I have an AWS VM with ADFS, AD DS, AD CS and IIS installed. The VM itself has the Domain Controller installed. I am just trying to test my feature, which will accept an ADFS token. So, all in all, I have created a relying party trust on ADFS and added a new attribute group similar to what we see in this blog:
https://jpassing.com/2021/10/18/obtaining-adfs-access-tokens-using-the-client-credentials-grant-and-integrated-windows-authentication/
However, the authentication from PowerShell does not work for me. Here are the Fiddler logs:
First call to get the Kerberos token:
POST https://xxxxxxx.samlencryption.com/adfs/oauth2/token/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.4583
Content-Type: application/x-www-form-urlencoded
Host: xxxxxxxxx.samlencryption.com
Content-Length: 171
Connection: Keep-Alive
scope=openid&grant_type=client_credentials&resource=http%3A%2F%2Fpowershell-test-api.samlencryption.com%2F&client_id=powershell-test&use_windows_client_authentication=true
Next call:
POST https://xxxxxxx.samlencryption.com/adfs/oauth2/token/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.4583
Content-Type: application/x-www-form-urlencoded
Authorization: Negotiate YIGHBgYrBgEFBQK.......
Host: xxxxxxxx.samlencryption.com
Content-Length: 0
The second call does not pass the scope data, which results in a failure. If I manually add the scope data from the Fiddler request, it works and I am able to get the access token. Do you know of, or can you spot, any issues with our setup?
Thanks in advance!
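The capture above is a two-leg Negotiate exchange: ADFS answers the first, unauthenticated POST with a 401 challenge, and the client re-sends the request with an `Authorization: Negotiate` header. The token endpoint only evaluates the body of the request it finally accepts, so the authenticated retry must carry the same form parameters as the first leg. The following script is an added example, not code from the question or from ADFS: it parses the two requests (transcribed from the Fiddler log above, with the obfuscated host and truncated Negotiate blob kept as in the post) and reports which `client_credentials` parameters are missing on the authenticated leg. The list of required parameters is an assumption taken from the first request's body.

```python
"""Check a proxy-captured OAuth2 client_credentials request that uses
Integrated Windows Authentication (Negotiate) against an ADFS token endpoint.

Added example for this question, not the poster's code. The two request
texts are transcribed from the question's Fiddler capture."""
from urllib.parse import parse_qs

# Assumption: the parameters the first (unauthenticated) leg sent are the
# ones every leg must carry, because ADFS only reads the body of the request
# it accepts after the Negotiate challenge.
REQUIRED_PARAMS = ("grant_type", "client_id", "resource", "scope",
                   "use_windows_client_authentication")

# Leg 1 as captured: no Authorization header, full form body (171 bytes).
FIRST_LEG = """POST https://xxxxxxx.samlencryption.com/adfs/oauth2/token/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.4583
Content-Type: application/x-www-form-urlencoded
Host: xxxxxxxxx.samlencryption.com
Content-Length: 171
Connection: Keep-Alive

scope=openid&grant_type=client_credentials&resource=http%3A%2F%2Fpowershell-test-api.samlencryption.com%2F&client_id=powershell-test&use_windows_client_authentication=true
"""

# Leg 2 as captured: Negotiate header present, but the form body is gone.
SECOND_LEG = """POST https://xxxxxxx.samlencryption.com/adfs/oauth2/token/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.4583
Content-Type: application/x-www-form-urlencoded
Authorization: Negotiate YIGHBgYrBgEFBQK.......
Host: xxxxxxxx.samlencryption.com
Content-Length: 0
"""

# Constructed: what the second leg should look like once the client re-sends
# the body with the Negotiate header (the fix the poster applied by hand).
FIXED_SECOND_LEG = (SECOND_LEG.replace("Content-Length: 0", "Content-Length: 171")
                    + "\n" + FIRST_LEG.partition("\n\n")[2])


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    text = raw.replace("\r\n", "\n").strip("\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"request_line": lines[0], "headers": headers, "body": body.strip()}


def form_params(req: dict) -> dict:
    """Decode an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in
            parse_qs(req["body"], keep_blank_values=True).items()}


def check_leg(req: dict) -> dict:
    """Describe one leg: is it the authenticated retry, and what is missing?"""
    params = form_params(req)
    headers = req["headers"]
    declared = int(headers.get("content-length", "0"))
    return {
        "authenticated": headers.get("authorization", "").startswith("Negotiate "),
        "missing": [p for p in REQUIRED_PARAMS if p not in params],
        # Content-Length must match what was actually sent on the wire.
        "length_mismatch": declared != len(req["body"].encode()),
    }


def check_exchange(raw_requests) -> list:
    return [check_leg(parse_http_request(r)) for r in raw_requests]


def diagnose(raw_requests) -> list:
    """Return one finding per authenticated leg that lost required parameters."""
    findings = []
    for i, leg in enumerate(check_exchange(raw_requests), 1):
        if leg["authenticated"] and leg["missing"]:
            findings.append(f"leg {i}: authenticated retry is missing "
                            + ", ".join(leg["missing"]))
    return findings


if __name__ == "__main__":
    for name, legs in (("captured", [FIRST_LEG, SECOND_LEG]),
                       ("fixed", [FIRST_LEG, FIXED_SECOND_LEG])):
        print(name, diagnose(legs) or "ok")
```

Run against the captured pair it reports that leg 2 is missing every grant parameter, which matches the symptom in the question; against the corrected pair it reports nothing. The same check is useful on the server side of a token-accepting feature: a `client_credentials` request that arrives authenticated but without `grant_type` is a client-side retry problem, not a trust or claims-rule problem, and can be logged as such.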