SPN & Delegation backup script

I use SPNs quite extensively to allow Reporting Services to talk to database servers, SharePoint etc. It's a core component of any new server setup I perform. We also employ Kerberos delegation, which allows the user's credentials to be passed down through SSRS to the database server. On most service accounts delegation is simply set to Trust this user for delegation to any service (Kerberos only), but we do have a few where specific services are defined.

This is where my script comes in. I built this solution in response to a problem I also created. The best kind, eh!

I was working with a sys admin to fault-find an anonymous login issue (primarily caused by missing delegation or SPNs when using Kerberos auth). In an effort to eliminate suspected issues I asked him to switch the production service account (FIRST MISTAKE! :)) from its specified list of services to Trust this user for delegation to any service (Kerberos only). When this didn't work I asked him to switch it back, and that's when we both discovered the nice list of 10+ services defined was blank…

After hours of troubleshooting, trawling through requests to add SPNs and delegation, we were able to rebuild the list. This was when I decided to build a safety net to prevent this from happening again. A PowerShell script to grab the info from AD and back it up to CSV files (which I then pushed into version control) was easily the best option. It could be set up as a scheduled task and run every month to keep an up-to-date record of the SPNs and delegation records on our service accounts, should the accounts get deleted or someone make my mistake again.

The script is pretty well documented but if you have any questions on any part pop a comment in.
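The post's own script is not reproduced here, so the following is an added example of my own showing the same idea: export every user account's SPNs and Kerberos delegation settings to two CSV files, one row per entry and sorted, so that the files diff cleanly in version control, and restore a single account from that backup without clobbering entries that already exist. It assumes the RSAT ActiveDirectory module is available and the caller can read (and, for the restore, write) these attributes; the function names, the CSV layout and the backup path are this example's own choices, not anything from the original post.

```powershell
<#
  Added example, not the post's script: back up SPNs and delegation settings of
  user accounts to CSV and restore one account from that backup idempotently.
  Assumes the RSAT ActiveDirectory module. Function names, CSV layout and the
  C:\Backups\spn path are this example's own choices.
#>
Import-Module ActiveDirectory

# userAccountControl bits: TRUSTED_FOR_DELEGATION (0x80000 = 524288) is the
# "Trust this user for delegation to any service (Kerberos only)" option;
# TRUSTED_TO_AUTH_FOR_DELEGATION (0x1000000 = 16777216) is "Use any authentication protocol".
$BitAnd = '1.2.840.113556.1.4.803'   # LDAP bitwise-AND matching rule OID
$BackupFilter = "(|(servicePrincipalName=*)(msDS-AllowedToDelegateTo=*)" +
                "(userAccountControl:${BitAnd}:=524288)(userAccountControl:${BitAnd}:=16777216))"
$Props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'TrustedForDelegation', 'TrustedToAuthForDelegation'

function Get-DelegationMode {
    param($User)
    if ($User.TrustedForDelegation) { return 'Unconstrained' }
    if (@($User.'msDS-AllowedToDelegateTo').Count -gt 0) {
        if ($User.TrustedToAuthForDelegation) { return 'ConstrainedAnyProtocol' }
        return 'ConstrainedKerberosOnly'
    }
    return 'None'
}

function Export-SpnDelegationBackup {
    param([Parameter(Mandatory)][string]$OutputDirectory)
    $users = Get-ADUser -LDAPFilter $BackupFilter -Properties $Props
    $spnRows = foreach ($u in $users) {
        foreach ($spn in @($u.servicePrincipalName)) {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; SPN = $spn }
        }
    }
    $delegationRows = foreach ($u in $users) {
        $targets = @($u.'msDS-AllowedToDelegateTo')
        if ($targets.Count -eq 0) { $targets = @('') }   # keep one row so the mode itself is recorded
        foreach ($t in $targets) {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName
                               DelegationMode = Get-DelegationMode $u
                               AllowedService = $t }
        }
    }
    $spnRows | Sort-Object SamAccountName, SPN |
        Export-Csv -NoTypeInformation -Encoding UTF8 -Path (Join-Path $OutputDirectory 'spns.csv')
    $delegationRows | Sort-Object SamAccountName, AllowedService |
        Export-Csv -NoTypeInformation -Encoding UTF8 -Path (Join-Path $OutputDirectory 'delegation.csv')
}

function Restore-SpnDelegation {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$BackupDirectory,
          [Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties $Props
    # SPNs: add only the ones the account has lost.
    $wanted  = @(Import-Csv (Join-Path $BackupDirectory 'spns.csv') |
                 Where-Object SamAccountName -eq $SamAccountName | ForEach-Object SPN)
    $missing = @($wanted | Where-Object { $_ -notin @($u.servicePrincipalName) })
    if ($missing.Count -gt 0 -and $PSCmdlet.ShouldProcess($SamAccountName, "add SPNs $($missing -join ', ')")) {
        Set-ADUser -Identity $u -ServicePrincipalNames @{ Add = $missing }   # errors if an SPN is now owned elsewhere
    }
    # Delegation: re-add missing targets, then the UAC flag that distinguishes the mode.
    $rows = @(Import-Csv (Join-Path $BackupDirectory 'delegation.csv') | Where-Object SamAccountName -eq $SamAccountName)
    if ($rows.Count -eq 0) { return }
    $mode    = $rows[0].DelegationMode
    $targets = @($rows | ForEach-Object AllowedService | Where-Object { $_ })
    $missing = @($targets | Where-Object { $_ -notin @($u.'msDS-AllowedToDelegateTo') })
    if ($missing.Count -gt 0 -and $PSCmdlet.ShouldProcess($SamAccountName, "add delegation targets $($missing -join ', ')")) {
        Set-ADUser -Identity $u -Add @{ 'msDS-AllowedToDelegateTo' = $missing }
    }
    if ($mode -eq 'Unconstrained' -and -not $u.TrustedForDelegation -and
        $PSCmdlet.ShouldProcess($SamAccountName, 'set TRUSTED_FOR_DELEGATION')) {
        Set-ADAccountControl -Identity $u -TrustedForDelegation $true
    }
    if ($mode -eq 'ConstrainedAnyProtocol' -and -not $u.TrustedToAuthForDelegation -and
        $PSCmdlet.ShouldProcess($SamAccountName, 'set TRUSTED_TO_AUTH_FOR_DELEGATION')) {
        Set-ADAccountControl -Identity $u -TrustedToAuthForDelegation $true
    }
}

# Scheduled-task usage: export, then commit the directory to version control.
# Export-SpnDelegationBackup -OutputDirectory 'C:\Backups\spn'
# Dry run of a restore (hypothetical account name):
# Restore-SpnDelegation -BackupDirectory 'C:\Backups\spn' -SamAccountName 'svc_ssrs' -WhatIf
```

Two points worth knowing when using a backup like this. First, the restore only ever adds entries, because the failure being guarded against is entries disappearing; switching an account to "any service" in Active Directory Users and Computers clears msDS-AllowedToDelegateTo, and recording the mode alongside the target list means the CSV shows both what was lost and which option the account had. Second, the DelegationMode column makes the accounts in Unconstrained mode easy to pick out in review: a service trusted for delegation to any service holds the Kerberos TGTs of the users who authenticate to it, so a compromise of that account is considerably worse than a compromise of one with a constrained target list, and each such account is worth a deliberate decision rather than a default.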
