5.5 AccessCheckWriteToSpnAttribute

 procedure AccessCheckWriteToSpnAttribute(
   obj: DSName, spnSet: set of unicodestring) : boolean

The AccessCheckWriteToSpnAttribute procedure performs an access check to determine if the client security context, which MUST be retrieved using the method described in [MS-RPCE] section 3.3.3.4.3, has the right to modify the servicePrincipalName attribute of object obj with the SPN values specified in spnSet, taking into consideration both regular and extended write property rights.

  
 if AccessCheckAttr(obj,
                    servicePrincipalName, 
                    RIGHT_DS_WRITE_PROPERTY) then
   return ERROR_SUCCESS
 else
   if AccessCheckAttr(obj,
                      servicePrincipalName, 
                      RIGHT_DS_WRITE_PROPERTY_EXTENDED) then
     /* Extended write access permits the attribute to be written */
     /* provided the proposed SPNs meet certain constraints.      */
  
     foreach spn in spnSet
       if not Is2PartSPN(spn) then
         if (Is3PartSPN(spn) and IsDCAccount(obj)) then
  
           /* Three part SPNs are permitted for DC computer accounts */
           /* However, in addition to the constraints on 2 part SPNs,*/
           /* the service name must meet additional constraints */
  
           serviceName := GetServiceNameFromSPN(spn)
           if not IsValidServiceName(obj, serviceName) then
             return ERROR_DS_INVALID_ATTRIBUTE_SYNTAX
           endif
         else
           return ERROR_DS_INVALID_ATTRIBUTE_SYNTAX
         endif
       endif
  
       instanceName := GetInstanceNameFromSPN(spn)
       if (instanceName ≠ obj!dNSHostName) and
          (not instanceName + "$" = obj!sAMAccountName) and
          (not instanceName in obj!msDS-AdditionalDnsHostName) and
          (not instanceName + "$" in 
              obj!msDS-AdditionalSamAccountName) then
         /* If this is a DC computer account */
         /* the instance name may be a GUID based dns host name */
         if IsDCAccount(obj) then
           if not IsGUIDBasedDNSName(obj, instanceName) then
             return ERROR_DS_INVALID_ATTRIBUTE_SYNTAX
           endif
         else 
           return ERROR_DS_INVALID_ATTRIBUTE_SYNTAX
         endif
       endif
     endfor
     return ERROR_SUCCESS
   endif
  
   return ERROR_DS_INSUFF_ACCESS_RIGHTS
 endif
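The following is an added Python model of the procedure above; it is not code from the specification. The two AccessCheckAttr calls are replaced by boolean parameters, and IsDCAccount, IsValidServiceName, IsGUIDBasedDNSName and the SPN parsing helpers are assumed stand-ins (the service-name and GUID-based-name rules are simplified assumptions). It illustrates why the extended-write path only admits SPNs whose instance name is one of the account's own host or SAM names.

```python
from dataclasses import dataclass, field

@dataclass
class DirectoryObject:
    # Constructed stand-in for obj; attribute names follow the procedure above.
    dNSHostName: str
    sAMAccountName: str
    msDS_AdditionalDnsHostName: set = field(default_factory=set)
    msDS_AdditionalSamAccountName: set = field(default_factory=set)
    is_dc: bool = False          # stands in for IsDCAccount(obj)
    domain_dns_name: str = ""    # used by the assumed IsValidServiceName below
    dsa_guid: str = ""           # used by the assumed IsGUIDBasedDNSName below

def spn_parts(spn):
    # Assumption: components are separated by "/"; an optional ":port" on the
    # instance component is dropped before the name comparison.
    parts = spn.split("/")
    if len(parts) >= 2:
        parts[1] = parts[1].split(":", 1)[0]
    return [p.lower() for p in parts]   # assumption: comparisons are case-insensitive

def extended_write_check(obj, spn_set):
    """The constraint loop run under RIGHT_DS_WRITE_PROPERTY_EXTENDED."""
    own_dns = {obj.dNSHostName.lower()} | {n.lower() for n in obj.msDS_AdditionalDnsHostName}
    own_sam = {obj.sAMAccountName.lower()} | {n.lower() for n in obj.msDS_AdditionalSamAccountName}
    guid_name = f"{obj.dsa_guid}._msdcs.{obj.domain_dns_name}".lower()
    for spn in spn_set:
        parts = spn_parts(spn)
        if len(parts) == 3:
            # Three-part SPNs: DC accounts only, and the service name is constrained.
            # Assumed IsValidServiceName: the service name must equal the domain DNS name.
            if not obj.is_dc or parts[2] != obj.domain_dns_name.lower():
                return "ERROR_DS_INVALID_ATTRIBUTE_SYNTAX"
        elif len(parts) != 2:
            return "ERROR_DS_INVALID_ATTRIBUTE_SYNTAX"
        instance = parts[1]
        if instance not in own_dns and instance + "$" not in own_sam:
            # Assumed IsGUIDBasedDNSName: <DSA GUID>._msdcs.<domain> for DC accounts.
            if not (obj.is_dc and instance == guid_name):
                return "ERROR_DS_INVALID_ATTRIBUTE_SYNTAX"
    return "ERROR_SUCCESS"

def access_check_write_to_spn_attribute(obj, spn_set, has_write, has_extended_write):
    # has_write / has_extended_write stand in for the two AccessCheckAttr calls.
    if has_write:
        return "ERROR_SUCCESS"
    if has_extended_write:
        return extended_write_check(obj, spn_set)
    return "ERROR_DS_INSUFF_ACCESS_RIGHTS"
```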
© 2015 Microsoft