ActiveDirSec.Org

The world's most trusted forum on Active Directory Security




Member

Posts: 21
Date: Jun 1, 2011
Exactly what does Validated write to Service Principal Name control?


Hi again. One other question I had was in regards to the Validated write to Service Principal Name. We have noticed that this write is granted on quite a few computer account objects in our Active Directory and have been trying to get a good understanding of this right.

Does it have to do with Kerberos authentication in Active Directory, or does it have to do with NTLM authentication, or both? I would like to know what it controls, and how it does so.

It would also be nice to know what the difference is between an extended right and a validated write, as they both seem to have similar names, while being different obviously.



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.



Veteran Member

Posts: 28
Date: Jun 26, 2012
RE: Exactly what does Validated write to Service Principal Name control?


Hi Geoffrey,

The Validated write to Service Principal Name controls the ability of a user to specify valid Service Principal Names (SPNs) that represent unique instances of services running on a specific computer.


It is designed to ensure that the system only allows valid SPNs to be written to the Service-Principal-Name attribute of a machine's computer object, such that validity implies that the SPN is compliant with the host name and the DNS name of the computer.

Without this permission, the standard Active Directory Write Property permission would allow the unvalidated modification of this attribute, which would allow users to specify non-compliant SPN names, causing service-mapping errors which could disrupt Kerberos mutual authentication between a service on this computer, and a client attempting to use this service.

Hope this explains the purpose of this validated write.

Jack.

 



__________________

We will NEVER forget.



Member

Posts: 21
Date: Jun 29, 2012
RE: Exactly what does Validated write to Service Principal Name control?


Jack,

Thanks for your input - that definitely helps me understand what this right does.

I suppose I should go check who has this right on the computer accounts of the machines used by our Domain Admins.

By the way, how do I find out who has this right granted on a computer's account?

Thanks,

Geoffrey.



__________________

Wherever you go and whatever you do, may the luck of the Irish be there with you.



Veteran Member

Posts: 28
Date: Aug 31, 2012
RE: Exactly what does Validated write to Service Principal Name control?


Geoffrey,

If you just wanted to find out who has this permission granted on a computer account, you can examine the ACL of the computer account in Active Directory. When examining ACLs, the default ACL viewer in ADU&C / Administrative Center can be quite limiting though, so I'd suggest getting your hands on a good Active Directory ACL viewer.

There are some Microsoft command-line utilities you can use to get a detailed listing of an ACL, but they're nowhere close to the output you can get from specialized Active Directory ACL viewers.

One of the best Active Directory ACL Viewers I've come across is a part of the Gold Finger for AD solution. It has the ability to breakdown permissions in individual columns so you can very quickly and easily see which permissions are granting a specific type of access, such as Extended Rights in this case.

Once you can view the ACL, you should be able to find out which permissions grant this right, and then expand the membership of the groups specified in those ACLs to determine who has this permission granted on a computer account.

Good luck.

Jack.



__________________

We will NEVER forget.
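For Geoffrey's question of who can write to a given computer's SPNs, the following is an added PowerShell example (not code from the forum or from the Gold Finger product) that lists the ACEs on a computer object granting the validated SPN write, an unvalidated WriteProperty on servicePrincipalName, or generic write/full control, and then expands group trustees to their nested members. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) and read access to the object's security descriptor; 'ADMIN-WS01' is a placeholder computer name.

```powershell
# Added example, not code from the forum or from Gold Finger. Assumes the RSAT
# ActiveDirectory module and read access to the computer object's security
# descriptor. 'ADMIN-WS01' is a placeholder name.
Import-Module ActiveDirectory
$AdRights = [System.DirectoryServices.ActiveDirectoryRights]

# Well-known GUIDs from the AD schema and the Extended-Rights container
$ValidatedSpnGuid = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated-SPN validated write
$SpnAttributeGuid = [Guid]'28630ebb-41d5-11d2-a9e5-0000f80367c1'  # servicePrincipalName attribute

function Get-SpnWriteAces {
    param([Parameter(Mandatory)][string]$ComputerName)
    $computer = Get-ADComputer -Identity $ComputerName
    $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $r = $ace.ActiveDirectoryRights
        $allGuid = $ace.ObjectType -eq [Guid]::Empty   # ACE not scoped to one attribute or right
        # Validated writes appear as the 'Self' right scoped to the validated-write GUID
        $validated = $r.HasFlag($AdRights::Self) -and ($allGuid -or $ace.ObjectType -eq $ValidatedSpnGuid)
        # Plain WriteProperty on the attribute bypasses the validation entirely
        $unvalidated = $r.HasFlag($AdRights::WriteProperty) -and ($allGuid -or $ace.ObjectType -eq $SpnAttributeGuid)
        $generic = $r.HasFlag($AdRights::GenericAll) -or $r.HasFlag($AdRights::GenericWrite)
        if (-not ($validated -or $unvalidated -or $generic)) { continue }
        $kind = if ($generic) { 'Generic write / full control' }
                elseif ($unvalidated) { 'Unvalidated WriteProperty on SPN' }
                else { 'Validated write (SPN)' }
        [PSCustomObject]@{
            Computer  = $computer.Name
            Trustee   = $ace.IdentityReference.Value
            Kind      = $kind
            Inherited = $ace.IsInherited
        }
    }
}

# Expand a group trustee to its nested members; non-group trustees are returned as-is.
function Expand-Trustee {
    param([Parameter(Mandatory)][string]$Trustee)
    $name = $Trustee.Split('\')[-1]
    $group = Get-ADGroup -Filter { SamAccountName -eq $name } -ErrorAction SilentlyContinue
    if ($group) { (Get-ADGroupMember -Identity $group -Recursive).SamAccountName } else { $name }
}

Get-SpnWriteAces -ComputerName 'ADMIN-WS01' |
    Select-Object *, @{ n = 'Members'; e = { (Expand-Trustee $_.Trustee) -join ', ' } } |
    Format-Table -AutoSize
```

Rights granted through a property set rather than directly on the attribute are not expanded here, so a full ACL viewer remains useful for a complete picture.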
