Friday, January 12, 2018

Certificates : Finding a thumbprint and using PowerShell

I always use mmc as the wizard to manage certificates but I needed to do some certificate work and I wondered if there was a way of automating it.

Turns out you can with PowerShell.

Instead of \cd to a drive, you go to the certificate store with:

cd CERT:\\


PS Cert:\> dir

Location   : CurrentUser
StoreNames : {ACRS, SmartCardRoot, Root, Trust...}

Location   : LocalMachine
StoreNames : {TrustedPublisher, ClientAuthIssuer, Remote Desktop, Root...}

Then we can do things like:

dir .\\CurrentUser\My

dir .\\LocalMachine\My

which gives a list:

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\My

Thumbprint                          Subject
----------                                -------

If we want to see the structure, we can do:

PS Cert:\currentuser> get-childitem

which gives:

Name : ACRS

Name : SmartCardRoot

Name : Root

Name : Trust

Name : AuthRoot

Name : CA

Name : UserDS

Name : Disallowed

Name : My

Name : TrustedPeople

Name : TrustedPublisher

Name : ClientAuthIssuer

If we want to find a certificate with a particular thumbprint, we can use:

Get-ChildItem -Path 'thumbprint' -recurs

which gives:

PS Cert:\> Get-ChildItem -Path 'CD...72' -recurse

PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\Root

Thumbprint                                Subject
----------                                -------
CD...72  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com

PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                                Subject
----------                                -------
CD...72  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com

or we can get a list:

Get-ChildItem -Path 'thumbprint' -recurse | Format-List -Property *

which gives:

PSPath                   : Microsoft.PowerShell.Security\Certificate::CurrentUser\Root\CD...72
PSParentPath             : Microsoft.PowerShell.Security\Certificate::CurrentUser\Root
PSChildName              : CD...72
PSDrive                  : Cert
PSProvider               : Microsoft.PowerShell.Security\Certificate
PSIsContainer            : False
EnhancedKeyUsageList     : {}
DnsNameList              : {Microsoft Root Certificate Authority}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 :
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                           System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
FriendlyName             : Microsoft Root Certificate Authority
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : 10/05/2031 11:28:13 AM
NotBefore                : 10/05/2011 11:19:22 AM
HasPrivateKey            : False
PrivateKey               :
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : {48, ... 153}
SerialNumber             : 79...65
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm       : System.Security.Cryptography.Oid
Thumbprint               : CD...72
Version                  : 3
Handle                   : 25...92
Issuer                   : CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com

Subject                  : CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com


Monday, January 08, 2018

stackoverflow : Privileges

Stackoverflow has levels of privilege. As your reputation goes up, you get to be able to do more.

The top level is 25,000 that I just achieved.

My current ranking is 4242 out of the 8 million odd that have used stackoverflow.

So I need a new goal :-).

I decided that my next goal is to answer 1,000 questions.

Coincidentally, my stats show that I clocked up 750,000 page views as well.



Friday, December 08, 2017

ADFS : InvalidContextException: MSIS7001

The full error message is:

Microsoft.IdentityServer.Web.CookieManagers.InvalidContextException: MSIS7001: The passive protocol context was not found or not valid. If the context was stored in cookies, the cookies that were presented by the client were not valid. Ensure that the client browser is configured to accept cookies from this website and retry this request.

I've often wondered what this means?

Then I had a issue which I could repeat and with the help of @Pierre, I sorted it out.

My path was:

Application --> ADFS --> SAML --> Another IDP -->  Another IDP

The request was:


This results in:

Set-Cookie:; path=/adfs; HttpOnly; Secure

Notice that the RelayState is added to the name of the cookie.

Somewhere upstream, the RelayState changed.

When the response comes back to ADFS, ADFS checks for a cookie with the new RelayState name that doesn't exist.

Hence the error.


Wednesday, November 22, 2017

Fiddler : Some tips

Doing some Fiddler traces recently and these tips helped me.

Modern browsers are far stricter about security and using Fiddler sometimes blocks a process that works fine without.

These settings help:

Also, sometimes you can't get round an issue.

What you can do is use IE's Developer Tools (F12).

Network tab - "Export captured traffic".

Then import the saved file into Fiddler.

If you use Chrome, you can save the trace as a .har file.

You can "Import Sessions" on Fiddler and then select  "HTTPArchive".


