X-Guardian / AdfsDsc

DSC resources for deployment and configuration of Active Directory Federation Services
MIT License

AdfsCertificate: TokenSigningCertificates Add-ADFSCertificate missing? #49

Open patrikwm opened 3 years ago

patrikwm commented 3 years ago

Details of the scenario you tried and the problem that is occurring

The problem occurs when configuring a fresh ADFS farm and trying to set the 'Token-Signing' certificate with AdfsCertificate.

I get the error: PS0006: The IsPrimary parameter must be specified when a Token-Encryption or Token-Signing certificate is specified. But the real problem is that the certificate is not added in the first place.

Verbose logs showing the problem

Code="VMExtensionProvisioningError" Message="VM has reported a failure when processing extension 'TestDSC'. Error message: \"DSC Configuration 'CreateRootDomain' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_AdfsCertificate  failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: Error setting 'Token-Signing'. (CERERR002) ---> System.ArgumentException: PS0006: The IsPrimary parameter must be specified when a Token-Encryption or Token-Signing certificate is specified.
   at Microsoft.IdentityServer.Management.Commands.SetCertificateCommand.DoProcessing()
   at Microsoft.IdentityServer.Management.Commands.SetCertificateCommand.EndProcessingOverride()
   --- End of inner exception stack trace ---  PowerShell DSC resource MSFT_AdfsCertificate  failed to execute Set-TargetResource functionality with error message: System.InvalidOperationException: Error setting 'Token-Decrypting'. (CERERR002) ---> System.ArgumentException: PS0006: The IsPrimary parameter must be specified when a Token-Encryption or Token-Signing certificate is specified.
   at Microsoft.IdentityServer.Management.Commands.SetCertificateCommand.DoProcessing()
   at Microsoft.IdentityServer.Management.Commands.SetCertificateCommand.EndProcessingOverride()
   --- End of inner exception stack trace ---  The SendConfigurationApply function did not succeed. LCM failed to start desired state configuration manually.\"

Suggested solution to the issue

Add-AdfsCertificate before setting it.

The following command produces the same error as in DSC.

PS C:\Users\adminuser> Set-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint $thumbprint
Set-AdfsCertificate : PS0006: The IsPrimary parameter must be specified when a Token-Encryption or Token-Signing
certificate is specified.
At line:1 char:1
+ Set-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint "7ED ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-AdfsCertificate], ArgumentException
    + FullyQualifiedErrorId : PS0006,Microsoft.IdentityServer.Management.Commands.SetCertificateCommand

Adding -IsPrimary to the command produces another error.

PS C:\Users\adminuser> Set-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint $thumbprint -IsPrimary
Set-AdfsCertificate : PS0010: You must add the certificate before you can set it to be the primary certificate.
At line:1 char:1
+ Set-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint "7ED ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-AdfsCertificate], ArgumentException
    + FullyQualifiedErrorId : PS0010,Microsoft.IdentityServer.Management.Commands.SetCertificateCommand

After adding the certificate as suggested in PS0010, it is possible to set the certificate to token-signing. So I think this is the part that is missing.

PS C:\Users\adminuser> Add-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint $thumbprint
PS C:\Users\adminuser> Set-AdfsCertificate -CertificateType "Token-Signing" -Thumbprint $thumbprint -IsPrimary

The only place in the code where I can find Add-AdfsCertificate is in AdfsDsc/Tests/Unit/Stubs/AdfsStub.psm1.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

WindowsFeature adfs-federation
{
    Ensure               = "Present"
    Name                 = "adfs-federation"
    IncludeAllSubFeature = $True
    DependsOn            = "[PendingReboot]RebootAfterInstallingAD"
}
ADKDSKey CreateKDSRootKeyInPast
{
    Ensure                   = 'Present'
    EffectiveTime            = '1/1/2021 13:00'
    AllowUnsafeEffectiveTime = $true # Use with caution
}
ADManagedServiceAccount AddADFSGMSA
{
    Ensure                    = 'Present'
    ServiceAccountName        = 'adfs_gmsa'
    AccountType               = 'Group'
    ManagedPasswordPrincipals = 'Domain Controllers'
    DependsOn                 = "[ADKDSKey]CreateKDSRootKeyInPast"
}
AdfsFarm ConfigureADFS
{
    FederationServiceName         = "sts.$ExternalDnsDomain"
    FederationServiceDisplayName  = "$domain dev ADFS Service"
    CertificateThumbprint         = "$thumbprint"
    GroupServiceAccountIdentifier = "$domain\adfs_gmsa$"
    Credential                    = $DomainCreds
}

AdfsProperties ADFSFarmProperties
{
    FederationServiceName         = "sts.$ExternalDnsDomain"
    EnableIdPInitiatedSignonPage  = $True
    AutoCertificateRollover       = $False
    DependsOn                     = "[AdfsFarm]ConfigureADFS"
}

AdfsCertificate TokenSigningCertificates
{
    CertificateType = 'Token-Signing'
    Thumbprint      = "$thumbprint"
    DependsOn       = "[AdfsProperties]ADFSFarmProperties"
}

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.17763.1490
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.1490
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used

1.1.0

X-Guardian commented 3 years ago

Hi @patrikwm, thanks for reporting this. It looks like you are right, and the AdfsCertificate resource doesn't work correctly. I'm happy to review a PR if you want to raise one to fix it?

patrikwm commented 3 years ago

Hi! I would love to do a PR, but I started using DSC about a week ago, so I have no experience in doing code changes in DSC modules at the moment.

When fixing this issue it would be good to have a State = Present/Absent or PurgeSecondaryCertificates = $True/$False property, because the current primary certificate will become a secondary certificate when specifying IsPrimary on a secondary certificate.

This can be done with the Remove-AdfsCertificate command.
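The add-then-set ordering from the first comment (Add-AdfsCertificate before Set-AdfsCertificate -IsPrimary) and the purge of the demoted primary with Remove-AdfsCertificate suggested in the last comment, combined into one idempotent script. This is an added example and not code from the AdfsDsc project or from the issue; the -PurgeSecondaryCertificates switch is hypothetical and only mirrors the property name proposed above. It assumes the ADFS PowerShell module is loaded on a farm node with ADFS administrative rights, that the certificate is already in the LocalMachine\My store, and that AutoCertificateRollover is disabled, as the reproduction configuration in the issue sets it (the ADFS cmdlets refuse manual Token-Signing/Token-Decrypting changes while automatic rollover is on).

```powershell
# Added example, not part of AdfsDsc. Ensures $Thumbprint is the primary
# certificate of the given type, adding it first when it is missing, which is
# the step the issue reports AdfsCertificate currently skips.
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]
    [string]$Thumbprint,

    [ValidateSet('Token-Signing', 'Token-Decrypting')]
    [string]$CertificateType = 'Token-Signing',

    # Hypothetical switch mirroring the PurgeSecondaryCertificates idea from
    # the thread; not an existing AdfsDsc property.
    [switch]$PurgeSecondaryCertificates
)

function Get-TokenCertState {
    # Returns whether $Thumb is registered for $Type, whether it is primary,
    # and which other certificates of that type exist.
    param([string]$Type, [string]$Thumb)
    $certs = @(Get-AdfsCertificate -CertificateType $Type)
    $match = $certs | Where-Object { $_.Thumbprint -eq $Thumb }
    [pscustomobject]@{
        Present   = [bool]$match
        IsPrimary = [bool]($match -and $match.IsPrimary)
        Others    = @($certs | Where-Object { $_.Thumbprint -ne $Thumb })
    }
}

# Manual Token-Signing/Token-Decrypting management requires rollover to be off.
if ((Get-AdfsProperties).AutoCertificateRollover) {
    throw "AutoCertificateRollover is enabled; disable it before managing $CertificateType certificates manually."
}

# Fail early if the certificate is not in the machine store or has no private key;
# the ADFS service account (the gMSA in the issue) must be able to read that key.
$localCert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $localCert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key."
}

$state = Get-TokenCertState -Type $CertificateType -Thumb $Thumbprint

if (-not $state.Present) {
    # Step 1 from the issue: add the certificate, otherwise Set fails with PS0010.
    Add-AdfsCertificate -CertificateType $CertificateType -Thumbprint $Thumbprint
}

if (-not $state.IsPrimary) {
    # Step 2: promote it. The previous primary is demoted to secondary, not removed.
    Set-AdfsCertificate -CertificateType $CertificateType -Thumbprint $Thumbprint -IsPrimary
}

if ($PurgeSecondaryCertificates) {
    # Re-read after the promotion so the demoted primary shows up as "other".
    $state = Get-TokenCertState -Type $CertificateType -Thumb $Thumbprint
    foreach ($old in $state.Others) {
        Remove-AdfsCertificate -CertificateType $CertificateType -Thumbprint $old.Thumbprint
    }
}

# Show the resulting set; exactly one entry should report IsPrimary = True.
Get-AdfsCertificate -CertificateType $CertificateType | Select-Object Thumbprint, IsPrimary
```

Running add, promote and purge in one pass is fine for a fresh farm like the one in the issue, where no relying party has cached the old key yet. On a farm that already serves relying parties, add the new certificate as a secondary first, let the relying parties refresh federation metadata (which publishes both keys), then promote it and purge the old one; removing the demoted certificate before that refresh leaves relying parties validating against a key ADFS no longer publishes.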