SETSPN PowerShell Script

  • Question

  • I am creating an SPN script to run on Azure Scale Sets. The script will automatically be downloaded to each machine and needs to register when it comes online.

    The objective is to run the SPN as a domain admin and not the local user.

    Here is my code:

    param (
      $vmDomain='testdomain.com',
      $vmAdminUsername='testuser',
      $vmAdminPassword='Userpassword'
    )

    $password = ConvertTo-SecureString $vmAdminPassword -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential($vmDomain + "\" + $vmAdminUsername, $password)
    $cmd='C:\Windows\System32\setspn.exe -s MSSQLSvc/' + $env:computername +' domain\serviceaccount'
    Write-Verbose -Verbose "Entering Custom Script Extension..."

    start-process $cmd -Credential $credential

    It currently fails with:

    start-process : Object reference not set to an instance of an object.
    At line:15 char:2
    +  start-process $cmd -Credential $credential
    +  ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Start-Process], NullReferenceException
        + FullyQualifiedErrorId : System.NullReferenceException,Microsoft.PowerShell.Commands.StartProcessCommand
     

    Any idea?

    Monday, September 18, 2017 4:16 AM

Answers

  • Got it to work locally with the following code:

    param (
      $vmAdminUsername,
      $vmAdminPassword
    )

    $SecurePassword = ConvertTo-SecureString $vmAdminPassword -AsPlainText -Force
    $Credential = New-Object System.Management.Automation.PSCredential ($vmAdminUsername,$SecurePassword)
    $myFQDN=(Get-WmiObject win32_computersystem).DNSHostName+"."+(Get-WmiObject win32_computersystem).Domain
    $arglist1 = "setspn.exe -s MSSQLSvc/$env:computername",'Domain\ServiceAccount'
    $arglist2 = "setspn.exe -s MSSQLSvc/$myFQDN",'domain\ServiceAccount'

    Start-Process powershell.exe -Credential ($credential) -NoNewWindow -ArgumentList $arglist1
    Start-Process powershell.exe -Credential ($credential) -NoNewWindow -ArgumentList $arglist2

    However, from the template, it is failing. I am calling it with:

    "commandToExecute": "[concat('powershell.exe -ExecutionPolicy Unrestricted -file SETSPN.ps1', parameters('VMadminUsername'), '', parameters('VMadminPassword'))]"

    Wednesday, September 20, 2017 2:58 PM
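    The pattern the thread converges on (executable and arguments kept separate for Start-Process, NetBIOS domain in the account name, a credential object rather than a password literal), written up as an added example that is not code from the thread. The service account name is a placeholder, the setspn.exe location under System32 and the WorkingDirectory workaround are my assumptions, and the SPN form without a port follows the thread rather than SQL Server's usual host:port convention.

```powershell
<#
  Added example (not code from the thread): register MSSQLSvc SPNs for a
  service account with setspn.exe under alternate credentials.
#>
param (
    # Account that will own the SPNs, e.g. 'CONTOSO\svc-sql' (NetBIOS domain, not FQDN, as jrv notes). Placeholder.
    [Parameter(Mandatory)] [string]$ServiceAccount,
    # Domain account allowed to write SPNs; build it with Get-Credential or from a secret
    # supplied by the caller, never from a password literal in the script.
    [Parameter(Mandatory)] [System.Management.Automation.PSCredential]$Credential
)

$cs     = Get-CimInstance -ClassName Win32_ComputerSystem
$fqdn   = '{0}.{1}' -f $cs.DNSHostName, $cs.Domain
$setspn = Join-Path $env:SystemRoot 'System32\setspn.exe'   # assumed location
if (-not (Test-Path $setspn)) { throw "setspn.exe not found at $setspn" }

# Short host name and FQDN, as in the accepted answer. SQL Server SPNs normally
# also carry the port or instance name (MSSQLSvc/host:1433); this follows the thread.
foreach ($hostName in @($env:COMPUTERNAME, $fqdn)) {
    $startParams = @{
        FilePath         = $setspn
        # Executable and arguments stay separate: passing both as one string
        # is what produced the NullReferenceException in the question.
        ArgumentList     = @('-S', "MSSQLSvc/$hostName", $ServiceAccount)
        Credential       = $Credential
        # The alternate user must be able to access the working directory; an
        # inaccessible one is a common cause of "The directory name is invalid".
        WorkingDirectory = Join-Path $env:SystemRoot 'System32'
        NoNewWindow      = $true
        Wait             = $true
        PassThru         = $true
    }
    $proc = Start-Process @startParams
    if ($proc.ExitCode -ne 0) {
        throw "setspn -S MSSQLSvc/$hostName $ServiceAccount failed (exit code $($proc.ExitCode))"
    }
}

# Verify what is now registered on the account (read-only, runs as the current user).
& $setspn -L $ServiceAccount
```

    Run it as `.\Register-SqlSpn.ps1 -ServiceAccount 'CONTOSO\svc-sql' -Credential (Get-Credential)`; when the Custom Script Extension drives it, keep the password in the extension's protectedSettings rather than the plain settings block, and check that the concatenated commandToExecute has a space between the script name and each argument.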

All replies

  • You should not be embedding a password in plain text in a script - especially not a domain admin account's credentials!

    -- Bill Stewart [Bill_Stewart]

    Tuesday, September 19, 2017 2:15 PM
    Moderator
  • Not planning on it. This will be a passed parameter.  I am only using this as a test to see if it runs locally.
    Tuesday, September 19, 2017 7:24 PM
  • You have to do it this way:

    $arglist = "-s MSSQLSvc/$env:computername",'domain\serviceaccount'
    start-process 'setspn.exe' -ArgumentList $arglist  -Credential $credential
    

    \_(ツ)_/


    • Edited by jrv Tuesday, September 19, 2017 7:56 PM
    Tuesday, September 19, 2017 7:55 PM
  • I tried that, but it errors out. I don't think Argumentlist is supported in start-process.

    start-process : Object reference not set to an instance of an object.
    At line:17 char:1
    + start-process 'setspn.exe' -ArgumentList $arglist -Credential $credential
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Start-Process], NullReferenceException
        + FullyQualifiedErrorId : System.NullReferenceException,Microsoft.PowerShell.Commands.StartProcessCommand

    Tuesday, September 19, 2017 8:34 PM
  • Learn to use PowerShell.  Don't make wrong guesses that you can easily verify:

    help start-process -full

    Your credential object is likely null.

    $arglist cannot be null if you used my exact code. "domain" must be a NetBIOS name and not an FQDN or DNS name.

    $vmDomain must be either the NB computer name or the NB domain name.

    Try testing it by just typing in all values at a prompt. Use help to learn how to use each command. Learn about Windows credential objects and test until you are sure you understand how they work. Most important, learn PowerShell so you will not have to guess at every line of code.

    Learn PowerShell: https://mva.microsoft.com/en-us/training-courses/getting-started-with-microsoft-powershell-8276



    \_(ツ)_/

    Tuesday, September 19, 2017 8:45 PM
  • Sorry, I typed a - in PowerShell ISE and the Arg did not appear as an option.

    You are correct and it is supported. Manually, it works. Via script, it is failing and I don't know where.

    I removed the credentials and I get the error:

    start-process : This command cannot be run due to the error: The directory name is invalid.
    At line:18 char:1
    + start-process 'setspn.exe' $arglist -Credential $user
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (:) [Start-Process], InvalidOperationException
        + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand

    param (
      $vmDomain='testdomain.com',  
      $vmAdminUsername='testuser',
      $vmAdminPassword='Userpassword'
      
    )
    $arglist = "-s MSSQLSvc/$env:computername",'domain\serviceaccount'
    $password =  ConvertTo-SecureString $vmAdminPassword -AsPlainText -Force
    $credential = New-Object System.Management.Automation.PSCredential($vmDomain + "\" + $vmAdminUsername, $password)
    
    Write-Verbose -Verbose "Entering Custom Script Extension..."
     
    start-process 'setspn.exe' -ArgumentList $arglist  -Credential "domain\adminuser"


    • Edited by anon1m0us Tuesday, September 19, 2017 9:27 PM
    Tuesday, September 19, 2017 9:26 PM
  • get-command setspn

    If it does not show then it is not installed or in the path.


    \_(ツ)_/

    Tuesday, September 19, 2017 9:36 PM
  • I believe the issue is with the credentials.

    I am running PS as a local account. The script will use the credentials to set the SPN. This is what is erroring out.

    If I open PS as a domain user account that is defined in the script, and then run the script without -Credential, it works fine.

    So either I cannot run this account as a local admin but must launch PS as a domain admin, or the issue is how I set the credentials.

    Tuesday, September 19, 2017 11:07 PM
  • Some utilities cannot be activated without a full user session. Some have security issues. SETSPN must validate the request against the security manager database that owns the domain service account. It appears this cannot be done from a non-domain full session.


    \_(ツ)_/

    Tuesday, September 19, 2017 11:43 PM