Monday, November 20, 2017


This tool has been extended with more scripts and tooling.

For the log tools:

"AdfsEventsModule Overview

This module provides tools for gathering related ADFS events from the security, admin, and debug logs, across multiple servers. This tool also allows the user to reconstruct the HTTP request/response headers from the logs.

Cmdlets in AdfsEventsModule

This module exposes two cmdlets:




The detailed parameters for each are provided below.

The Get-ADFSEvents cmdlet is used to aggregate events by correlation ID, while the Write-ADFSEventsSummary cmdlet is used to generate a PowerShell Table of only the most relevant logging information from the events that are piped in."

For the Diagnostics,  this downloads a PowerShell module that you need to import:

import-module -name .\ADFSDiagnostics.psm1 -verbose
VERBOSE: Loading module from path 'C:\junk\ADFSDiagnostics.psm1'.
VERBOSE: Importing function 'Get-AdfsServerConfiguration'.
VERBOSE: Importing function 'Get-AdfsServerTrace'.
VERBOSE: Importing function 'Get-AdfsSystemInformation'.
VERBOSE: Importing function 'Get-AdfsVersionEx'.
VERBOSE: Importing function 'Receive-AdfsServerTrace'.
VERBOSE: Importing function 'Set-ADFSDiagTestMode'.
VERBOSE: Importing function 'Start-AdfsServerTrace'.
VERBOSE: Importing function 'Test-AdfsServerHealth'.
VERBOSE: Importing function 'Test-AdfsServerHealthSingleCheck'.
VERBOSE: Importing function 'Test-AdfsServerToken'.

Some examples:


OSVersion                 : 10.0.14393.0
OSName                    : Microsoft Windows Server 2016 Datacenter
MachineDomain             : dev.local
IPAddress                 :
TimeZone                  : Coordinated Universal Time
LastRebootTime            : 10/24/2017 6:49:22 PM
MachineType               : Virtual Machine
NumberOfLogicalProcessors : 1
MaxClockSpeed             : 2394
PhsicalMemory             : 1792
Hosts                     : {}
Hotfixes                  : {KB4023834, KB3199986, KB4013418, KB4035631...}
AdfsWmiProperties         : {ConfigurationDatabaseConnectionString, ConfigurationServiceAddress,
SslBindings               : {System.Collections.Hashtable, System.Collections.Hashtable, System.Collections.Hashtable,
AdfssrvServiceAccount     : DEV\xxx
AdfsVersion               : 3.0
Role                      : STS
Top10ProcessesByMemory    : {@{Name=Microsoft.Sirona.OMS.Security.BaselineAssessment; MemoryInMB=80.625;
                            @{Name=Microsoft.Identity.AadConnect.Health.AadSync.Host; MemoryInMB=76.25390625;
                            MemoryPercentOfTotal=4.25524030412946}, @{Name=miiserver; MemoryInMB=57.1640625;
                            MemoryPercentOfTotal=3.18995884486607}, @{Name=MsMpEng; MemoryInMB=47.8046875;
AdHealthAgentInformation  : AdHealthAgentInformation


ADFSSyncProperties                        : Microsoft.IdentityServer.Management.Resources.SyncPropertiesBase
ADFSAttributeStore                        : {Microsoft.IdentityServer.Management.Resources.AttributeStore,
ADFSCertificate                           : {@{Certificate=[Subject]


                                            [Serial Number]

                                            [Not Before]
                                              8/21/2017 12:00:00 PM

                                            [Not After]
                                              8/28/2027 12:00:00 PM

                                            ; CertificateType=Service-Communications; IsPrimary=True; StoreName=My;
                                              CN=ADFS Encryption - xxx

                                              CN=ADFS Encryption - xxx

                                            [Serial Number]

                                            [Not Before]
                                              11/2/2017 8:31:02 PM

                                            [Not After]
                                              11/2/2018 8:31:02 PM

                                            ; CertificateType=Token-Decrypting; IsPrimary=True; StoreName=My;
                                              CN=ADFS Signing - xxx

                                              CN=ADFS Signing - xxx

                                            [Serial Number]

                                            [Not Before]
                                              11/2/2017 8:31:14 PM

                                            [Not After]
                                              11/2/2018 8:31:14 PM

                                            ; CertificateType=Token-Signing; IsPrimary=True; StoreName=My;
                                              CN=ADFS Encryption - xxx

