Need help Integrated Windows Authentication to login to adfs

sunny shah 1 Reputation point
2022-03-30T20:56:14.92+00:00

I have an AWS VM with ADFS, AD DS, AD CS, and IIS installed. The VM itself has the Domain Controller installed. I am just trying to test my feature, which will accept an ADFS token. So, all in all, I have created a relying party trust on ADFS and added a new attribute group similar to what we see in this blog:
https://jpassing.com/2021/10/18/obtaining-adfs-access-tokens-using-the-client-credentials-grant-and-integrated-windows-authentication/

However, the authentication from PowerShell does not work for me. Here are the Fiddler information logs:

First call to get Kerberos token:
POST https://xxxxxxx.samlencryption.com/adfs/oauth2/token/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.4583
Content-Type: application/x-www-form-urlencoded
Host: xxxxxxxxx.samlencryption.com
Content-Length: 171
Connection: Keep-Alive
scope=openid&grant_type=client_credentials&resource=http%3A%2F%2Fpowershell-test-api.samlencryption.com%2F&client_id=powershell-test&use_windows_client_authentication=true

Next call:

POST https://xxxxxxx.samlencryption.com/adfs/oauth2/token/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.4583
Content-Type: application/x-www-form-urlencoded
Authorization: Negotiate YIGHBgYrBgEFBQK.......
Host: xxxxxxxx.samlencryption.com
Content-Length: 0

The second call does not pass the scope data, which results in a failure. If I manually add the scope data from the fiddler request, it works and I am able to get the access token. Do you know or can you spot any issues with our setup?

Thanks in advance!


1 answer

Sort by: Most helpful
  1. billvo 0 Reputation points
    2023-05-03T14:51:10.99+00:00

    I also followed Johannes' procedure. My first call receives a 401 response. My second call has the same body (form content) as the first call.

    You apparently got the 401 also, so that suggests that WIASupportedUserAgents is correct.

    It seems that Invoke-RestMethod understands the 401 response but fails to re-send the body.

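The exchange in the question (client_credentials with use_windows_client_authentication=true, a 401 Negotiate challenge, then an authenticated retry) and the answer's diagnosis that the retry loses the form body, as an added PowerShell example that is not code from the question, the answer, or the linked blog. It assumes the client runs as a domain user holding a Kerberos ticket ADFS accepts; the ADFS host name is a placeholder, and the client_id and resource are the values from the Fiddler trace.

```powershell
Add-Type -AssemblyName System.Net.Http

function Get-AdfsTokenWithIwa {
    param(
        [Parameter(Mandatory)] [string] $AdfsHost,   # placeholder, e.g. adfs.example.com
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $Resource
    )
    # Same form body as the first request in the Fiddler trace.
    $form = [System.Collections.Generic.Dictionary[string,string]]::new()
    $form['scope']      = 'openid'
    $form['grant_type'] = 'client_credentials'
    $form['resource']   = $Resource
    $form['client_id']  = $ClientId
    $form['use_windows_client_authentication'] = 'true'

    # UseDefaultCredentials answers the 401 Negotiate challenge with the caller's
    # Kerberos ticket. FormUrlEncodedContent is buffered in memory, so the handler
    # can send the identical body again on the authenticated retry, which is the
    # part the second request in the question's trace was missing (assumption:
    # this is why HttpClient is used here instead of Invoke-RestMethod).
    $handler = [System.Net.Http.HttpClientHandler]::new()
    $handler.UseDefaultCredentials = $true
    $client  = [System.Net.Http.HttpClient]::new($handler)
    try {
        $content  = [System.Net.Http.FormUrlEncodedContent]::new($form)
        $response = $client.PostAsync("https://$AdfsHost/adfs/oauth2/token/", $content).GetAwaiter().GetResult()
        $body     = $response.Content.ReadAsStringAsync().GetAwaiter().GetResult()
        if (-not $response.IsSuccessStatusCode) {
            throw "Token endpoint returned $([int]$response.StatusCode): $body"
        }
        return ($body | ConvertFrom-Json).access_token
    } finally {
        $client.Dispose()
    }
}

function Test-JwtAudienceAndExpiry {
    param([string] $Jwt, [string] $ExpectedAudience)
    # Decodes the payload only; the relying party must still validate the signature.
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    $notExpired = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp) -gt [DateTimeOffset]::UtcNow
    return (@($claims.aud) -contains $ExpectedAudience) -and $notExpired
}

$resource = 'http://powershell-test-api.samlencryption.com/'
$token = Get-AdfsTokenWithIwa -AdfsHost 'adfs.example.com' -ClientId 'powershell-test' -Resource $resource
Test-JwtAudienceAndExpiry -Jwt $token -ExpectedAudience $resource
```

Run it with Fiddler open to confirm that the retry carrying the Authorization: Negotiate header also carries the 171-byte form body; a Content-Length of 0 on that request reproduces the failure described above.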
