Get ADFS Token in Powershell

Submitted by 吃可爱长大的小学妹 on 2020-01-01 07:55:07

Question


We have an ADFS 2.0 Environment that is used to federate our Active Directory domain with Office 365.

Recently we had an issue where the cluster stopped responding, which in turn broke email/calendar access for all of our users. As we don't have any monitoring for ADFS currently, I am trying to write a PowerShell script that will periodically attempt to authenticate to our ADFS cluster and get a valid token, similar to how the SSO test at testexchangeconnectivity.com works.

It appears that the token is actually issued by

/adfs/services/trust/2005/usernamemixed

but whenever I try to run Invoke-WebRequest or New-WebServiceProxy against this URI and provide local AD credentials, I get a 400 Bad Request error.

What do I have to do in order to properly request a token from this endpoint?


Answer 1:


This script should get you on your way: http://gallery.technet.microsoft.com/scriptcenter/Invoke-ADFSSecurityTokenReq-09e9c90c. You will need .NET Framework 4.5.

You could also simulate an ADFS logon to Office 365 using the Connect-MSOL cmdlet to connect to a PowerShell session; if you use an ADFS account, an ADFS login will occur.




Answer 2:


I work on a product that does federated authentication using WS-Federation and WS-Trust. I believe your case is part of our workflow.

Over the years, I've developed PowerShell automation against our SOAP-based API, and at some point I consolidated that knowledge into the WcfPS module available on the gallery.

The code for the module is open source and, although it's in script, it depends heavily on .NET Framework classes and assemblies from the System.ServiceModel and System.IdentityModel assemblies. I mention this because most of the APIs inside those assemblies are not available from .NET Standard 2, so the module unfortunately will not work on non-Windows operating systems. You can also read more about it in my post WCFPS - PowerShell module to work with SOAP endpoints.

This is an example where you can issue symmetric and bearer tokens depending on your service provider requirements and relying party configuration. The code requires a basic understanding of the federated security flow, setup and terminology.

# Define the ADFS MEX URI
$adfsMexUri="https://adfs.example.com/adfs/services/trust/mex"

#region Define authentication endpoints. One for Windows and one with username/password
$windowsMixed13AuthenticationEndpoint="https://adfs.example.com/adfs/services/trust/13/windowsmixed"
$usernamePasswordMixed13AuthenticationEndpoint="https://adfs.example.com/adfs/services/trust/13/usernamemixed"
#endregion

#region Define service providers for which we want to issue a symmetric and a bearer token respectively
# Symmetric is for SOAP, WS-Trust
# Bearer is for Web, WS-Federation
$soapServiceProviderAppliesTo="https://myserviceprovider/Soap/"
$webServiceProviderAppliesTo="https://myserviceprovider/Web/"
#endregion

# Parse the MEX and locate the service endpoint
$issuerImporter=New-WcfWsdlImporter -Endpoint $adfsMexUri

#region Issue tokens with Windows authentication
$issuerEndpoint=$issuerImporter | New-WcfServiceEndpoint -Endpoint $windowsMixed13AuthenticationEndpoint
$soapToken=New-SecurityToken -Endpoint $issuerEndpoint -AppliesTo $soapServiceProviderAppliesTo -Symmetric
$webToken=New-SecurityToken -Endpoint $issuerEndpoint -AppliesTo $webServiceProviderAppliesTo -Bearer
#endregion

#region Issue tokens with username/password credentials
$credential=Get-Credential
$issuerEndpoint=$issuerImporter | New-WcfServiceEndpoint -Endpoint $usernamePasswordMixed13AuthenticationEndpoint
$soapToken=New-SecurityToken -Endpoint $issuerEndpoint -Credential $credential -AppliesTo $soapServiceProviderAppliesTo -Symmetric
$webToken=New-SecurityToken -Endpoint $issuerEndpoint -Credential $credential -AppliesTo $webServiceProviderAppliesTo -Bearer
#endregion



Answer 3:


Essentially, you use the WSTrustChannelFactory, create a channel, and pass it a RequestSecurityToken.

Leandro has a nice, concise sample.

You'll need to install Windows Identity Foundation (WIF) if you aren't using .NET 4.5.



Source: https://stackoverflow.com/questions/13518877/get-adfs-token-in-powershell
