AdfsCertificate: TokenSigningCertificates Add-ADFSCertificate missing? #49

patrikwm opened this issue Mar 23, 2021 · 2 comments
patrikwm commented Mar 23, 2021

Details of the scenario you tried and the problem that is occurring

The problem occurs when configuring a fresh ADFS farm and trying to set the 'token-signing' certificate with AdfsCertificate.

I get the error: PS0006: The IsPrimary parameter must be specified when a Token-Encryption or Token-Signing certificate is specified. But the real problem is that the certificate is not added in the first place.

Verbose logs showing the problem

Code="VMExtensionProvisioningError" Message="VM has reported a failure when processing extension 'TestDSC'. Error message: \"DSC Configuration 'CreateRootDomain' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_AdfsCertificate  failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: Error setting 'Token-Signing'. (CERERR002) ---> System.ArgumentException: PS0006: The IsPrimary parameter must be specified when a Token-Encryption or Token-Signing certificate is specified.
   at Microsoft.IdentityServer.Management.Commands.SetCertificateCommand.DoProcessing()
   at Microsoft.IdentityServer.Management.Commands.SetCertificateCommand.EndProcessingOverride()
   --- End of inner exception stack trace ---  PowerShell DSC resource MSFT_AdfsCertificate  failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: Error setting 'Token-Decrypting'. (CERERR002) ---> System.ArgumentException: PS0006: The IsPrimary parameter must be specified when a Token-Encryption or Token-Signing certificate is specified.
   at Microsoft.IdentityServer.Management.Commands.SetCertificateCommand.DoProcessing()
   at Microsoft.IdentityServer.Management.Commands.SetCertificateCommand.EndProcessingOverride()
   --- End of inner exception stack trace ---  The SendConfigurationApply function did not succeed. LCM failed to start desired state configuration manually.\"

Suggested solution to the issue

Add-AdfsCertificate before setting it.

The following command produces the same error as in DSC.

PS C:\Users\adminuser> Set-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint $thumbprint
Set-AdfsCertificate : PS0006: The IsPrimary parameter must be specified when a Token-Encryption or Token-Signing
certificate is specified.
At line:1 char:1
+ Set-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint "7ED ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-AdfsCertificate], ArgumentException
    + FullyQualifiedErrorId : PS0006,Microsoft.IdentityServer.Management.Commands.SetCertificateCommand

Adding -IsPrimary to the command produces another error.

PS C:\Users\adminuser> Set-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint $thumbprint -IsPrimary
Set-AdfsCertificate : PS0010: You must add the certificate before you can set it to be the primary certificate.
At line:1 char:1
+ Set-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint "7ED ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-AdfsCertificate], ArgumentException
    + FullyQualifiedErrorId : PS0010,Microsoft.IdentityServer.Management.Commands.SetCertificateCommand

After adding the certificate as suggested in PS0010, it is possible to set the certificate to token-signing. So I think this is the part that is missing.

PS C:\Users\adminuser> Add-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint $thumbprint
PS C:\Users\adminuser> Set-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint $thumbprint -IsPrimary

The only place in the code I can find the Add-AdfsCertificate is in AdfsDsc/Tests/Unit/Stubs/AdfsStub.psm1

The DSC configuration that is used to reproduce the issue (as detailed as possible)

WindowsFeature adfs-federation
{
    Ensure               = "Present"
    Name                 = "adfs-federation"
    IncludeAllSubFeature = $True
    DependsOn            = "[PendingReboot]RebootAfterInstallingAD"
}
ADKDSKey CreateKDSRootKeyInPast
{
    Ensure                   = 'Present'
    EffectiveTime            = '1/1/2021 13:00'
    AllowUnsafeEffectiveTime = $true # Use with caution
}
ADManagedServiceAccount AddADFSGMSA
{
    Ensure                    = 'Present'
    ServiceAccountName        = 'adfs_gmsa'
    AccountType               = 'Group'
    ManagedPasswordPrincipals = 'Domain Controllers'
    DependsOn                 = "[ADKDSKey]CreateKDSRootKeyInPast"
}
AdfsFarm ConfigureADFS
{
    FederationServiceName         = "sts.$ExternalDnsDomain"
    FederationServiceDisplayName  = "$domain dev ADFS Service"
    CertificateThumbprint         = "$thumbprint"
    GroupServiceAccountIdentifier = "$domain\adfs_gmsa$"
    Credential                    = $DomainCreds
}
AdfsProperties ADFSFarmProperties
{
    FederationServiceName         = "sts.$ExternalDnsDomain"
    EnableIdPInitiatedSignonPage  = $True
    AutoCertificateRollover       = $False
    DependsOn                     = "[AdfsFarm]ConfigureADFS"
}

AdfsCertificate TokenSigningCertificates
{
    CertificateType = 'Token-Signing'
    Thumbprint      = "$thumbprint"
    DependsOn       = "[AdfsProperties]ADFSFarmProperties"
}

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.17763.1490
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.1490
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used

1.1.0

@X-Guardian (Owner)

Hi @patrikwm, thanks for reporting this. It looks like you are right, and the AdfsCertificate resource doesn't work correctly. I'm happy to review a PR if you want to raise one to fix it?

@patrikwm (Author)

Hi! I would love to do a PR, but I started using DSC about a week ago, so I have no experience in doing code changes in DSC modules at the moment.

When fixing this issue it would be good to have a state = present/absent or PurgeSecondaryCertificates = $True/$False, because the current primary certificate will become a secondary certificate when specifying IsPrimary on a secondary certificate.

This can be done with the Remove-AdfsCertificate command.
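The sequence patrikwm found to work (Add-AdfsCertificate, then Set-AdfsCertificate -IsPrimary) together with the purge behaviour suggested in the comment above, written as an idempotent helper. This is an added example, not code from the issue or from the AdfsDsc module; it assumes the ADFS cmdlets are available on a farm node, and the function name and the -PurgeSecondaryCertificates switch are hypothetical.

```powershell
# Added example, not code from the AdfsDsc project: an idempotent helper that does
# what this issue says MSFT_AdfsCertificate's Set-TargetResource is missing.
# Assumes the ADFS module is loaded on a farm node; the function name and the
# -PurgeSecondaryCertificates switch are hypothetical.
function Set-AdfsServiceCertificate
{
    param
    (
        [Parameter(Mandatory)]
        [ValidateSet('Token-Signing', 'Token-Decrypting')]
        [string] $CertificateType,

        [Parameter(Mandatory)]
        [string] $Thumbprint,

        # Remove every non-primary certificate of this type after the switch.
        [switch] $PurgeSecondaryCertificates
    )

    # Add-AdfsCertificate is refused while automatic rollover is on; the issue's
    # configuration already sets AutoCertificateRollover = $False via AdfsProperties.
    if ((Get-AdfsProperties).AutoCertificateRollover)
    {
        throw 'Disable AutoCertificateRollover before managing certificates manually.'
    }

    $current = Get-AdfsCertificate -CertificateType $CertificateType

    # Step 1 (PS0010): the certificate must be added before it can be made primary.
    if (-not ($current | Where-Object Thumbprint -eq $Thumbprint))
    {
        Add-AdfsCertificate -CertificateType $CertificateType -Thumbprint $Thumbprint
    }
    # Step 2 (PS0006): -IsPrimary is mandatory for these certificate types.
    $primary = $current | Where-Object IsPrimary
    if ($primary.Thumbprint -ne $Thumbprint)
    {
        Set-AdfsCertificate -CertificateType $CertificateType -Thumbprint $Thumbprint -IsPrimary
    }

    # Step 3 (optional): the previous primary is now secondary; remove it so it drops
    # out of the published federation metadata.
    if ($PurgeSecondaryCertificates)
    {
        Get-AdfsCertificate -CertificateType $CertificateType |
            Where-Object { -not $_.IsPrimary } |
            ForEach-Object { Remove-AdfsCertificate -CertificateType $CertificateType -Thumbprint $_.Thumbprint }
    }
}
```

Running it a second time with the same thumbprint makes no changes, which is the behaviour a DSC Set-TargetResource needs.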

@X-Guardian X-Guardian added the bug Something isn't working label Apr 17, 2021