ADManagedServiceAccount: add ServicePrincipalNames setting

* This is a string array and specifies Service Principal Names for
an AD Managed Service Account

Author: Rich Siegel

CHANGELOG.md

@@ -11,6 +11,8 @@ For older change log history see the [historic changelog](HISTORIC_CHANGELOG.md)
 - ADManagedServiceAccount
   - New parameter TrustedForDelegation for Kerberos Delegation
     ([issue #717](https://github.com/dsccommunity/ActiveDirectoryDsc/issues/717)).
+  - New parameter TrustedForDelegation for Service Principal Name
+    ([issue #717](https://github.com/dsccommunity/ActiveDirectoryDsc/issues/717)).
 - ADDomainController
   - New parameter UseExistingAccount for attaching a server to an existing RODC account.
     ([issue #711](https://github.com/dsccommunity/ActiveDirectoryDsc/issues/711)).

source/DSCResources/MSFT_ADManagedServiceAccount/MSFT_ADManagedServiceAccount.psm1

@@ -96,6 +96,7 @@ function Get-TargetResource
             'Enabled'
             'PrincipalsAllowedToRetrieveManagedPassword'
             'KerberosEncryptionType'
+            'ServicePrincipalNames'
             'TrustedForDelegation'
         )
     }
@@ -159,6 +160,7 @@ function Get-TargetResource
             DistinguishedName         = $adServiceAccount.DistinguishedName
             Enabled                   = $adServiceAccount.Enabled
             KerberosEncryptionType    = $adServiceAccount.KerberosEncryptionType -split (', ')
+            ServicePrincipalNames     = $adServiceAccount.ServicePrincipalNames -split (', ')
             TrustedForDelegation      = $adServiceAccount.TrustedForDelegation
             ManagedPasswordPrincipals = $managedPasswordPrincipals
             MembershipAttribute       = $MembershipAttribute
@@ -178,6 +180,7 @@ function Get-TargetResource
             DistinguishedName         = $null
             Enabled                   = $false
             KerberosEncryptionType    = @()
+            ServicePrincipalNames     = @()
             TrustedForDelegation      = $null
             ManagedPasswordPrincipals = @()
             MembershipAttribute       = $MembershipAttribute
@@ -227,6 +230,9 @@ function Get-TargetResource
         This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes
         attribute.
 
+    .PARAMETER ServicePrincipalNames
+        Specifies the service principal names for the user account.
+
     .PARAMETER TrustedForDelegation
         Specifies whether an account is trusted for Kerberos delegation. Default value is $false.
 
@@ -300,6 +306,10 @@ function Test-TargetResource
         [System.String[]]
         $KerberosEncryptionType,
 
+        [Parameter()]
+        [System.String[]]
+        $ServicePrincipalNames,
+
         [Parameter()]
         [ValidateNotNull()]
         [System.Boolean]
@@ -431,6 +441,9 @@ function Test-TargetResource
         This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes
         attribute.
 
+    .PARAMETER ServicePrincipalNames
+        Specifies the service principal names for the user account.
+
     .PARAMETER TrustedForDelegation
         Specifies whether an account is trusted for Kerberos delegation. Default value is $false.
 
@@ -512,6 +525,10 @@ function Set-TargetResource
         [System.String[]]
         $KerberosEncryptionType,
 
+        [Parameter()]
+        [System.String[]]
+        $ServicePrincipalNames,
+
         [Parameter()]
         [ValidateNotNull()]
         [System.Boolean]

source/DSCResources/MSFT_ADManagedServiceAccount/MSFT_ADManagedServiceAccount.schema.mof

