15

We have an ADFS 2.0 Environment that is used to federate our Active Directory domain with Office 365.

Recently we had an issue where the cluster stopped responding, which in turn broke email/calendar access for all of our users. As we don't have any monitoring for ADFS currently, I am trying to write a PowerShell script that will periodically attempt to authenticate to our ADFS cluster and get a valid token, similar to how the SSO test at testexchangeconnectivity.com works.

It appears that the token is actually issued by

/adfs/services/trust/2005/usernamemixed

but whenever I try to run Invoke-WebRequest or New-WebServiceProxy against this URI and provide local AD credentials I get a 400 Bad Request error.

What do I have to do in order to properly request a token from this endpoint?

4

3 Answers

3

This script should get you on your way: http://gallery.technet.microsoft.com/scriptcenter/Invoke-ADFSSecurityTokenReq-09e9c90c You need .NET Framework 4.5.

You can also use the Connect-MSOL cmdlet to simulate an ADFS login to Office 365 by connecting to a PowerShell session - if you use an ADFS account, an ADFS login takes place.

answered 2013-04-01T11:42:53.870
2

I am developing a product that uses WS-Federation and WS-Trust for federated authentication. I believe your case is part of our workflow.

Over the years I have developed PowerShell automation against our SOAP-based API, and at some point I consolidated that knowledge into the WcfPS module available in the gallery.

The module's code is open source and, although it is written as script, it relies heavily on .NET Framework classes from the System.ServiceModel and System.IdentityModel assemblies. I mention this because most of the APIs in those assemblies are not available in .NET Standard 2, so unfortunately the module cannot run on non-Windows operating systems. You can also read more about it in my article WCFPS-PowerShell module to consume SOAP endpoints.

Here is an example that issues symmetric and bearer tokens, depending on your service provider requirements and relying party configuration. The code requires a basic understanding of the federated security flow, its setup and its terminology.

# Define the ADFS MEX uri
$adfsMexUri="https://adfs.example.com/adfs/services/trust/mex"

#region Define authentication endpoints. One for Windows and one with username/password
$windowsMixed13AuthenticationEndpoint="https://adfs.example.com/adfs/services/trust/13/windowsmixed"
$usernamePasswordMixed13AuthenticationEndpoint="https://adfs.example.com/adfs/services/trust/13/usernamemixed"
#endregion

#region Define service providers for which we want to issue a symmetric and a bearer token respectively
# Symmetric is for SOAP, WS-Trust
# Bearer is for Web, WS-Federation
$soapServiceProviderAppliesTo="https://myserviceprovider/Soap/"
$webServiceProviderAppliesTo="https://myserviceprovider/Web/"
#endregion

# Parse the MEX and locate the service endpoint
$issuerImporter=New-WcfWsdlImporter -Endpoint $adfsMexUri

#region Issue tokens with Windows authentication
$issuerEndpoint=$issuerImporter | New-WcfServiceEndpoint -Endpoint $windowsMixed13AuthenticationEndpoint
$soapToken=New-SecurityToken -Endpoint $issuerEndpoint -AppliesTo $soapServiceProviderAppliesTo -Symmetric
$webToken=New-SecurityToken -Endpoint $issuerEndpoint -AppliesTo $webServiceProviderAppliesTo -Bearer
#endregion

#region Issue tokens with username/password credentials
$credential=Get-Credential
$issuerEndpoint=$issuerImporter | New-WcfServiceEndpoint -Endpoint $usernamePasswordMixed13AuthenticationEndpoint
$soapToken=New-SecurityToken -Endpoint $issuerEndpoint -Credential $credential -AppliesTo $soapServiceProviderAppliesTo -Symmetric
$webToken=New-SecurityToken -Endpoint $issuerEndpoint -Credential $credential -AppliesTo $webServiceProviderAppliesTo -Bearer
#endregion
answered 2017-10-03T07:28:01.927
0

Essentially, you use WSTrustChannelFactory, create a channel, and pass it a RequestSecurityToken.

Leandro has a neat example.

If you are not using .NET 4.5, you need to install Windows Identity Foundation (WIF).

answered 2013-08-14T22:59:24.817