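Ryan Bolger's answer says the whole operation is an LDAP modify of the multi-valued servicePrincipalName attribute. As an added example that is not from either answerer, this Python script does that from a Linux build server with OpenLDAP's ldapsearch and ldapmodify, authenticating with a Kerberos ticket (-Y GSSAPI) as his later comment assumes, and emits an LDIF add rather than replace so the existing SPNs survive. The domain controller, account DN and SPN values are made up for illustration.

```python
# Added example, not from either answer: register an SPN from Linux via OpenLDAP
# tools and the build account's Kerberos ticket. DC, DN and SPN values are assumed.
import base64
import re
import subprocess
from typing import List, Optional

LDAP_URI = "ldap://dc01.example.com"  # assumption: a reachable domain controller
# class/host[:port][/name]: a loose sanity check, not the full SPN grammar
SPN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*/[A-Za-z0-9.-]+(:\d+)?(/.+)?$")

def parse_existing_spns(ldif_text: str) -> List[str]:
    """Extract servicePrincipalName values from 'ldapsearch -LLL' output."""
    spns = []
    for line in ldif_text.splitlines():
        key, _, value = line.partition(":")
        if key.lower() != "serviceprincipalname":
            continue
        value = value.strip()
        if value.startswith(":"):  # 'attr:: <base64>' form used for non-safe strings
            value = base64.b64decode(value[1:].strip()).decode()
        spns.append(value)
    return spns

def build_spn_add_ldif(dn: str, existing: List[str], new_spn: str) -> Optional[str]:
    """LDIF that appends one SPN, or None if the value is already present.
    'add:' keeps the other values; 'replace:' would wipe the whole attribute."""
    if not SPN_RE.match(new_spn):
        raise ValueError(f"malformed SPN: {new_spn!r}")
    if new_spn.lower() in (s.lower() for s in existing):  # AD matches SPNs case-insensitively
        return None
    return "\n".join([f"dn: {dn}", "changetype: modify", "add: servicePrincipalName",
                      f"servicePrincipalName: {new_spn}", "-", ""])

def register_spn(dn: str, new_spn: str) -> bool:
    """Read the current SPNs, then append new_spn. Returns False when nothing changed."""
    search = subprocess.run(
        ["ldapsearch", "-LLL", "-Q", "-Y", "GSSAPI", "-H", LDAP_URI,
         "-b", dn, "-s", "base", "servicePrincipalName"],
        check=True, capture_output=True, text=True)
    ldif = build_spn_add_ldif(dn, parse_existing_spns(search.stdout), new_spn)
    if ldif is None:
        return False
    subprocess.run(["ldapmodify", "-Q", "-Y", "GSSAPI", "-H", LDAP_URI],
                   input=ldif, check=True, text=True)
    return True

if __name__ == "__main__":  # assumption: a ticket from `kinit builder@EXAMPLE.COM` exists
    print(register_spn("CN=web01,OU=Servers,DC=example,DC=com", "HTTP/api.example.com:8443"))
```

The bind identity still needs the "Validated write to service principal name" right (or equivalent) on the target object, exactly as when running setspn on Windows.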
The Python library for Windows Remote Management (WinRM) will let you run remote commands on a Windows machine from a Linux machine.

pywinrm is a Python client for Windows Remote Management (WinRM). This allows you to invoke commands on target Windows machines from any machine that can run Python.

https://blogs.technet.microsoft.com/heyscriptingguy/2015/10/27/using-winrm-on-linux/

https://github.com/diyan/pywinrm

I don't think there is a tool for Linux that registers SPNs in Active Directory. Depending on your application and how it is set up, you could delegate to the service account the ability to register an SPN.

Open Active Directory Users and Computers.

To open Active Directory Users and Computers, click Start, click Run, type dsa.msc, and then press ENTER.

Click View, and verify that the Advanced Features check box is selected.

Click Advanced Features, if it is not selected.

If the domain to which you want to allow a disjoint namespace does not appear in the console, take the following steps:

    In the console tree, right-click Active Directory Users and Computers, and then click Connect to Domain.

    In the Domain box, type the name of the Active Directory domain to which you want to allow the disjoint namespace, and then click OK.

    As an alternative, you can use the Browse button to locate the Active Directory domain.

In the console tree, right-click the node that represents the domain to which you want to allow a disjoint namespace, and then click Properties.

On the Security tab, click Advanced.

On the Permissions tab, click Add.

In Enter the object name to select, type the group or user account name to which you want to delegate permission, and then click OK.

Configure the Apply onto box for Computer objects.

At the bottom of the Permissions box, select the Allow check box that corresponds to the Validated write to service principal name permissions, and then click OK on the three open dialog boxes to confirm your changes.

Close Active Directory Users and Computers.

Mass Nerder
  • thanks, but WinRM still equates to "login to a windows server and running setspn" -- i.e. I will have to set up/get access to a windows server (or the Active Directory server) to run the setspn command. If you believe that there is no other way, then please do make that explicit in your answer and I'll accept it. – Balint Pato Apr 19 '16 at 14:08
  • @BalintPato I don't think there is a way without using a Windows machine. I also added how to delegate the ability to create SPNs. Maybe your application supports the ability to create one automatically. – Mass Nerder Apr 19 '16 at 16:22
  • It's all just LDAP. Use LDAP tools from Linux to set the servicePrincipalName attribute. This presumes you have credentials or a Kerberos ticket on your Linux box with sufficient permissions to bind and modify the attribute for the target in AD. – Ryan Bolger Apr 19 '16 at 17:26