Get ADFS Token in PowerShell


Question

We have an ADFS 2.0 Environment that is used to federate our Active Directory domain with Office 365.

Recently we had an issue where the cluster stopped responding, which in turn broke email/calendar access for all of our users. As we don't have any monitoring for ADFS currently, I am trying to write a PowerShell script that will periodically attempt to authenticate to our ADFS cluster and get a valid token, similar to how the SSO test at testexchangeconnectivity.com works.

It seems the token is actually issued by

/adfs/services/trust/2005/usernamemixed

but whenever I try to run Invoke-WebRequest or New-WebServiceProxy against this URI and provide local AD credentials, I get a 400 Bad Request error.

What do I need to do to correctly request a token from this endpoint?

Recommended answer

I work on a product that does federated authentication using WS-Federation and WS-Trust. I believe your case is part of our workflow.

Over the years, I've developed PowerShell automation against our SOAP-based API, and at some point I consolidated that knowledge into the WcfPS module available on the gallery.

The code for the module is open source and, although it's in script, it depends heavily on .NET Framework classes from the System.ServiceModel and System.IdentityModel assemblies. I mention this because most of the APIs inside those assemblies are not available from .NET Standard 2, so the module unfortunately will not work on non-Windows operating systems. You can also read more about it in my post WCFPS - PowerShell module to work with SOAP endpoints.

This is an example where you can issue symmetric and bearer tokens depending on your service provider requirements and relying party configuration. The code requires basic understanding of federated security flow, setup and terminology.

# The cmdlets below (New-WcfWsdlImporter, New-WcfServiceEndpoint, New-SecurityToken) come from the WcfPS module
Import-Module WcfPS

# Define the ADFS MEX uri
$adfsMexUri="https://adfs.example.com/adfs/services/trust/mex"

#region Define authentication endpoints. One for windows and one with username/password
$windowsMixed13AuthenticationEndpoint="https://adfs.example.com/adfs/services/trust/13/windowsmixed"
$usernamePasswordMixed13AuthenticationEndpoint="https://adfs.example.com/adfs/services/trust/13/usernamemixed"
#endregion

#region Define service providers for which we want to issue a symmetric and a bearer token respectively
# Symmetric is for SOAP, WS-Trust
# Bearer is for Web, WS-Federation
$soapServiceProviderAppliesTo="https://myserviceprovider/Soap/"
$webServiceProviderAppliesTo="https://myserviceprovider/Web/"
#endregion

# Parse the MEX and locate the service endpoint
$issuerImporter=New-WcfWsdlImporter -Endpoint $adfsMexUri

#region Issue tokens with windows authentication (the caller's current logon)
$issuerEndpoint=$issuerImporter | New-WcfServiceEndpoint -Endpoint $windowsMixed13AuthenticationEndpoint
$soapToken=New-SecurityToken -Endpoint $issuerEndpoint -AppliesTo $soapServiceProviderAppliesTo -Symmetric
$webToken=New-SecurityToken -Endpoint $issuerEndpoint -AppliesTo $webServiceProviderAppliesTo -Bearer
#endregion

#region Issue tokens with username/password credentials
$credential=Get-Credential
$issuerEndpoint=$issuerImporter | New-WcfServiceEndpoint -Endpoint $usernamePasswordMixed13AuthenticationEndpoint
$soapToken=New-SecurityToken -Endpoint $issuerEndpoint -Credential $credential -AppliesTo $soapServiceProviderAppliesTo -Symmetric
$webToken=New-SecurityToken -Endpoint $issuerEndpoint -Credential $credential -AppliesTo $webServiceProviderAppliesTo -Bearer
#endregion
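The question was really after a periodic availability probe. The following is an added example (not part of the answer above and not code from the WcfPS project) that wraps the same three WcfPS steps into a health check a scheduled task can run. It assumes WcfPS is installed, that New-SecurityToken returns a System.IdentityModel.Tokens.SecurityToken (so .ValidTo exists), that urn:federation:MicrosoftOnline is the identifier of your Office 365 relying party trust, and that the hostnames and file path are placeholders.

```powershell
# Added example, not from the original answer: an ADFS token-issuance health probe built on WcfPS.
# Assumptions: WcfPS is installed; New-SecurityToken returns a System.IdentityModel.Tokens.SecurityToken
# (so .ValidTo exists); adfs.example.com and the credential path are placeholders.
Import-Module WcfPS

function Test-AdfsTokenIssuance {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,   # a low-privilege account used only for probing
        [string]$MexUri    = 'https://adfs.example.com/adfs/services/trust/mex',
        [string]$Endpoint  = 'https://adfs.example.com/adfs/services/trust/13/usernamemixed',
        # urn:federation:MicrosoftOnline is the identifier commonly used by the Office 365 relying party trust
        [string]$AppliesTo = 'urn:federation:MicrosoftOnline'
    )
    $status = [ordered]@{
        Checked = (Get-Date).ToUniversalTime(); Endpoint = $Endpoint
        Healthy = $false; Millis = $null; TokenValidTo = $null; Error = $null
    }
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Same three steps as the answer: parse MEX, bind the issuer endpoint, request a bearer token.
        # A hung cluster surfaces here as a WCF timeout exception (the binding's default SendTimeout is one minute).
        $importer = New-WcfWsdlImporter -Endpoint $MexUri
        $issuer   = $importer | New-WcfServiceEndpoint -Endpoint $Endpoint
        $token    = New-SecurityToken -Endpoint $issuer -Credential $Credential -AppliesTo $AppliesTo -Bearer
        if (-not $token) { throw 'No token returned by the issuer' }
        $status.TokenValidTo = $token.ValidTo
        # A token that is already expired points at a clock or issuer problem, so it counts as unhealthy too.
        $status.Healthy = $token.ValidTo -gt $status.Checked
    }
    catch {
        # 400 Bad Request, TLS failures, timeouts and rejected credentials all land here and are reported, not thrown.
        $status.Error = $_.Exception.Message
    }
    finally {
        $sw.Stop()
        $status.Millis = $sw.ElapsedMilliseconds
    }
    [pscustomobject]$status
}

# Usage from a scheduled task: store the probe credential once with Export-Clixml (the SecureString is
# DPAPI-protected, readable only by the same account on the same host) and alert when Healthy is $false.
$probeCredential = Import-Clixml -Path 'C:\adfs-probe\probe.cred.xml'
$check = Test-AdfsTokenIssuance -Credential $probeCredential
if (-not $check.Healthy) { Write-Warning ("ADFS token issuance failed: {0}" -f $check.Error) }
$check | Format-List
```

Running the probe on a schedule and alerting on Healthy = $false (or on a rising Millis) catches the "cluster stopped responding" case from the question before users notice the mail and calendar outage.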
