
Commit 2bc80a6

Test-DbaKerberos: Remove CNAME test (#10209)
1 parent d5d9fd3 commit 2bc80a6

1 file changed

Lines changed: 20 additions & 90 deletions


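--- a/public/Test-DbaKerberos.ps1
+++ b/public/Test-DbaKerberos.ps1
@@ -16,10 +16,9 @@ function Test-DbaKerberos {
 - Client-Server time synchronization (5-minute Kerberos threshold)
 - Server-DC time synchronization
 
-DNS (3 checks):
+DNS (2 checks):
 - Forward lookup verification
 - Reverse lookup verification
-- CNAME detection (CNAMEs break Kerberos)
 
 Service Account (3 checks):
 - Service account type validation (gMSA, domain account, built-in accounts)
@@ -174,8 +173,6 @@ function Test-DbaKerberos {
 
 Write-Message -Level Verbose -Message "Starting Kerberos diagnostics for $target"
 
-#region Tier 1 Checks - Essential & Straightforward
-
 #region SPN Checks
 # Check 1: Run Test-DbaSpn
 try {
@@ -225,7 +222,7 @@ function Test-DbaKerberos {
 }
 }
 
-# Check 5: Check AG listener SPNs if applicable
+# Check 2: Check AG listener SPNs if applicable
 if ($PSCmdlet.ParameterSetName -eq "Instance") {
 try {
 Write-Message -Level Verbose -Message "Checking for Availability Group listener SPNs"
@@ -270,7 +267,7 @@ function Test-DbaKerberos {
 #endregion SPN Checks
 
 #region Time Synchronization Checks
-# Check 6: Compare system clocks (client to SQL Server)
+# Check 3: Compare system clocks (client to SQL Server)
 try {
 Write-Message -Level Verbose -Message "Comparing client and server time"
 $clientTime = Get-Date
@@ -334,7 +331,7 @@ function Test-DbaKerberos {
 }
 }
 
-# Check 7: Compare with domain controllers
+# Check 4: Compare with domain controllers
 try {
 Write-Message -Level Verbose -Message "Comparing server time with domain controller"
 # Get domain controller
@@ -451,7 +448,7 @@ function Test-DbaKerberos {
 #endregion Time Synchronization Checks
 
 #region DNS Checks
-# Check 8: DNS forward lookup
+# Check 5: DNS forward lookup
 try {
 Write-Message -Level Verbose -Message "Testing DNS forward lookup"
 $resolvedFqdn = [System.Net.Dns]::GetHostEntry($computerTarget).HostName
@@ -488,7 +485,7 @@ function Test-DbaKerberos {
 }
 }
 
-# Check 9: DNS reverse lookup
+# Check 6: DNS reverse lookup
 try {
 Write-Message -Level Verbose -Message "Testing DNS reverse lookup"
 $ip = [System.Net.Dns]::GetHostAddresses($computerTarget) | Select-Object -First 1
@@ -524,71 +521,10 @@ function Test-DbaKerberos {
 Remediation = "Create PTR record in DNS for proper reverse lookup"
 }
 }
-
-# Check 10: Check for CNAME records
-try {
-Write-Message -Level Verbose -Message "Checking for CNAME records"
-# CNAME detection requires nslookup or DNS cmdlets
-$splatDns = @{
-ComputerName = $computerTarget
-ScriptBlock = {
-param($hostname)
-try {
-$result = nslookup $hostname 2>&1 | Out-String
-if ($result -match "canonical name") {
-return "CNAME"
-} else {
-return "A"
-}
-} catch {
-return "Unknown"
-}
-}
-ArgumentList = $computerTarget
-}
-if ($Credential) {
-$splatDns.Credential = $Credential
-}
-$recordType = Invoke-Command @splatDns
-
-if ($recordType -eq "CNAME") {
-$status = "Fail"
-$details = "CNAME record detected. CNAMEs break Kerberos authentication."
-$remediation = "Replace CNAME with A record in DNS. Kerberos does not support CNAME aliases."
-} elseif ($recordType -eq "A") {
-$status = "Pass"
-$details = "Using A record (not CNAME)"
-$remediation = "None"
-} else {
-$status = "Warning"
-$details = "Unable to determine DNS record type"
-$remediation = "Manually verify no CNAME records are in use"
-}
-
-[PSCustomObject]@{
-ComputerName = $computerTarget
-InstanceName = $instanceName
-Check = "CNAME Detection"
-Category = "DNS"
-Status = $status
-Details = $details
-Remediation = $remediation
-}
-} catch {
-[PSCustomObject]@{
-ComputerName = $computerTarget
-InstanceName = $instanceName
-Check = "CNAME Detection"
-Category = "DNS"
-Status = "Warning"
-Details = "Unable to check for CNAME: $($_.Exception.Message)"
-Remediation = "Manually verify no CNAME records are in use"
-}
-}
 #endregion DNS Checks
 
 #region Service Account Checks
-# Check 11: Verify service account
+# Check 7: Verify service account
 if ($PSCmdlet.ParameterSetName -eq "Instance") {
 try {
 Write-Message -Level Verbose -Message "Verifying SQL Server service account"
@@ -643,7 +579,7 @@ function Test-DbaKerberos {
 }
 }
 
-# Check 12: Check account lock status
+# Check 8: Check account lock status
 if ($PSCmdlet.ParameterSetName -eq "Instance") {
 try {
 Write-Message -Level Verbose -Message "Checking service account lock status"
@@ -717,7 +653,7 @@ function Test-DbaKerberos {
 }
 }
 
-# Check 13: Check "Account is sensitive and cannot be delegated"
+# Check 9: Check "Account is sensitive and cannot be delegated"
 if ($PSCmdlet.ParameterSetName -eq "Instance") {
 try {
 Write-Message -Level Verbose -Message "Checking delegation settings"
@@ -787,7 +723,7 @@ function Test-DbaKerberos {
 #endregion Service Account Checks
 
 #region Authentication Validation
-# Check 14: Test-DbaConnectionAuthScheme
+# Check 10: Test-DbaConnectionAuthScheme
 if ($PSCmdlet.ParameterSetName -eq "Instance") {
 try {
 Write-Message -Level Verbose -Message "Testing current authentication scheme"
@@ -834,12 +770,8 @@ function Test-DbaKerberos {
 }
 #endregion Authentication Validation
 
-#endregion Tier 1 Checks
-
-#region Tier 2 Checks - Practical & Valuable
-
 #region Network Connectivity Checks
-# Check 16: Test Kerberos ports (tcp/88, udp/88)
+# Check 11: Test Kerberos ports (tcp/88, udp/88)
 try {
 Write-Message -Level Verbose -Message "Testing Kerberos port connectivity"
 $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
@@ -877,7 +809,7 @@ function Test-DbaKerberos {
 }
 }
 
-# Check 17: Test LDAP ports (tcp/389, udp/389)
+# Check 12: Test LDAP ports (tcp/389, udp/389)
 try {
 Write-Message -Level Verbose -Message "Testing LDAP port connectivity"
 $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
@@ -915,7 +847,7 @@ function Test-DbaKerberos {
 }
 }
 
-# Check 18: Test Kerberos-Kdc port (tcp/464)
+# Check 13: Test Kerberos-Kdc port (tcp/464)
 try {
 Write-Message -Level Verbose -Message "Testing Kerberos password change port"
 $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
@@ -952,9 +884,10 @@ function Test-DbaKerberos {
 Remediation = "Manually verify TCP/464 connectivity to DC"
 }
 }
+#endregion Network Connectivity Checks
 
 #region Security Policy Checks
-# Check 20: Check encryption types
+# Check 14: Check encryption types
 try {
 Write-Message -Level Verbose -Message "Checking Kerberos encryption types"
 $splatEncryption = @{
@@ -1013,7 +946,7 @@ function Test-DbaKerberos {
 }
 }
 
-# Check 21: Test-ComputerSecureChannel
+# Check 15: Test-ComputerSecureChannel
 try {
 Write-Message -Level Verbose -Message "Testing computer secure channel"
 $splatSecureChannel = @{
@@ -1056,7 +989,7 @@ function Test-DbaKerberos {
 }
 }
 
-# Check 22: Check hosts file
+# Check 16: Check hosts file
 try {
 Write-Message -Level Verbose -Message "Checking hosts file for entries"
 $splatHosts = @{
@@ -1106,7 +1039,7 @@ function Test-DbaKerberos {
 #endregion Security Policy Checks
 
 #region SQL Server Configuration Checks
-# Check 23: Check SQL Server service account
+# Check 17: Check SQL Server service account
 if ($PSCmdlet.ParameterSetName -eq "Instance") {
 try {
 Write-Message -Level Verbose -Message "Validating SQL Server service account configuration"
@@ -1167,7 +1100,7 @@ function Test-DbaKerberos {
 }
 }
 
-# Check 24: Verify network protocols
+# Check 18: Verify network protocols
 if ($PSCmdlet.ParameterSetName -eq "Instance") {
 try {
 Write-Message -Level Verbose -Message "Checking SQL Server network protocol configuration"
@@ -1208,7 +1141,7 @@ function Test-DbaKerberos {
 #endregion SQL Server Configuration Checks
 
 #region Client-Side Checks
-# Check 25: Run klist command
+# Check 19: Run klist command
 try {
 Write-Message -Level Verbose -Message "Checking Kerberos ticket cache with klist"
 $klistOutput = & klist 2>&1 | Out-String
@@ -1250,9 +1183,6 @@ function Test-DbaKerberos {
 }
 }
 #endregion Client-Side Checks
-
-#endregion Tier 2 Checks
-
 } catch {
 Stop-Function -Message "Error testing Kerberos for $target" -ErrorRecord $_ -Continue
 }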
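Review bot: Removing the CNAME check (old lines 527–587 in the `@@ -524,71 +521,10 @@` hunk) drops the only place the file explained that CNAMEs break Kerberos, and neither the remaining DNS checks nor the commit description say how an alias is now surfaced. If the forward-lookup check starting at new line 451 (`$resolvedFqdn = [System.Net.Dns]::GetHostEntry($computerTarget).HostName`) compares the returned name with `$computerTarget` — that comparison lies outside the hunk, so I cannot confirm it — a comment there would keep the coverage discoverable: `# A HostName that differs from the target usually means a CNAME alias is in use; CNAMEs break Kerberos, so this also covers the former CNAME check`. Otherwise the commit description should state why the check was removed (for instance if the `-match "canonical name"` test on nslookup output proved unreliable) and whether a replacement is planned. As a point of style, the `# Check N:` numbers renumbered in every hunk are hand-maintained and were already out of sequence before this change (old 14 → 16, 18 → 20); the `Check =` name already emitted in each result object is a more stable identifier than the sequence number.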
