Need help Integrated Windows Authentication to login to adfs

Question

I have an aws vm with adfs, adds, adcs, iis installed. The vm itself have the Domain Controller installed. I am just trying to test my feature, which will accept ADFS token. So, all in I have created a relying party trust on ADFS. Added a new attribute group similar to what we see in this blog:
https://jpassing.com/2021/10/18/obtaining-adfs-access-tokens-using-the-client-credentials-grant-and-integrated-windows-authentication/

However, the authentication from powershell does not work for me. Here are the fiddler information logs:

First call to get kerberos token
POST https://xxxxxxx.samlencryption.com/adfs/oauth2/token/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.4583
Content-Type: application/x-www-form-urlencoded
Host: xxxxxxxxx.samlencryption.com
Content-Length: 171
Connection: Keep-Alive
scope=openid&grant_type=client_credentials&resource=http%3A%2F%2Fpowershell-test-api.samlencryption.com%2F&client_id=powershell-test&use_windows_client_authentication=true

Next call:

POST https://xxxxxxx.samlencryption.com/adfs/oauth2/token/ HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.14393.4583
Content-Type: application/x-www-form-urlencoded
Authorization: Negotiate YIGHBgYrBgEFBQK.......
Host: xxxxxxxx.samlencryption.com
Content-Length: 0

The second call does not pass the scope data, which results in a failure. If I manually add the scope data from the fiddler request, it works and I am able to get the access token. Do you know or can you spot any issues with our setup?

Thanks in advance!

Answer 1

I also followed Johannes procedure as well. My first call receives a 401 response. My second call has the same body (form content) as the first call.

You apparently got the 401 also, so that suggests that WIASupportedUserAgents is correct.

It seems that Invoke-RestMethod understands the 401 response but fails to re-send the body.