@@ -10,6 +10,7 @@ class MSFT_ADManagedServiceAccount : OMI_BaseResource
     [Write, Description("Specifies the Active Directory Domain Controller instance to use to perform the task. This is only required if not executing the task on a domain controller.")] String DomainController;
     [Write, Description("Specifies whether the user account is created or deleted. If not specified, this value defaults to Present."), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] String Ensure;
     [Write, Description("Specifies which Kerberos encryption types the account supports when creating service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute."),ValueMap{"None","RC4","AES128","AES256"}, Values{"None","RC4","AES128","AES256"}] String KerberosEncryptionType[];
+    [Write, Description("Specifies the service principal names for the user account.")] String ServicePrincipalNames[];
     [Write, Description("Specifies whether an account is trusted for Kerberos delegation. Default value is $false.")] Boolean TrustedForDelegation;
     [Write, Description("Specifies the membership policy for systems which can use a group managed service account. (ldapDisplayName 'msDS-GroupMSAMembership'). Only used when 'Group' is selected for 'AccountType'.")] String ManagedPasswordPrincipals[];
     [Write, Description("Active Directory attribute used to perform membership operations for Group Managed Service Accounts (gMSA). If not specified, this value defaults to SamAccountName."), ValueMap{"SamAccountName","DistinguishedName","ObjectGUID","ObjectSid"}, Values{"SamAccountName","DistinguishedName","ObjectGUID","ObjectSid"}] String MembershipAttribute;

source/DSCResources/MSFT_ADManagedServiceAccount/en-US/about_ADManagedServiceAccount.help.txt

@@ -45,6 +45,10 @@
     Allowed values: None, RC4, AES128, AES256
     Specifies which Kerberos encryption types the account supports when creating service tickets. This value sets the encryption types supported flags of the Active Directory msDS-SupportedEncryptionTypes attribute.
 
+.PARAMETER ServicePrincipalNames
+    Write - StringArray
+    Specifies the service principal names for the user account.
+
 .PARAMETER TrustedForDelegation
     Write - Boolean
     Specifies whether an account is trusted for Kerberos delegation. Default value is $false.

tests/Unit/MSFT_ADManagedServiceAccount.Tests.ps1

@@ -77,6 +77,7 @@ try
             DisplayName               = 'TestSMSA'
             Enabled                   = $true
             KerberosEncryptionType    = 'RC4', 'AES128', 'AES256'
+            ServicePrincipalNames     = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1','HTTP/Node1.contoso.com'
             TrustedForDelegation      = $false
             ManagedPasswordPrincipals = @()
             MembershipAttribute       = 'SamAccountName'
@@ -94,6 +95,7 @@ try
             ManagedPasswordPrincipals = @()
             MembershipAttribute       = $mockAdServiceAccountStandalone.MembershipAttribute
             KerberosEncryptionType    = @()
+            ServicePrincipalNames     = @()
             Ensure                    = 'Absent'
         }
 
@@ -102,6 +104,7 @@ try
             Description               = 'Changed description'
             DisplayName               = 'Changed displayname'
             KerberosEncryptionType    = 'AES128', 'AES256'
+            ServicePrincipalNames     = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1'
             ManagedPasswordPrincipals = $mockADUSer.SamAccountName
         }
 