                                              CN=ADFS Encryption - xxx

                                            [Serial Number]

                                            [Not Before]
                                              11/22/2016 7:34:42 PM

                                            [Not After]
                                              11/22/2017 7:34:42 PM

                                            ; CertificateType=Token-Decrypting; IsPrimary=False; StoreName=My;
ADFSClaimDescription                      : {Microsoft.IdentityServer.Management.Resources.ClaimDescription,
ADFSEndpoint                              : {Microsoft.IdentityServer.Management.Resources.Endpoint,
ADFSProperties                            : Microsoft.IdentityServer.Management.Resources.ServiceProperties
ADFSRelyingPartyTrustCount                : 4
ADFSClaimsProviderTrustCount              : 6
ADFSConfigurationDatabaseConnectionString : Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial
                                            Catalog=AdfsConfigurationV3;Integrated Security=True
AdfssrvServiceAccount                     : DEV\xxx
AdfsVersion                               : 3.0
AadTrustStatus                            : Not Configured
ADFSAdditionalAuthenticationRule          :
ADFSClient                                : {Microsoft.IdentityServer.Management.Resources.AdfsClient,
ADFSGlobalAuthenticationPolicy            : Microsoft.IdentityServer.Management.Resources.AdfsGlobalAuthenticationPolic
ADFSDeviceRegistration                    : Microsoft.IdentityServer.Management.Resources.DeviceRegistrationServiceObject

Test-AdfsServerHealth | ft Name,Result  -AutoSize

Name                                                         Result
----                                                         ------
IsAdfsRunning                                                  Pass
IsWidRunning                                                   Pass
PingFederationMetadata                                         Pass
CheckAdfsSslBindings                                           Pass
Test-Certificate-Token-Decrypting-Primary-NotFoundInStore    NotRun
Test-Certificate-Token-Decrypting-Primary-IsSelfSigned       NotRun
Test-Certificate-Token-Decrypting-Primary-PrivateKeyAbsent   NotRun
Test-Certificate-Token-Decrypting-Primary-Expired              Pass
Test-Certificate-Token-Decrypting-Primary-Revoked              Pass
Test-Certificate-Token-Decrypting-Primary-AboutToExpire      NotRun
Test-Certificate-Token-Signing-Primary-NotFoundInStore       NotRun
Test-Certificate-Token-Signing-Primary-IsSelfSigned          NotRun
Test-Certificate-Token-Signing-Primary-PrivateKeyAbsent      NotRun
Test-Certificate-Token-Signing-Primary-Expired                 Pass
Test-Certificate-Token-Signing-Primary-Revoked                 Pass
Test-Certificate-Token-Signing-Primary-AboutToExpire         NotRun
Test-Certificate-SSL-Primary-NotFoundInStore                   Pass
Test-Certificate-SSL-Primary-IsSelfSigned                      Fail
Test-Certificate-SSL-Primary-PrivateKeyAbsent                  Pass
Test-Certificate-SSL-Primary-Expired                           Pass
Test-Certificate-SSL-Primary-Revoked                           Pass
Test-Certificate-SSL-Primary-AboutToExpire                     Pass
Test-Certificate-Token-Decrypting-Secondary-NotFoundInStore  NotRun
Test-Certificate-Token-Decrypting-Secondary-IsSelfSigned     NotRun
Test-Certificate-Token-Decrypting-Secondary-PrivateKeyAbsent NotRun
Test-Certificate-Token-Decrypting-Secondary-Expired            Pass
Test-Certificate-Token-Decrypting-Secondary-Revoked            Pass
Test-Certificate-Token-Decrypting-Secondary-AboutToExpire    NotRun
Test-Certificate-Token-Signing-Secondary-NotFoundInStore     NotRun
Test-Certificate-Token-Signing-Secondary-IsSelfSigned        NotRun
Test-Certificate-Token-Signing-Secondary-PrivateKeyAbsent    NotRun
Test-Certificate-Token-Signing-Secondary-Expired               Pass
Test-Certificate-Token-Signing-Secondary-Revoked               Pass
Test-Certificate-Token-Signing-Secondary-AboutToExpire       NotRun
CheckFarmDNSHostResolution                                     Pass
CheckDuplicateSPN                                              Pass
TestServiceAccountProperties                                   Pass
TestAppPoolIDMatchesServiceID                                NotRun
TestComputerNameEqFarmName                                     Pass
TestSSLUsingADFSPort                                         NotRun
TestSSLCertSubjectContainsADFSFarmName                         Pass
TestAdfsAuditPolicyEnabled                                     Fail
TestAdfsRequestToken                                           Pass
CheckOffice365Endpoints                                        Pass
TestADFSO365RelyingParty                                     NotRun
TestNtlmOnlySupportedClientAtProxyEnabled                      Fail

