Can ARS be used ... customized to create a keytab and drop it in a shared location for the customer that needs one?

I've taken to delegating native AD rights to a group or two that allows write to servicePrincipalName, external to ARS.

ARS provides the delegation to create SPNs in the web interface, and that works great.

Unexpected additional need ... for those that create service accounts that need an SPN set, SOME of those also need a keytab created using the service account name and password that was just generated via ARS.

Nothing seems built in to also throw out a keytab,

But onCreate ... could a workflow or policy script be used to generate a keytab that mimics ktpass.exe so we can stay out of the native delegations arena?

  • Could you line out how you managed to delegate SPN creation?

  • You can definitely do this with a change workflow that reacts to a user creation.

    You would need a way for the workflow's start condition to know that it's a service account that is being created, perhaps check the samaccountname of the new object to see that it contains svc_ or something like that. (You would do that at the bottom of the start conditions page).

    After that it's easy enough to pick up the name of the new object via $Request.DN and/or then obtain whatever other property(ies) you need via $DirObj to pass to your ktpass command line in a script activity launched by the workflow.
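One way the script activity described in the reply above could look, as an added example rather than anything from the thread or from Active Roles itself: it assumes `$Request` and `$DirObj` behave like the ADSI-style objects the reply names (`Get`/`GetEx`), that the workflow hands in the generated password as `$Password`, and that `$Realm`, `$KeytabShare` and `$ReaderGroup` are placeholders you replace.

```powershell
# Hypothetical Active Roles script-activity function (added example, not code from the thread).
# Assumptions: $Request/$DirObj are the ADSI-like objects the reply refers to; the workflow
# supplies the ARS-generated password as $Password; realm, share and group are placeholders.
function New-ServiceAccountKeytab {
    param(
        [Parameter(Mandatory)] $Request,                    # request object ($Request in the thread)
        [Parameter(Mandatory)] $DirObj,                     # new account's directory object ($DirObj)
        [Parameter(Mandatory)] [string] $Password,          # assumption: generated password from the workflow
        [string] $Realm       = 'EXAMPLE.COM',              # placeholder Kerberos realm
        [string] $KeytabShare = '\\fileserver\keytabs$',    # placeholder shared drop location
        [string] $ReaderGroup = 'EXAMPLE\keytab-consumers'  # placeholder group allowed to read the file
    )

    # Same gate as the workflow start condition: only service accounts get a keytab.
    $sam = [string] $DirObj.Get('sAMAccountName')
    if ($sam -notlike 'svc_*') { return $null }

    # The SPN set through the ARS web interface becomes the keytab principal.
    $spns = @($DirObj.GetEx('servicePrincipalName'))
    if ($spns.Count -eq 0) { throw "No servicePrincipalName on $($Request.DN)" }
    $principal = "$($spns[0])@$Realm"
    $out       = Join-Path $KeytabShare "$sam.keytab"

    # Mirror the ktpass.exe call: derive the keys from the password ARS just set and
    # do not reset it again (-setpass), so the keytab stays in step with the account.
    $ktArgs = @(
        '/out', $out, '/princ', $principal, '/mapuser', "$sam@$Realm",
        '/mapop', 'set', '/pass', $Password, '/crypto', 'AES256-SHA1',
        '/ptype', 'KRB5_NT_PRINCIPAL', '-setpass'
    )
    & ktpass.exe @ktArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "ktpass.exe failed with exit code $LASTEXITCODE" }

    # A keytab holds long-term keys: strip inherited ACEs and grant read to the consumer group only.
    & icacls.exe $out /inheritance:r /grant "${ReaderGroup}:(R)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls.exe failed with exit code $LASTEXITCODE" }

    return $out
}
```

Because ktpass.exe only accepts the password on its command line, run the activity on a host where process command lines are not broadly readable, and log the returned path rather than the arguments.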