chore(e2e): Added the option to make member server kerberos only (#5997)

dillanb-hashi · web-flow · commit 8d6f0d4e28ff · 2025-08-22T14:06:32.000-07:00
* chore(e2e): Added the option to make member server kerberos only
diff --git a/enos/enos-scenario-e2e-aws-rdp-base.hcl b/enos/enos-scenario-e2e-aws-rdp-base.hcl
@@ -14,8 +14,9 @@ scenario "e2e_aws_rdp_base" {
   ]
 
   matrix {
-    builder = ["local", "crt"]
-    client  = ["win10", "win11"]
+    builder       = ["local", "crt"]
+    client        = ["win10", "win11"]
+    kerberos_only = ["true", "false"]
     # Windows Server 2016 does not support OpenSSH, but it's relied on for some
     # parts of setup. If 2016 is selected, the member server will be created as
     # 2016, but the domain controller and worker will be 2019.
@@ -266,6 +267,7 @@ scenario "e2e_aws_rdp_base" {
     variables {
       vpc_id                              = step.create_base_infra.vpc_id
       server_version                      = matrix.rdp_server
+      kerberos_only                       = matrix.kerberos_only == "true" ? true : false
       active_directory_domain             = step.create_rdp_domain_controller.domain_name
       domain_controller_aws_keypair_name  = step.create_rdp_domain_controller.keypair_name
       domain_controller_ip                = step.create_rdp_domain_controller.private_ip
diff --git a/enos/modules/aws_rdp_domain_controller/main.tf b/enos/modules/aws_rdp_domain_controller/main.tf
@@ -36,7 +36,9 @@ data "aws_subnets" "infra" {
 }
 
 locals {
-  username = split(":", data.aws_caller_identity.current.user_id)[1]
+  username     = split(":", data.aws_caller_identity.current.user_id)[1]
+  domain_parts = split(".", var.active_directory_domain)
+  domain_sld   = local.domain_parts[0] # second-level domain (example.com --> example)
 }
 
 // We need a keypair to obtain the local administrator credentials to an AWS Windows based EC2 instance. So we generate it locally here
@@ -273,7 +275,7 @@ resource "aws_instance" "domain_controller" {
                   Add-WindowsFeature -name ad-domain-services -IncludeManagementTools
 
                   # causes the instance to reboot
-                  Install-ADDSForest -CreateDnsDelegation:$false -DomainMode 7 -DomainName ${var.active_directory_domain} -DomainNetbiosName ${var.active_directory_netbios_name} -ForestMode 7 -InstallDns:$true -NoRebootOnCompletion:$false -SafeModeAdministratorPassword $password -Force:$true
+                  Install-ADDSForest -CreateDnsDelegation:$false -DomainMode 7 -DomainName ${var.active_directory_domain} -DomainNetbiosName ${local.domain_sld} -ForestMode 7 -InstallDns:$true -NoRebootOnCompletion:$false -SafeModeAdministratorPassword $password -Force:$true
                 </powershell>
               EOF
 
diff --git a/enos/modules/aws_rdp_domain_controller/variables.tf b/enos/modules/aws_rdp_domain_controller/variables.tf
@@ -46,10 +46,4 @@ variable "active_directory_domain" {
   type        = string
   description = "The name of the Active Directory domain to be created on the Windows Domain Controller."
   default     = "mydomain.com"
-}
-
-variable "active_directory_netbios_name" {
-  type        = string
-  description = "Ostensibly the short-hand for the name of the domain."
-  default     = "mydomain"
-}
+}
diff --git a/enos/modules/aws_rdp_member_server/main.tf b/enos/modules/aws_rdp_member_server/main.tf
@@ -192,6 +192,12 @@ ${var.domain_admin_password}
                   (Get-WmiObject Win32_ComputerSystem).Domain
                   Get-Process -Name *ssh* -ErrorAction SilentlyContinue
 
+                  # Enable Kerberos only authentication if required
+                  %{if var.kerberos_only~}
+                    Set-ItemProperty  -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"  -Name RestrictSendingNTLMTraffic -Value 2
+                    Set-ItemProperty  -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"  -Name RestrictReceivingNTLMTraffic -Value 2
+                  %{endif~}
+
                   # Enable audio
                   Set-Service -Name "Audiosrv" -StartupType Automatic
                   Start-Service -Name "Audiosrv"
diff --git a/enos/modules/aws_rdp_member_server/variables.tf b/enos/modules/aws_rdp_member_server/variables.tf
@@ -71,3 +71,9 @@ variable "domain_controller_sec_group_id_list" {
   type        = list(any)
   description = "ID's of AWS Network Security Groups created during creation of the domain controller."
 }
+
+variable "kerberos_only" {
+  type        = bool
+  description = "Only allow kerberos auth"
+  default     = false
+}