Test-AdfsServerHealth | where {$_.Result -eq "Fail"} | fl

Name             : Test-Certificate-SSL-Primary-IsSelfSigned
Result           : Fail
Detail           : SSL certificate with thumbprint 24...35 is self-signed.
Output           : {Thumbprint}
ExceptionMessage :

Name             : TestAdfsAuditPolicyEnabled
Result           : Fail
Detail           : Audits are not configured for Usage data collection : Expected 'Success and Failure', Actual='No
Output           : {StsAuditConfig, MachineAuditPolicy}
ExceptionMessage :

Name             : TestNtlmOnlySupportedClientAtProxyEnabled
Result           : Fail
Detail           : NtlmOnlySupportedClientAtProxy is disabled; extranet users can experience authentication failure.

Output           : {NtlmOnlySupportedClientAtProxy}
ExceptionMessage :

More examples here.


Wednesday, November 15, 2017

ADFS : ADFS 4.0 with SPA

This is for Server 2016 with a single page application.

There is a sample that shows how to do this but you will see many comments along the lines of "I can authenticate but when I call the API I get "Authorization has been denied for this request" ".

This error is typically invoked when either the "audience" or the "issuer" is wrong.

Once you have authenticated, look at the token you received under the "User" tab e.g.

Id_token content

Ensure these are the values configured for "Audience" and "Issuer" in the "appSettings".

They are case-sensitive!

The sample is a badly hacked Azure AD one and still has references to this all over the place.

It is also confusing because it refers to constructs like "tenant" which mean nothing in the ADFS world.

Also the clientID is a string (as in Azure AD) rather than a GIUD that is automatically generated for you when you create the application.

It needs to be rewritten to make it ADFS centric!

The other problem is that it uses implicit flow and there are contradictory articles that mention that you cannot get extra or custom claims with this flow because it would make the query string too long?

My understanding is that to get the custom claims, you need to do a POST whereas adal.js does a GET. This requires the claims to be in the URL which is not secure and may make the URL too long.

This is a restriction of adal.js; not a restriction of the protocol.

This post suggests that you can fix the problem by proxying the GET to a POST.

Also of interest is that using the identityserver oidc-client-js stack instead of adal.js does not have have this problem. But then you lose the goodness of ADAL.

Claims rules are a huge part of the advantage of ADFS. It's a pity that they can't be used in this scenario.


Monday, November 06, 2017

ADFS : Application Groups

ADFS 4.0 manages OpenID Connect / OAuth connections via the "Application Groups" folder.

There are three kinds:
  • Native application
  • Server application
  • Web API
which leads to the following combinations:
  • Native application accessing web API
  • Server application accessing Web API
Plus the odd one out:
  • Web browser accessing web application
The PowerShell cmdlets split into three separate commands:
  • Get-AdfsNativeClientApplication
  • Get-AdfsServerApplication
  • Get-AdfsWebApiApplication
So although you can create an application with a web API in one pass through the wizard, the separate components need to be accessed via PowerShell.



Name                       : MyApp  - Native application
Identifier                 : b2...27
ApplicationGroupIdentifier : MyApp
Description                :
Enabled                    : True
RedirectUri                : {https://blah}


ADUserPrincipalName                  :
ClientSecret                         : ********
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys                       : {}
JWKSUri                              :
Name                                 : My server application
Identifier                           : 8e...44
ApplicationGroupIdentifier           : MyApp
Description                          :
Enabled                              : True
RedirectUri                          : {https://blah}


