Need help Integrated Windows Authentication to login to adfs

sunny shah 1 Reputation point
2022-03-30T20:56:14.92+00:00

I have an AWS VM with ADFS, AD DS, AD CS and IIS installed. The VM itself has the Domain Controller installed. I am just trying to test my feature, which will accept an ADFS token. So, all in all, I have created a relying party trust on ADFS and added a new attribute group similar to what we see in this blog:
https://jpassing.com/2021/10/18/obtaining-adfs-access-tokens-using-the-client-credentials-grant-and-integrated-windows-authentication/

However, the authentication from PowerShell does not work for me. Here are the Fiddler information logs:

First call to get Kerberos token:
POST https://xxxxxxx.samlencryption.com/adfs/oauth2/token/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.4583
Content-Type: application/x-www-form-urlencoded
Host: xxxxxxxxx.samlencryption.com
Content-Length: 171
Connection: Keep-Alive
scope=openid&grant_type=client_credentials&resource=http%3A%2F%2Fpowershell-test-api.samlencryption.com%2F&client_id=powershell-test&use_windows_client_authentication=true

Next call:

POST https://xxxxxxx.samlencryption.com/adfs/oauth2/token/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.4583
Content-Type: application/x-www-form-urlencoded
Authorization: Negotiate YIGHBgYrBgEFBQK.......
Host: xxxxxxxx.samlencryption.com
Content-Length: 0

The second call does not pass the scope data, which results in a failure. If I manually add the scope data from the Fiddler request, it works and I am able to get the access token. Do you know or can you spot any issues with our setup?

Thanks in advance!


1 answer

  1. billvo 0 Reputation points
    2023-05-03T14:51:10.99+00:00

    I also followed Johannes' procedure as well. My first call receives a 401 response. My second call has the same body (form content) as the first call.

    You apparently got the 401 also, so that suggests that WIASupportedUserAgents is correct.

    It seems that Invoke-RestMethod understands the 401 response but fails to re-send the body.

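The client_credentials plus Integrated Windows Authentication exchange that the question logs and that billvo's answer diagnoses, as an added example (not code from the question, the answer, or the linked blog post): it sends the same form through System.Net.Http with default credentials, whose buffered FormUrlEncodedContent is re-sent together with the Negotiate header after the 401 challenge, so the retried request is not empty. The ADFS host name is a placeholder; the form values are the ones from the question's Fiddler capture, and the Negotiate challenge still depends on the User-Agent matching an entry in WIASupportedUserAgents.

```powershell
# Added example, not code from the question or from the linked blog post.
# Same client_credentials + IWA request as the question's capture, driven through
# System.Net.Http so the form body survives the 401 Negotiate round trip.
Add-Type -AssemblyName System.Net.Http

$adfsHost = 'adfs.example.com'   # placeholder for xxxxxxx.samlencryption.com
$tokenUrl = "https://$adfsHost/adfs/oauth2/token/"

# Dictionary<string,string> enumerates as KeyValuePair<string,string>, which
# FormUrlEncodedContent accepts; values are those from the question's capture.
$form = New-Object 'System.Collections.Generic.Dictionary[string,string]'
$form.Add('scope',                             'openid')
$form.Add('grant_type',                        'client_credentials')
$form.Add('resource',                          'http://powershell-test-api.samlencryption.com/')
$form.Add('client_id',                         'powershell-test')
$form.Add('use_windows_client_authentication', 'true')

$handler = New-Object System.Net.Http.HttpClientHandler
$handler.UseDefaultCredentials = $true   # answer Negotiate with the logged-on domain identity
$client = New-Object System.Net.Http.HttpClient($handler)

# ADFS issues the Negotiate challenge only when the User-Agent matches an entry in
# WIASupportedUserAgents; reuse the string the question's capture shows.
$ua = 'Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.4583'
[void]$client.DefaultRequestHeaders.TryAddWithoutValidation('User-Agent', $ua)

$content  = New-Object System.Net.Http.FormUrlEncodedContent($form)
$response = $client.PostAsync($tokenUrl, $content).GetAwaiter().GetResult()
$body     = $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()
$client.Dispose()

if (-not $response.IsSuccessStatusCode) {
    # A 401 here means the Negotiate round trip did not complete: check in Fiddler
    # that the retried POST still carries the body (Content-Length is not 0) and
    # that the User-Agent matches WIASupportedUserAgents.
    throw "Token request failed: HTTP $([int]$response.StatusCode) $body"
}

$token = ($body | ConvertFrom-Json).access_token

# Decode the JWT payload for inspection only (no signature check): confirm that
# aud is the relying party and that the claims the issuance rules add are present.
$payload = $token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload = $payload.PadRight($payload.Length + (4 - $payload.Length % 4) % 4, '=')
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
```

The decoded payload is printed for inspection only; the relying party that consumes the token must still validate the signature against the ADFS signing certificate.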