@@ -114,6 +117,7 @@ try
             DisplayName               = 'TestGMSA'
             Enabled                   = $true
             KerberosEncryptionType    = 'RC4', 'AES128', 'AES256'
+            ServicePrincipalNames     = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1','HTTP/Node1.contoso.com'
             TrustedForDelegation      = $true
             ManagedPasswordPrincipals = $mockADUSer.SamAccountName, $mockADComputer.SamAccountName
             MembershipAttribute       = 'SamAccountName'
@@ -131,6 +135,7 @@ try
             ManagedPasswordPrincipals = @()
             MembershipAttribute       = $mockAdServiceAccountGroup.MembershipAttribute
             KerberosEncryptionType    = @()
+            ServicePrincipalNames     = @()
             TrustedForDelegation      = $null
             Ensure                    = 'Absent'
         }
@@ -142,6 +147,7 @@ try
             DistinguishedName      = $mockAdServiceAccountStandalone.DistinguishedName
             Enabled                = $mockAdServiceAccountStandalone.Enabled
             KerberosEncryptionType = $mockAdServiceAccountStandalone.KerberosEncryptionType
+            ServicePrincipalNames  = $mockAdServiceAccountStandalone.ServicePrincipalNames
             TrustedForDelegation   = $mockAdServiceAccountStandalone.TrustedForDelegation
             Name                   = $mockAdServiceAccountStandalone.ServiceAccountName
             ObjectClass            = 'msDS-ManagedServiceAccount'
@@ -158,6 +164,7 @@ try
             DistinguishedName                          = $mockAdServiceAccountGroup.DistinguishedName
             Enabled                                    = $mockAdServiceAccountGroup.Enabled
             KerberosEncryptionType                     = $mockAdServiceAccountGroup.KerberosEncryptionType
+            ServicePrincipalNames                      = $mockAdServiceAccountGroup.ServicePrincipalNames
             TrustedForDelegation                       = $mockAdServiceAccountGroup.TrustedForDelegation
             Name                                       = $mockAdServiceAccountGroup.ServiceAccountName
             ObjectClass                                = 'msDS-GroupManagedServiceAccount'
@@ -183,6 +190,7 @@ try
             Credential                = $mockCredentials
             DomainController          = $mockDomainController
             KerberosEncryptionType    = 'RC4', 'AES128', 'AES256'
+            ServicePrincipalNames     = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1','HTTP/Node1.contoso.com'
             TrustedForDelegation      = $false
 
         }
@@ -202,6 +210,7 @@ try
             Credential                = $mockCredentials
             DomainController          = $mockDomainController
             KerberosEncryptionType    = 'RC4', 'AES128', 'AES256'
+            ServicePrincipalNames     = 'MSSQLSvc/Node1.contoso.com','HTTP/Node1','HTTP/Node1.contoso.com'
             TrustedForDelegation      = $false
         }
 
@@ -218,6 +227,7 @@ try
             ManagedPasswordPrincipals = @()
             MembershipAttribute       = 'SamAccountName'
             KerberosEncryptionType    = @()
+            ServicePrincipalNames     = @()
             TrustedForDelegation      = $null
         }
 
@@ -434,6 +444,7 @@ try
                 Description               = $mockAdServiceAccountStandalone.Description
                 DisplayName               = $mockAdServiceAccountStandalone.DisplayName
                 KerberosEncryptionType    = $mockAdServiceAccountStandalone.KerberosEncryptionType
+                ServicePrincipalNames     = $mockAdServiceAccountStandalone.ServicePrincipalNames
                 ManagedPasswordPrincipals = $mockAdServiceAccountStandalone.ManagedPasswordPrincipals
                 MembershipAttribute       = $mockAdServiceAccountStandalone.MembershipAttribute
                 Ensure                    = $mockAdServiceAccountStandalone.Ensure
@@ -567,6 +578,7 @@ try
                 Ensure                 = $mockAdServiceAccountStandAlone.Ensure
                 DisplayName            = $mockAdServiceAccountStandAlone.DisplayName
                 KerberosEncryptionType = $mockAdServiceAccountStandAlone.KerberosEncryptionType
+                ServicePrincipalNames  = $mockAdServiceAccountStandalone.ServicePrincipalNames
             }
 
             $setTargetResourceParametersStandAloneAbsent = $setTargetResourceParametersStandAlone.Clone()
@@ -583,6 +595,7 @@ try
                 ManagedPasswordPrincipals = $mockAdServiceAccountGroup.ManagedPasswordPrincipals
                 DisplayName               = $mockAdServiceAccountGroup.Name.DisplayName
                 KerberosEncryptionType    = $mockAdServiceAccountGroup.KerberosEncryptionType
+                ServicePrincipalNames     = $mockAdServiceAccountGroup.ServicePrincipalNames
             }
             Context 'When the Resource should be Present' {