Name                                 : My Web API
Identifier                           : {https://blah/webapi}
AccessControlPolicyName              : Permit everyone
AccessControlPolicyParameters        :
AdditionalAuthenticationRules        :
AllowedAuthenticationClassReferences : {}
AllowedClientTypes                   : Public, Confidential
ApplicationGroupIdentifier           : MyApp
ApplicationGroupId                   : 12...56
AlwaysRequireAuthentication          : False
ClaimsProviderName                   : {}
DelegationAuthorizationRules         :
Enabled                              : True
ImpersonationAuthorizationRules      :
IssuanceAuthorizationRules           :
IssueOAuthRefreshTokensTo            : AllDevices
IssuanceTransformRules               : @RuleName = "All"
                                        => issue(claim = c);
NotBeforeSkew                        : 0
Description                          :
PublishedThroughProxy                : False
RefreshTokenProtectionEnabled        : False
RequestMFAFromClaimsProviders        : False
ResultantPolicy                      : RequireFreshAuthentication:False
                                         Permit everyone
TokenLifetime                        : 0

Plus we have the legacy cmdlets from ADFS 3.0:


RedirectUri                          : {ms-appx-web://Microsoft.AAD.BrokerPlugin}
Name                                 : Windows Logon Client
Description                          : Client for Microsoft Windows Logon
ClientId                             : 38...93b
BuiltIn                              : True
Enabled                              : True
ClientType                           : Public
ADUserPrincipalName                  :
ClientSecret                         :
JWTSigningCertificateRevocationCheck : None
JWTSigningKeys                       : {}
JWKSUri                              :

Just remember that the clientID is auto-generated when you create one of these entries and the secret key can only be viewed once in the wizard during creation.

Plus there was this question over on the forum around scope:

In an ADFS Application Group, add Client Application/Permitted Scope to Web API with PowerShell

Grant-AdfsApplicationPermission -ClientRoleIdentifier $clientAppIdGuid -ServerRoleIdentifier $relyingPartyIdentifier -ScopeNames $theScopesYouWantAssignedTo

And remember you can get all the commands by:

get-command *adfsclient*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Add-AdfsClient                               ADFS
Cmdlet          Disable-AdfsClient                           ADFS
Cmdlet          Enable-AdfsClient                            ADFS
Cmdlet          Get-AdfsClient                               ADFS
Cmdlet          Remove-AdfsClient                            ADFS
Cmdlet          Set-AdfsClient                               ADFS

get-command *adfsnativeclient*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Add-AdfsNativeClientApplication              ADFS
Cmdlet          Get-AdfsNativeClientApplication              ADFS
Cmdlet          Remove-AdfsNativeClientApplication           ADFS
Cmdlet          Set-AdfsNativeClientApplication              ADFS

get-command *adfsserver*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Add-AdfsServerApplication                    ADFS
Cmdlet          Get-AdfsServerApplication                    ADFS
Cmdlet          Remove-AdfsServerApplication                 ADFS
Cmdlet          Set-AdfsServerApplication                    ADFS

get-command *adfswebapi*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Add-AdfsWebApiApplication                    ADFS
Cmdlet          Get-AdfsWebApiApplication                    ADFS
Cmdlet          Remove-AdfsWebApiApplication                 ADFS
Cmdlet          Set-AdfsWebApiApplication                    ADFS

get-command *adfsapplication*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Cmdlet          Disable-AdfsApplicationGroup                 ADFS
Cmdlet          Enable-AdfsApplicationGroup                  ADFS
Cmdlet          Get-AdfsApplicationGroup                     ADFS
Cmdlet          Get-AdfsApplicationPermission                ADFS
Cmdlet          Grant-AdfsApplicationPermission              ADFS
Cmdlet          New-AdfsApplicationGroup                     ADFS
Cmdlet          Remove-AdfsApplicationGroup                  ADFS
Cmdlet          Revoke-AdfsApplicationPermission             ADFS
Cmdlet          Set-AdfsApplicationGroup                     ADFS
Cmdlet          Set-AdfsApplicationPermission                ADFS


Monday, October 30, 2017

Visual Studio : Unable to connect to web server IIS Express

This is with VS 2017.

I was looking at a .NET Core project and wanted to change from http to https.

So under Properties / Debug, I checked the "Enable SSL" checkbox.

This changes the port so I then did a copy / replace of the old port to the new one and changed the URL to https e.g.

http://localhost:5000 became https://localhost:44326

Then I got "Unable to connect to web server IIS Express".

Consulted with Mr. Google.

The solution that worked for me was to:
  • Close the VS project
  • In File Explorer, navigate to the project and delete the entire ".vs" folder
  • Restart the project
  • Run as "Debug"
  • Works
Apparently, it has something to do with the "applicationhost.config" file.


