This script automates the process of rotating keytab files on Unified Access Gateway, including creating new keytabs and updating the related IIS configuration.
The script will perform the following operations:
After the script executes successfully, the Web Reverse Proxy instances configured on Unified Access Gateway and associated with the keytab SPN restart to establish a new connection with the KDC based on the new keytab; after that the internal web applications are available to external users again.
To execute this script successfully, you need to:
The module contains the following commands:
New-Keytabfile - generate new keytab files based on the supplied parameters; behind the scenes it uses the ktpass utility
Connect-UAG - validate the connection to UAG and obtain an authorization token for use with the other UAG-related commands
Get-Keytabs - return the list of SPNs available on UAG
Import-Keytab - upload the new keytab file to UAG
Update-IIS - update the DefaultAppPool identity with the new credentials and reset IIS - the Application Pool name can be overridden using the parameter -appPoolName
Launch a PowerShell console as an administrator user, open the runsample.ps1 file, and update the following variables that will be used by the commands:
Once the variable values in runsample.ps1 are updated, save the file and run the script as:
Example:
.\runsample.ps1
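The rotation sequence described above, written as an added PowerShell example (this is not the module's own runsample.ps1): it chains the module's commands in order and refuses to touch anything until UAG has confirmed that the SPN is configured. Only -appPoolName is documented in this README; every other parameter name used below (-Url, -Credential, -Token, -Spn, -MapUser, -Password, -OutFile, -FilePath, -UserName) is an assumption about the module's signatures and must be checked against the module's own help before use.

```powershell
# Added example; assumes the module from this README is already imported.
# Parameter names other than -appPoolName are ASSUMED (see lead-in);
# confirm them with Get-Help <command> -Full before running.
function Invoke-KeytabRotation {
    param(
        [Parameter(Mandatory)] [string]       $UagUrl,         # e.g. https://uag.example.internal:9443 (constructed)
        [Parameter(Mandatory)] [pscredential] $UagAdmin,       # UAG admin credential
        [Parameter(Mandatory)] [string]       $Spn,            # e.g. HTTP/intranet.example.internal@EXAMPLE.INTERNAL
        [Parameter(Mandatory)] [string]       $ServiceAccount, # e.g. EXAMPLE\svc-iis-bridge (constructed)
        [string] $AppPoolName = 'DefaultAppPool',
        [string] $KeytabDir   = (Join-Path $env:ProgramData 'KeytabRotation')
    )

    # 1. Authenticate to UAG first, so a wrong URL or credential fails before any key material changes.
    $token = Connect-UAG -Url $UagUrl -Credential $UagAdmin

    # 2. Rotate only SPNs that UAG already knows about.
    $known = Get-Keytabs -Url $UagUrl -Token $token
    if ($known -notcontains $Spn) {
        throw "SPN '$Spn' is not configured on UAG; refusing to rotate."
    }

    # 3. ktpass /pass resets the mapped account's password, so every service that logs on
    #    as this account (here the IIS app pool) must receive the same new value.
    #    64-character alphabet keeps the byte->char mapping unbiased and ktpass-safe.
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_')
    $bytes    = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })

    New-Item -ItemType Directory -Path $KeytabDir -Force | Out-Null
    $stamp      = Get-Date -Format 'yyyyMMddHHmmss'
    $keytabPath = Join-Path $KeytabDir (($Spn -replace '[\\/@:]', '_') + "-$stamp.keytab")

    # 4. Generate the keytab (the module wraps ktpass), upload it to UAG, then repoint the app pool.
    New-Keytabfile -Spn $Spn -MapUser $ServiceAccount -Password $newPassword -OutFile $keytabPath
    Import-Keytab  -Url $UagUrl -Token $token -FilePath $keytabPath
    Update-IIS     -appPoolName $AppPoolName -UserName $ServiceAccount -Password $newPassword

    # 5. The keytab is a credential: remove the local copy once UAG holds it.
    Remove-Item -Path $keytabPath -Force
    return [pscustomobject]@{ Spn = $Spn; AppPool = $AppPoolName; RotatedAt = Get-Date }
}
```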
For additional details on the concept and the use cases for this script, check out the Tech Zone blog post "Automating Keytab Rotation for Identity Bridging on VMware Unified Access Gateway".