We have an ADFS 2.0 Environment that is used to federate our Active Directory domain with Office 365.
Recently we had an issue where the cluster stopped responding, which in turn broke email/calendar access for all of our users. As we don't have any monitoring for ADFS currently, I am trying to write a PowerShell script that will periodically attempt to authenticate to our ADFS cluster and get a valid token, similar to how the SSO test at testexchangeconnectivity.com works.
It appears that the token is actually issued by /adfs/services/trust/2005/usernamemixed, but whenever I try to run Invoke-WebRequest or New-WebServiceProxy against this URI and provide local AD credentials I get a 400 Bad Request error.
What do I have to do in order to properly request a token from this endpoint?
Request ID Token and Access Token. To initially sign the user into your app, you can send an OpenID Connect authentication request and get an id_token and an access token from the AD FS endpoint. The request carries the Application (client) ID that AD FS assigned to your app, and its response type must include id_token for OpenID Connect sign-in.
Optionally, you can check the current signing certificates in AD FS. To do so, run the following command: Get-ADFSCertificate -CertificateType token-signing. Look at the command output to see the Not After dates of any certificates listed.
You can obtain a token-signing certificate by requesting one from an enterprise CA or a public CA or by creating a self-signed certificate. A private key from one token-signing certificate is shared among all the federation servers in a farm.
This script should get you on your way http://gallery.technet.microsoft.com/scriptcenter/Invoke-ADFSSecurityTokenReq-09e9c90c You will need .Net Framework 4.5
You could also simulate an ADFS logon to Office 365 using the Connect-MSOL cmdlet to connect to a powershell session - if you use an ADFS account an ADFS login will occur.