5.5 AccessCheckWriteToSpnAttribute
procedure AccessCheckWriteToSpnAttribute( obj: DSName, spnSet: set of unicodestring) : boolean
The AccessCheckWriteToSpnAttribute procedure performs an access check to determine if the client security context, which MUST be retrieved using the method described in [MS-RPCE] section 3.3.3.4.3, has the right to modify the servicePrincipalName attribute of object obj with the SPN values specified in spnSet, taking into consideration both regular and extended write property rights.
if AccessCheckAttr(obj, servicePrincipalName, RIGHT_DS_WRITE_PROPERTY) then
  return ERROR_SUCCESS
else if AccessCheckAttr(obj, servicePrincipalName, RIGHT_DS_WRITE_PROPERTY_EXTENDED) then
  /* Extended write access permits the attribute to be written */
  /* provided the proposed SPNs meet certain constraints. */
  foreach spn in spnSet
    if not Is2PartSPN(spn) then
      if (Is3PartSPN(spn) and IsDCAccount(obj)) then
        /* Three part SPNs are permitted for DC computer accounts */
        /* However, in addition to the constraints on 2 part SPNs,*/
        /* the service name must meet additional constraints */
        serviceName := GetServiceNameFromSPN(spn)
        if not IsValidServiceName(obj, serviceName) then
          return ERROR_DS_INVALID_ATTRIBUTE_SYNTAX
        endif
      else
        return ERROR_DS_INVALID_ATTRIBUTE_SYNTAX
      endif
    endif
    instanceName := GetInstanceNameFromSPN(spn)
    if (instanceName ≠ obj!dNSHostName)
       and (not instanceName + "$" = obj!sAMAccountName)
       and (not instanceName in obj!msDS-AdditionalDnsHostName)
       and (not instanceName + "$" in obj!msDS-AdditionalSamAccountName) then
      /* If this is a DC computer account */
      /* the instance name might be a GUID based dns host name */
      if IsDCAccount(obj) then
        if not IsGUIDBasedDNSName(obj, instanceName) then
          return ERROR_DS_INVALID_ATTRIBUTE_SYNTAX
        endif
      else
        return ERROR_DS_INVALID_ATTRIBUTE_SYNTAX
      endif
    endif
  endfor
  return ERROR_SUCCESS
endif
return ERROR_DS_INSUFF_ACCESS_RIGHTS
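As an added example (not part of MS-ADTS), a Python model of the procedure above, written from the defender's side: it shows why a caller holding only the extended (validated) write right can register SPNs for the object's own host names but not an SPN naming another host. IsValidServiceName and IsGUIDBasedDNSName, which the specification defines elsewhere, are replaced here by simplified assumed stand-ins; the domain name corp.example, the DsObject class and the rights set are constructed for the example, and name comparisons are assumed to be case-insensitive.

```python
import re
from dataclasses import dataclass, field

@dataclass
class DsObject:
    """Constructed stand-in for the AD object 'obj' plus the caller's rights on it."""
    dNSHostName: str
    sAMAccountName: str
    msDS_AdditionalDnsHostName: set = field(default_factory=set)
    msDS_AdditionalSamAccountName: set = field(default_factory=set)
    is_dc: bool = False                       # IsDCAccount(obj)
    rights: set = field(default_factory=set)  # what AccessCheckAttr(obj, servicePrincipalName, ...) would grant

# Assumed stand-ins for IsValidServiceName / IsGUIDBasedDNSName (defined elsewhere in MS-ADTS).
DOMAIN_DNS = "corp.example"                   # constructed domain name
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def is_valid_service_name(obj, name):
    return name.lower() == DOMAIN_DNS

def is_guid_based_dns_name(obj, name):
    label, _, suffix = name.partition(".")
    return suffix == f"_msdcs.{DOMAIN_DNS}" and bool(GUID_RE.match(label))

def own_names(obj):
    """Names an SPN instance name may legitimately refer to under extended write."""
    dns = {obj.dNSHostName} | set(obj.msDS_AdditionalDnsHostName)
    sam = {obj.sAMAccountName} | set(obj.msDS_AdditionalSamAccountName)
    return {n.lower() for n in dns}, {n.lower() for n in sam}

def access_check_write_to_spn_attribute(obj, spn_set):
    if "WRITE_PROPERTY" in obj.rights:        # full write: no constraints on the values
        return "ERROR_SUCCESS"
    if "WRITE_PROPERTY_EXTENDED" not in obj.rights:
        return "ERROR_DS_INSUFF_ACCESS_RIGHTS"
    dns_names, sam_names = own_names(obj)
    for spn in spn_set:
        parts = spn.split("/")
        if len(parts) == 3:                   # 3-part SPN: DC accounts only, service name checked
            if not (obj.is_dc and is_valid_service_name(obj, parts[2])):
                return "ERROR_DS_INVALID_ATTRIBUTE_SYNTAX"
        elif len(parts) != 2:                 # neither a 2-part nor a 3-part SPN
            return "ERROR_DS_INVALID_ATTRIBUTE_SYNTAX"
        instance = parts[1].split(":")[0].lower()  # GetInstanceNameFromSPN: drop any port
        if instance not in dns_names and instance + "$" not in sam_names:
            if not (obj.is_dc and is_guid_based_dns_name(obj, instance)):
                return "ERROR_DS_INVALID_ATTRIBUTE_SYNTAX"
    return "ERROR_SUCCESS"
```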