terraform-provider-ad
Investigate the use of PSRP instead of WinRM
As @briantist mentioned in https://github.com/hashicorp/terraform-provider-ad/issues/53#issuecomment-762507375
> There is another alternative, which is to connect to the domain controller with PSRP (PowerShell Remoting Protocol) instead of over pure WinRM + launch powershell.exe.
>
> This would allow one to use constrained endpoints and JEA to allow unprivileged users to connect to the domain controllers, and execute a limited set of commands, where the account that runs the commands can have just domain privileges needed (and can even be a virtual account).
>
> By crafting the role definitions and role capabilities files carefully, it could be possible to set up a policy without even writing PowerShell-side wrapper functions (although that's also easy to do).
>
> This also better allows for connections that don't directly hit a DC, since when using a RunAs account, you avoid the double-hop issue, so the server you connect to wouldn't have to be a DC (this wouldn't work with a virtual account, but would with a pre-defined domain service account).
>
> The main impediment to this though, is that I don't think there is any existing Go library that implements this protocol on the level of something like pypsrp.
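The constrained endpoint the quoted comment describes, as an added example (not code from terraform-provider-ad or from the comment's author): a JEA role capability that exposes a handful of AD cmdlets, mapped to a group in a session configuration that runs as a virtual account. The module name, the group CONTOSO\Terraform-AD, the OU path, the gMSA and the user name are assumptions.

```powershell
# Added example, not code from terraform-provider-ad or from the quoted comment.
# Assumed names: module TerraformADJea, group CONTOSO\Terraform-AD, the OU users may be
# created in, the gMSA CONTOSO\gmsaTerraform$ and the test user CONTOSO\tf-svc.
$moduleName = 'TerraformADJea'
$moduleRoot = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcDir      = Join-Path $moduleRoot 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
# JEA discovers role capability (.psrc) files in a module's RoleCapabilities folder.
New-ModuleManifest -Path (Join-Path $moduleRoot "$moduleName.psd1") -Description 'JEA roles for AD provisioning'

# Role capability: the entire command surface an unprivileged user gets on this endpoint.
# Listing Parameters for a cmdlet exposes only those parameters; ValidatePattern pins
# New-ADUser to a single OU so the role cannot create objects elsewhere in the directory.
$roleParams = @{
    Path            = Join-Path $rcDir 'ADProvisioning.psrc'
    ModulesToImport = 'ActiveDirectory'
    VisibleCmdlets  = @(
        'Get-ADUser', 'Get-ADGroup', 'Get-ADOrganizationalUnit'
        @{ Name = 'New-ADUser'; Parameters = @(
            @{ Name = 'Name' }, @{ Name = 'SamAccountName' }, @{ Name = 'AccountPassword' },
            @{ Name = 'Path'; ValidatePattern = '^OU=Terraform,DC=contoso,DC=com$' } ) }
        @{ Name = 'Remove-ADUser'; Parameters = @( @{ Name = 'Identity' }, @{ Name = 'Confirm' } ) }
    )
}
New-PSRoleCapabilityFile @roleParams

# Session configuration: RestrictedRemoteServer implies NoLanguage mode (no script blocks
# or arbitrary expressions), and RoleDefinitions maps the role to the group allowed in.
# RunAsVirtualAccount runs commands under a temporary account that exists only on the host
# where the endpoint is registered, so this variant must be registered on a DC. For a
# member server replace that line with
#   GroupManagedServiceAccount = 'CONTOSO\gmsaTerraform$'
# so the commands carry domain credentials to the DC (the double-hop case in the quote).
$sessionFile = Join-Path $moduleRoot 'TerraformAD.pssc'
$sessionParams = @{
    Path                = $sessionFile
    SessionType         = 'RestrictedRemoteServer'
    RunAsVirtualAccount = $true
    RoleDefinitions     = @{ 'CONTOSO\Terraform-AD' = @{ RoleCapabilities = 'ADProvisioning' } }
    TranscriptDirectory = 'C:\JEATranscripts'   # over-the-shoulder transcript of every session
}
New-PSSessionConfigurationFile @sessionParams
if (-not (Test-PSSessionConfigurationFile -Path $sessionFile)) { throw "invalid session file: $sessionFile" }
Register-PSSessionConfiguration -Name 'TerraformAD' -Path $sessionFile -Force   # needs an elevated shell

# Verify what a member of the group would actually see before pointing a client at it.
Get-PSSessionCapability -ConfigurationName 'TerraformAD' -Username 'CONTOSO\tf-svc' |
    Select-Object Name, CommandType
# A client then connects with -ConfigurationName 'TerraformAD' rather than launching
# powershell.exe over a plain WinRM shell.
```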
Thanks for opening this @koikonom. The links from the quote above are missing:
- About JEA role definitions and role capabilities
- The pypsrp library: https://github.com/jborean93/pypsrp/tree/master/pypsrp
The author of pypsrp also wrote a fantastic blog post going into detail about the protocol and the journey of writing that library:
- https://www.bloggingforlogging.com/2018/08/14/powershell-remoting-on-python/
pypsrp is what powers the psrp connection plugin in Ansible.