Friday, October 27, 2017

Azure : Weird problem with OAuth timing

Came across a head-scratcher recently.

Using OpenID Connect / OAuth against Azure AD, authentication would always fail and then work if you retried two minutes later. Before that, retries would consistently fail.

WTF? What is the significance of two minutes?

Mr. Google to the rescue and came across a similar problem in SAML-P.

The problem here was that the two servers clocks were not synchronised. The token has start / end parameters for the validity of the token and any time outside of these is considered invalid and hence the token is rejected. (You can fix this via the skew parameter),

The OAuth JWT token has similar fields viz.

iat - Issued at
nbf - Not before

Checking the respective server's times, this would indeed the problem :-)

And you guessed it - the server's times were two minutes apart!


Wednesday, October 18, 2017

IdentityServer : WS-Fed metadata imported into ADFS

I've been looking at Identity server 4 (idsrv4) just to have a play with it.

This runs on .NET Core which I something else I need to get up to speed on.

There is also a WS-Fed plug-in which I got working and tried to hook up to ADFS as an exercise.

The metadata endpoint is:


and when I tried to import this into ADFS, I got the normal:

"Metadata contains some features not supported by ADFS" warning.

Now this could be because the metadata contains a SAML profile that ADFS doesn't support - PAOS being an example.

But 999 out of 1000 times, it's because the endpoints are "http" not "https".

Looking at the metadata, this is indeed the case.

This means that although the entry is added to ADFS, it has no endpoints so it will never work.

You can't just edit the metadata because it's signed and you'll get a signing error when you try and import the updated file.

You can delete the whole "Signature" section in the XML if you want. Do this at your own risk - normal best practice security applies :-).

The other way is to update the metadata when it's generated. There is no metadata file - it's dynamically generated every time.

You can do this in the "Properties".

Select the "Enable SSL" check box. IIS Express generates a new endpoint as above so now you have to replace all the instances of:


with the https endpoint as above.

This also means that you need to change this address in any of the client samples.

The new metadata imports without issues.


Wednesday, October 11, 2017

ADFS : PowerShell cmdlet - parameter PolicyMetadata

Another question on the forum around the format of PowerShell parameters.

This one was around PolicyMetadata.

Get-AdfsAccessControlPolicy -Name "Demo"

Name           : Demo
Identifier     : Demo
IsBuiltIn      : False
RpUsageCount   : 0
LastUpdateTime : 10/10/2017 7:22:00 PM
Description    :
PolicyMetadata : RequireFreshAuthentication:False
                   Permit everyone
AssignedTo     : {} 

Now if you copy / paste the metadata into a file and then run:

New-AdfsAccessControlPolicy -Name "DemoOne" -PolicyMetadataFile c:\Filename

you get all kinds of errors.

Looking at the errors e.g. "Root error" made me think that the format wasn't JSON, rather XML.

Which means that it is almost impossible to guess the element names etc.

So Mr. Google to the rescue and a long time later, I came across:

(Get-AdfsAccessControlPolicy -Name "Permit everyone").PolicyMetadata | fl *

which displays:

IsParameterized : False
Serialized      : <PolicyMetadata xmlns:i=""
                          <Condition i:type="AlwaysCondition">
                            <Values />
Summary         : RequireFreshAuthentication:False
                    Permit everyone
ExtensionData   : System.Runtime.Serialization.ExtensionDataObject

Putting that into a file e.g.

<?xml version="1.0" encoding="UTF-8"?>
<PolicyMetadata xmlns:i=""
                    <Condition i:type="AlwaysCondition">
                        <Values />

and then running the command works!

I suggest running:


which displays them all and then look at the XML formats to get some hints as to the XML format.


Saturday, October 07, 2017

ADFS : PowerShell cmdlet - parameter is an array

Over on the forum, there was a question around a parameter in the cmdlet that accepts multiple options as an array i.e.

"-RedirectUriSpecifies an array of redirection URIs for the OAuth 2.0 client to register with AD FS".

The question was around the format of the array since that is not specified.

Looking at another example:

Set-AdfsRelyingPartyTrust -TargetName claimapp -ClaimsProviderName @("Fabrikam","Active Directory")

the array is of the form:

@("Fabrikam","Active Directory")