Wednesday, June 25, 2025

WINDOWS. PS. SECURITY. SPN. Service Principal Name

Purpose

A PowerShell script that lets you verify whether an SPN (Service Principal Name) exists in the domain that would allow a TGS (Ticket Granting Service) ticket to be requested for that account. The script searches Active Directory for registered SPNs and displays those that meet the criteria.

There are different search queries you can use; I recommend these two.

Steps
Query 1:

# Make sure the ActiveDirectory module is imported
Import-Module ActiveDirectory

# Get every user that has at least one SPN configured
Get-ADUser -Filter * -Properties servicePrincipalName |
    Where-Object { $_.servicePrincipalName -ne $null } |
    Select-Object SamAccountName, servicePrincipalName


For example, an entry like MSSQLSvc/NETVXX.domain.com:1433 on the Administrator account means:

* This account has a registered Service Principal Name (SPN) for SQL Server.

* MSSQLSvc indicates the service (SQL Server).

* NETVXX.domain.com is the hostname where the service runs.

* 1433 is the standard TCP port for SQL Server.

In other words: the Administrator account is associated as the service identity for a SQL Server on that server/port. This allows clients to use Kerberos authentication to connect to that SQL instance.

Query 2:

# Import the Active Directory module
Import-Module ActiveDirectory
# Define the SPN pattern you want to search for
$spn = "HTTP/*"
# Find accounts that carry an SPN matching the pattern
$cuentasConSPN = Get-ADObject -Filter {ServicePrincipalName -like $spn} -Properties ServicePrincipalName, Name
# Check whether any accounts with that SPN were found
if ($cuentasConSPN) {
    Write-Output "Se encontraron las siguientes cuentas con el SPN '$spn':"
    $cuentasConSPN | Select-Object Name, ServicePrincipalName | Format-Table -AutoSize
} else {
    Write-Output "No se encontraron cuentas con el SPN '$spn'."
}


ADVICE1: If you cannot remove the SPN from the account, it is recommended to set a password of 25 characters or more.

ADVICE2: You can create a script that checks whether the output of these queries has changed since the last run.
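One way to act on ADVICE2, as an added example that is not part of the original post: this script stores the Query 1 inventory as a JSON baseline and, on each later run, reports which account/SPN pairs were added or removed since the previous run. The baseline path is an assumed value; adjust it to your environment.

```powershell
# Added example (not from the original post): track changes in the SPN inventory.
Import-Module ActiveDirectory

$BaselinePath = 'C:\SPNAudit\spn-baseline.json'   # assumed location, change as needed

# Collect user accounts that carry at least one SPN (same scope as Query 1),
# flattened to "account|SPN" strings so the comparison is order-independent.
function Get-SpnInventory {
    Get-ADUser -Filter 'servicePrincipalName -like "*"' -Properties servicePrincipalName |
        ForEach-Object {
            $account = $_.SamAccountName
            foreach ($spn in $_.servicePrincipalName) { "$account|$spn" }
        } | Sort-Object -Unique
}

$current = @(Get-SpnInventory)

if (-not (Test-Path $BaselinePath)) {
    # First run: record the baseline and stop.
    New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
    ConvertTo-Json -InputObject $current | Set-Content -Path $BaselinePath
    Write-Output "Baseline written with $($current.Count) SPN entries."
} else {
    $previous = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)

    # Hashtables give O(1) membership checks and behave the same for empty lists.
    $prevSet = @{}; foreach ($e in $previous) { $prevSet[$e] = $true }
    $currSet = @{}; foreach ($e in $current)  { $currSet[$e] = $true }
    $added   = @($current  | Where-Object { -not $prevSet.ContainsKey($_) })
    $removed = @($previous | Where-Object { -not $currSet.ContainsKey($_) })

    if ($added.Count -eq 0 -and $removed.Count -eq 0) {
        Write-Output "No SPN changes since the last run."
    } else {
        # A new SPN on a user account should be reviewed with the account owner;
        # a removed one may be cleanup or may be someone covering tracks.
        foreach ($e in $added)   { $a, $s = $e -split '\|', 2; Write-Output "ADDED    $a  $s" }
        foreach ($e in $removed) { $a, $s = $e -split '\|', 2; Write-Output "REMOVED  $a  $s" }
    }

    # Refresh the baseline so the next run reports only further changes.
    ConvertTo-Json -InputObject $current | Set-Content -Path $BaselinePath
}
```

Schedule it with Task Scheduler and route the output to a mailbox or SIEM so that a newly registered SPN is noticed the same day rather than at the next manual audit.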


By GoN | Published: Jun 2025 | Last updated: Dec 2025
