Tools for working with ACS service identities, including diagnostics for when things go wrong (PowerShell, ACS management tools)


First, we use testconnectivityanalyzer (the Microsoft Remote Connectivity Analyzer) to confirm that at least our first-level web service is up and running and can be activated.


https://testconnectivity.microsoft.com/

Then we use a command line tool to make and modify the service principal records in ACS:

http://code.msdn.microsoft.com/Windows-Azure-AD-Access-0dcde385


To test the WS-Trust service that leverages an ACS service principal record (the username/password sent to the service travels in a UsernameToken), we use PowerShell and Fiddler:

(code formatted using http://formatmysourcecode.blogspot.com/)

function Invoke-SSOPORTALSecurityTokenRequest {
param(
    [Parameter()][ValidateSet('Windows','UserName')] $ClientCredentialType,
    [Parameter()] $ADFSBaseUri,
    [Parameter()] $AppliesTo,
    [Parameter()] $Username,
    [Parameter()] $Password,
    [Parameter()] $Domain,
    [Parameter()][ValidateSet('1','2')] $SAMLVersion = 1,
    [Parameter()][ValidateSet('Token','RSTR')] $OutputType = 'Token',
    [Parameter()][Switch] $IgnoreCertificateErrors
)

# Relative path of the WS-Trust issuer behind the SSO portal base URI.
$ADFSTrustPath = 'Issuer.svc/office365/OTHER/RAPA/8/BARS'
# HTTPS protects the transport; the credential itself is carried inside the SOAP message.
$SecurityMode = 'TransportWithMessageCredential'
$ADFSBaseUri = $ADFSBaseUri.TrimEnd('/')

switch ($ClientCredentialType) {
    'Windows' {
        $MessageCredential = 'Windows'
        $ADFSTrustEndpoint = 'windowsmixed'
    }
    'UserName' {
        $MessageCredential = 'UserName'
        $ADFSTrustEndpoint = ''
    }
}
# Note: $ADFSTrustEndpoint is never appended to the endpoint address below, so both credential
# types are sent to the same $ADFSTrustPath URL; only the message credential differs.

$Credential = New-Object System.Net.NetworkCredential -ArgumentList $Username,$Password,$Domain

Add-Type -AssemblyName 'System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
Add-Type -AssemblyName 'System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'

# WS-Trust 1.3 / WS-SecurityPolicy binding; no secure conversation session, so each call is one RST/RSTR exchange.
$Binding = New-Object -TypeName System.ServiceModel.WS2007HttpBinding -ArgumentList ([System.ServiceModel.SecurityMode] $SecurityMode)
$Binding.Security.Message.EstablishSecurityContext = $false
$Binding.Security.Message.ClientCredentialType = $MessageCredential
$Binding.Security.Transport.ClientCredentialType = 'None'

$EP = New-Object -TypeName System.ServiceModel.EndpointAddress -ArgumentList ('{0}/{1}' -f $ADFSBaseUri,$ADFSTrustPath)

# The factory is told to speak the WS-Trust February 2005 dialect, which is what this issuer expects.
$WSTrustChannelFactory = New-Object -TypeName System.ServiceModel.Security.WSTrustChannelFactory -ArgumentList $Binding, $EP
$WSTrustChannelFactory.TrustVersion = [System.ServiceModel.Security.TrustVersion]::WSTrustFeb2005
$WSTrustChannelFactory.Credentials.Windows.ClientCredential = $Credential
$WSTrustChannelFactory.Credentials.UserName.UserName = $Credential.UserName
$WSTrustChannelFactory.Credentials.UserName.Password = $Credential.Password
$Channel = $WSTrustChannelFactory.CreateChannel()

$TokenType = @{
    SAML11 = 'urn:oasis:names:tc:SAML:1.0:assertion'
    SAML2 = 'urn:oasis:names:tc:SAML:2.0:assertion'
}

# Bearer key type: the issued assertion carries no proof key, so it is only as safe as the TLS channel it travels on.
$RST = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.RequestSecurityToken -Property @{
    RequestType   = [System.IdentityModel.Protocols.WSTrust.RequestTypes]::Issue
    AppliesTo     = $AppliesTo
    KeyType       = [System.IdentityModel.Protocols.WSTrust.KeyTypes]::Bearer
    TokenType     = if ($SAMLVersion -eq '2') {$TokenType.SAML2} else {$TokenType.SAML11}
}
$RSTR = New-Object -TypeName System.IdentityModel.Protocols.WSTrust.RequestSecurityTokenResponse

try {
    $OriginalCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    # -IgnoreCertificateErrors replaces the validation callback process-wide until the finally block
    # restores it, so the username/password is sent to a server whose certificate was not checked.
    if ($IgnoreCertificateErrors.IsPresent) {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {return $true}}
    $Token = $Channel.Issue($RST, [ref] $RSTR)
}
finally {
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $OriginalCallback
}

if ($OutputType -eq 'RSTR') {
    Write-Output -InputObject $RSTR
} else {
    Write-Output -InputObject $Token
}

}

Invoke-SSOPORTALSecurityTokenRequest `
    -ClientCredentialType UserName `
    -ADFSBaseUri https://ssoservices.rapmlsqa.com `
    -AppliesTo https://activedirectory.windowsazure.com `
    -UserName 'andy' `
    -Password '1234' `
    -Domain 'PORTAL' `
    -OutputType RSTR `
    -SAMLVersion 1 `
    -IgnoreCertificateErrors
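Before reaching for Fiddler, the same inner exception can usually be surfaced from PowerShell itself, because WCF wraps the issuer's SOAP fault several levels deep in the InnerException chain. The wrapper below is an added example, not code from the original post: it calls the Invoke-SSOPORTALSecurityTokenRequest function above with a PSCredential (so the password is not typed on the command line), keeps certificate validation enabled, prints the full exception chain on failure, and on success checks the RSTR fields worth looking at before trusting the token. The function name Test-SSOPORTALTokenIssuance is my own.

```powershell
# Added diagnostic wrapper (hypothetical name); assumes Invoke-SSOPORTALSecurityTokenRequest is loaded.
function Test-SSOPORTALTokenIssuance {
    param(
        [Parameter(Mandatory)] [string] $ADFSBaseUri,
        [Parameter(Mandatory)] [string] $AppliesTo,
        [Parameter(Mandatory)] [pscredential] $Credential   # DOMAIN\user, prompted securely
    )
    $nc = $Credential.GetNetworkCredential()
    try {
        $RSTR = Invoke-SSOPORTALSecurityTokenRequest `
            -ClientCredentialType UserName `
            -ADFSBaseUri $ADFSBaseUri `
            -AppliesTo $AppliesTo `
            -Username $nc.UserName -Password $nc.Password -Domain $nc.Domain `
            -OutputType RSTR -SAMLVersion 1     # no -IgnoreCertificateErrors: TLS stays validated
    }
    catch {
        # Walk the chain: CommunicationException -> FaultException -> the real cause.
        $ex = $_.Exception; $depth = 0
        while ($ex) {
            Write-Warning ('[{0}] {1}: {2}' -f $depth, $ex.GetType().FullName, $ex.Message)
            if ($ex -is [System.ServiceModel.FaultException]) {
                # The issuer's own fault code/reason is what Fiddler would show in the SOAP body.
                Write-Warning ('    SOAP fault code: {0}; reason: {1}' -f $ex.Code.Name, $ex.Reason)
            }
            $ex = $ex.InnerException; $depth++
        }
        return $false
    }

    # Positive result: show what the issuer actually returned, not just that it returned.
    $tokenXml = $RSTR.RequestedSecurityToken.SecurityTokenXml.OuterXml
    [pscustomobject]@{
        TokenType  = $RSTR.TokenType
        AppliesTo  = $RSTR.AppliesTo.Uri
        Created    = $RSTR.Lifetime.Created
        Expires    = $RSTR.Lifetime.Expires
        TokenBytes = $tokenXml.Length
    } | Format-List | Out-String | Write-Verbose -Verbose
    if ($RSTR.AppliesTo -and ($RSTR.AppliesTo.Uri -ne [uri]$AppliesTo)) {
        Write-Warning 'AppliesTo in the RSTR differs from the one requested'
    }
    if ($RSTR.Lifetime -and ($RSTR.Lifetime.Expires -lt [datetime]::UtcNow)) {
        Write-Warning 'Issued token is already expired (check clock skew between client and issuer)'
    }
    return $true
}

Test-SSOPORTALTokenIssuance -ADFSBaseUri 'https://ssoservices.rapmlsqa.com' `
    -AppliesTo 'https://activedirectory.windowsazure.com' -Credential (Get-Credential 'PORTAL\andy')
```

Run with -Verbose output visible; a $false return with the printed chain is the same information the Fiddler trace gives, and a $true return with a mismatched AppliesTo or a past Expires points at an issuer configuration or clock problem rather than a connectivity one.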


It is the Fiddler trace of the traffic on the wire that shows us the inner exception:


This means that, over the VPN, we have to recycle the app pool, using http:/recycle.rapattoni.com


The connectivity test now shows a positive result:



About home_pw@msn.com

Computer Programmer who often does network administration with focus on security servers. Very strong in Microsoft Azure cloud!
This entry was posted in AAD, ADFS, Azure AD.