bugmanch/powerscale-add-ad-spn-perm
Powerscale - Allow Write ServicePrincipalName in AD

By: Thomas Bettems

#Iwork4Dell

Purpose

This Powershell script automates the addition of permission "Write ServicePrincipalName" to a Powerscale cluster computer object in Active Directory.

By default, when a Powerscale cluster is joined to an Active Directory domain, it will register all Smartconnect Zone names defined as "Service Principal Names", which are hostname aliases assigned to the cluster Computer Account.

These aliases must be registered correctly in Active Directory for Kerberos authentication to work. If they are not registered correctly, Kerberos authentication will fail and SMB clients will silently fall back to legacy NTLM authentication. This fallback does not show up in any logs on either the Powerscale or the client side.

Typically, when new Smartconnect zone names are created after the cluster has been joined to AD, the SPNs will not be registered automatically. This is because, by default, the Computer Account object itself lacks the permission to write its own servicePrincipalName attribute in Active Directory.

Check SPN from Powerscale

On a Powerscale cluster, SPN registration can be checked with the following command:

isi auth smb spn check <domain-name>

Missing or superfluous SPNs can be corrected with the command:

isi auth smb spn fix <domain-name>

By default, this will fail with an ACCESS DENIED error message, because the Powerscale cluster attempts to set the servicePrincipalName attribute using its Computer Account persona, which lacks the required permission.

Objective of this script

This script therefore adds the "Write servicePrincipalName" permission to the cluster Computer Account in Active Directory, so that the cluster is allowed to fix its own SPN registration automatically whenever Smartconnect Zone Names are modified.

This is also useful when using orchestrated DR tools such as Superna in Access Zone mode. In fact, adding this permission is required to allow seamless failover automation.

How to use this script

Prerequisites

The RSAT Active Directory tools must be installed before using this script.

On Windows 11:

Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"

Utilization

To grant a Powerscale cluster the permission on its own Computer Account:

pscale-add-ad-perm.ps1 -PscaleClusterName <cluster-name>

To grant the DR cluster permission to modify the SPNs of the Prod cluster:

pscale-add-ad-perm.ps1 -PscaleClusterName <prod-cluster> -GranteeName <dr-cluster>
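The following is an added example of how the permission described above can be granted, written for this page; it is not the repository's own pscale-add-ad-perm.ps1. It reuses the -PscaleClusterName and -GranteeName parameter names from the usage lines, looks up the schemaIDGUID of servicePrincipalName from the schema instead of hard-coding it, and assumes the RSAT ActiveDirectory module is loaded and the caller is allowed to modify the target object's ACL.

```powershell
# Added example, not the repository's script. Grants a computer account
# "Write servicePrincipalName" on a Powerscale cluster's AD computer object.
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)][string]$PscaleClusterName,
    [string]$GranteeName = $PscaleClusterName   # default: cluster gets the right on itself
)
Import-Module ActiveDirectory -ErrorAction Stop

# Resolve both computer objects; Get-ADComputer accepts the plain computer name
$target  = Get-ADComputer -Identity $PscaleClusterName
$grantee = Get-ADComputer -Identity $GranteeName
$granteeSid = [System.Security.Principal.SecurityIdentifier]$grantee.SID

# Look up the schemaIDGUID of the servicePrincipalName attribute from the schema NC
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$spnAttr  = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=servicePrincipalName)' -Properties schemaIDGUID
$spnGuid  = [guid]$spnAttr.schemaIDGUID

# Build the ACE: allow WriteProperty on exactly that attribute, no inheritance
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $granteeSid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $spnGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$aclPath = "AD:\$($target.DistinguishedName)"
$acl = Get-Acl -Path $aclPath

# Idempotency: do nothing if an equivalent allow ACE is already present
$existing = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $granteeSid -and
    $_.ObjectType -eq $spnGuid -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
}
if ($existing) {
    Write-Host "$($grantee.SamAccountName) already has Write servicePrincipalName on $($target.DistinguishedName)"
    return
}

# -WhatIf is honoured here, so the change can be previewed before it is written
if ($PSCmdlet.ShouldProcess($target.DistinguishedName,
        "Grant Write servicePrincipalName to $($grantee.SamAccountName)")) {
    $acl.AddAccessRule($ace)
    Set-Acl -Path $aclPath -AclObject $acl
}
```

After running it, "isi auth smb spn fix <domain-name>" on the cluster should no longer return ACCESS DENIED; the dsacls output for the computer object shows the new ACE.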

About

Powershell script to add a Powerscale cluster permission to edit its own SPNs in Active Directory
