
I have a mock Active Directory domain, CONTOSO. I have a domain-joined web server, WEBSERVER1, running IIS 10, and there is a Python Flask app hosted on there.

The app pool for that Flask app is set to a service account that I created (contoso\ServiceAcc), so the Flask app will be running under that identity.

I have set the following SPNs:

  1. setspn -a http/WEBSERVER1 contoso\ServiceAcc
  2. setspn -a http/WEBSERVER1.contoso contoso\ServiceAcc

I have also enabled unrestricted delegation on the service account (Trust this computer for delegation to any service (Kerberos only)).

My question pertains to getting a particular feature working in my web app. I want to allow my users to be able to update their phone number(s) in Active Directory.

Here's the snippet I have so far (within my app) that does the updating:

import subprocess

#...

currentUser = 'john.smith'  # hardcoded for this example
officeNumber = '222-333-4444'
cmd = [
    'powershell.exe'
    , '-Command'
    , f'Set-ADUser {currentUser} -officePhone {officeNumber}'
]
# powershell.exe starts as a child of the Flask process, so it inherits
# the app pool identity (contoso\ServiceAcc), not the browser user's.
p = subprocess.run(cmd, capture_output=True, text=True)
# p.returncode and p.stderr hold the error text when Set-ADUser fails.

#...

The code snippet updates the phone number for the user john.smith through PowerShell's Set-ADUser cmdlet, executed via subprocess.

If contoso\john.smith has access to the PowerShell Active Directory (AD) tools and Python, they should be able to run the script above under their own identity on their own (domain-joined) machine. Otherwise, this snippet fails whenever the user tries to update their phone number on the web app.

I suspect that it has to do with the double hop problem but I'm unsure which service principal classes I would use or if it's something else entirely.

moosearch

0 Answers
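Two things a reader should check before chasing delegation settings, shown as an added example that is not the asker's code. First, the posted snippet builds the -Command text with an f-string, so once currentUser and officeNumber come from the HTTP request, a phone number such as "222; Remove-ADUser john.smith" is parsed by PowerShell as a second statement. Passing the values through environment variables keeps the command text constant, and an allow-list rejects anything that is not a plausible account name or phone number. Second, whatever the delegation setting on ServiceAcc, the powershell.exe child inherits the token of the Python process, which under IIS is the app pool identity; the current_windows_identity helper lets the app report that name so the double-hop symptom is visible rather than guessed at. The AD_* variable names, the regexes and the fake_run stub (used so the file runs offline, where no powershell.exe exists) are assumptions of this example.

```python
import os
import re
import subprocess

# Added example, not code from the original question. Constructed
# inputs; the AD_* environment variable names are this example's choice.

# Tight allow-lists: a sAMAccountName and an office phone never need
# quotes, semicolons, '$' or backticks, which is what a -Command
# injection would rely on.
SAM_ACCOUNT_RE = re.compile(r"[A-Za-z0-9._-]{1,20}")
PHONE_RE = re.compile(r"\+?[0-9][0-9 ().-]{4,30}")

# The data reaches PowerShell through the environment, so the command
# text handed to powershell.exe is a constant and never contains user input.
SET_PHONE_SCRIPT = (
    "Import-Module ActiveDirectory; "
    "Set-ADUser -Identity $env:AD_TARGET_USER -OfficePhone $env:AD_OFFICE_PHONE"
)
# Reports which Windows identity the child process actually runs as; under
# IIS that is the app pool account, which is the double-hop symptom.
WHOAMI_SCRIPT = "[System.Security.Principal.WindowsIdentity]::GetCurrent().Name"


def validate(sam_account, office_phone):
    """Raise ValueError for anything outside the allow-lists."""
    if not SAM_ACCOUNT_RE.fullmatch(sam_account):
        raise ValueError(f"rejected account name {sam_account!r}")
    if not PHONE_RE.fullmatch(office_phone):
        raise ValueError(f"rejected phone number {office_phone!r}")


def build_command(script):
    """argv for a non-interactive powershell.exe running a fixed script."""
    return ["powershell.exe", "-NoProfile", "-NonInteractive", "-Command", script]


def build_env(sam_account, office_phone):
    """Child environment carrying the validated values out-of-band."""
    validate(sam_account, office_phone)
    env = dict(os.environ)  # keep PATH, SystemRoot etc. for powershell.exe
    env["AD_TARGET_USER"] = sam_account
    env["AD_OFFICE_PHONE"] = office_phone
    return env


def set_office_phone(sam_account, office_phone, run=subprocess.run):
    """Run Set-ADUser and surface failures instead of swallowing them."""
    env = build_env(sam_account, office_phone)
    p = run(build_command(SET_PHONE_SCRIPT), capture_output=True, text=True, env=env)
    if p.returncode != 0:
        raise RuntimeError(f"Set-ADUser failed ({p.returncode}): {p.stderr.strip()}")
    return p.stdout


def current_windows_identity(run=subprocess.run):
    """Name of the token the child inherits (the app pool account under IIS)."""
    p = run(build_command(WHOAMI_SCRIPT), capture_output=True, text=True)
    return p.stdout.strip()


if __name__ == "__main__":
    # Offline demonstration with a stub standing in for powershell.exe.
    def fake_run(argv, **kwargs):
        env = kwargs.get("env", {})
        out = f"{argv[-1]} | {env.get('AD_TARGET_USER')} -> {env.get('AD_OFFICE_PHONE')}"
        return subprocess.CompletedProcess(argv, 0, stdout=out, stderr="")

    print(set_office_phone("john.smith", "222-333-4444", run=fake_run))
    for bad in ("222; Remove-ADUser john.smith", "$(whoami)", "`whoami`"):
        try:
            set_office_phone("john.smith", bad, run=fake_run)
        except ValueError as e:
            print("blocked:", e)
```

Even with the injection path closed, Set-ADUser here still authenticates as whatever token the Flask process holds. Unconstrained delegation on ServiceAcc only matters if the app actually impersonates the Kerberos-authenticated caller before spawning the child; otherwise the write succeeds only if ServiceAcc itself has been granted write access to the phone attributes of the users it edits. Separately, unconstrained delegation caches every delegating user's TGT on WEBSERVER1, so if the delegation setting is changed at all, constrained delegation is the safer direction.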