Home / server / Questions / 1053172
In Process
Matt
Asked: 2021-02-11 13:07:48 +0800 CST

How can I grant rights to update ServicePrincipalName when I can't see that option in the list?

  • 772

I'll happily close this if its a dumb question. I am trying to grant rights to SELF on an AD service (user) account for a MSSQL Server instance account.

Problem is I cannot see the check box for Read ServicePrincipalName / Write ServicePrincipalName based on multiple sources that suggest I need to add that ACE to the account.

Screenshot from AD Security checklist

Is this because I am using a user account as supposed to an MSA? I tried running the following anyway since I should not be limited by checkboxes...

dsacls "CN=SQL Engine Service,<redacted>" /G SELF:RPWP; "servicePrincipalName"

Which came back as successful but I have been unable to verify that change is present anywhere.

(get-acl "ad:\CN=SQL Engine Service,OU=Service Accounts,DC=cdn-north,DC=ab,DC=ca").access | where identityreference -eq "NT AUTHORITY\SELF" | select objecttype,activedirectoryrights

ObjectType                                                                                        ActiveDirectoryRights
----------                                                                                        ---------------------
ab721a53-1e2f-11d0-9819-00aa0040529b                                                                      ExtendedRight
00000000-0000-0000-0000-000000000000                                                         WriteProperty, GenericRead
e45795b2-9455-11d1-aebd-0000f80367c1                                                        ReadProperty, WriteProperty
e45795b3-9455-11d1-aebd-0000f80367c1                                                        ReadProperty, WriteProperty
ab721a53-1e2f-11d0-9819-00aa0040529b                                                                      ExtendedRight
ab721a54-1e2f-11d0-9819-00aa0040529b                                                                      ExtendedRight
ab721a56-1e2f-11d0-9819-00aa0040529b                                                                      ExtendedRight
77b5b886-944a-11d1-aebd-0000f80367c1                                                        ReadProperty, WriteProperty
ea1b7b93-5e48-46d5-bc6c-4df4fda78a35                                                                      WriteProperty
3f78c3e5-f79a-46bd-a0b8-9d18116ddc79                                                        ReadProperty, WriteProperty
91e647de-d96f-4b70-9557-d63ff4f3ccd8                                         ReadProperty, WriteProperty, ExtendedRight

I am expected to see th GUID Service-Principal-Name (f3a64788-5306-11d1-a9c5-0000f80367c1) but its not there.

Where I am going wrong? Why can't I add read and write permission for ServicePrincipalName to the user account sqlengine in my domain?

sql-server security active-directory permissions user-accounts

1 Answers

  1. This will happen if you are attempting to set these permissions via Active Directory Users & Computer (dsa.msc). You need to be doing this via ADSI Edit (adsiedit.msc). Editing the security that way will allow you to see the appropriate options.

    This is reinforced on dbamohsin.wordpress.com

    On a Domain Controller, run adsiedit.msc (Doing this via the normal dsa.msc console will not expose the spn permissions that need to be added)

    It is important not to skip ahead with instructions

    • 0