
SPTrustedIdentityTokenIssuer: Impossible to use "MetadataEndPoint" parameter


Details of the scenario you tried and the problem that is occurring

I am trying to use MetadataEndPoint because I want SharePoint to extract the certificate, so I don’t have to obtain it manually and specify it in “SigningCertificateFilePath” in the DSC resource.

Verbose logs showing the problem

N/A

Suggested solution to the issue

Implement a parameter set with “MetadataEndPoint”.

The DSC configuration that is used to reproduce the issue (as detailed as possible)

# insert configuration here

The operating system the target node is running

OsName               : Microsoft Windows Server 2019 Datacenter
OsOperatingSystemSKU : DatacenterServerEdition
OsArchitecture       : 64-bit
WindowsVersion       : 1809
WindowsBuildLabEx    : 17763.1.amd64fre.rs5_release.180914-1434
OsLanguage           : en-US
OsMuiLanguages       : {en-US}

Version of SharePoint that is used (e.g. SharePoint 2016)

SharePoint 2019

Version and build of PowerShell the target node is running

Name                           Value
----                           -----
PSVersion                      5.1.17763.316
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.17763.316
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version of the DSC module that was used (‘dev’ if using current dev branch)

3.1

Issue Analytics

  • State: open
  • Created 4 years ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

1 reaction
shurick81 commented, Nov 27, 2019

After using the workaround above for some time, I encountered an issue: an exception when the endpoint contains more than one signing certificate. The only way to fix it was using a Script resource:

# This fragment sits inside a DSC configuration block. It assumes $siteCollectionHostNameCommon
# and $SPInstallAccountCredential are configuration variables, and that SharePointDsc,
# CertificateDsc (CertificateImport) and FileContentDsc (ReplaceText) are imported.
$metadataurl = "https://login.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml"
$fedmd = $null
# Retry until the metadata endpoint answers (note: loops forever if it never does).
Do {
    Try {
        $fedmd = Invoke-WebRequest -Uri $metadataurl -UseBasicParsing
    } Catch {
        $_.Exception.Message
    }
    if ( $fedmd ) {
        Write-Host "$( Get-Date ) Successfully read metadata from $metadataurl"
    } else {
        Write-Host "$( Get-Date ) Could not read metadata from $metadataurl"
        Start-Sleep 5
    }
} until ( $fedmd )
$fedmdXml = New-Object Xml
$fedmdXml.LoadXml($fedmd.Content)
$certCounter = 0
# One File/ReplaceText/CertificateImport trio per signing certificate found in the metadata.
$fedmdXml.EntityDescriptor.RoleDescriptor.KeyDescriptor | Where-Object { $_.use -eq "signing" } | ForEach-Object {
    $base64 = $_.KeyInfo.X509Data.X509Certificate
    # Write the base64 blob to a temp file only to read back the thumbprint at compile time.
    $tempFileName = [guid]::NewGuid().Guid + ".cer"
    $tempFilePath = "$env:TEMP\$tempFileName"
    $base64 | Out-File -FilePath $tempFilePath -Append:$false
    $contosoSigningCertificate = Get-PfxCertificate -FilePath $tempFilePath
    $contosoSigningCertificateThumbprint = $contosoSigningCertificate.Thumbprint
    Write-Host "contosoSigningCertificateThumbprint: $contosoSigningCertificateThumbprint"

    File "contosoSigningCertFile$certCounter"
    {
        Ensure          = "Present"
        Contents        = $base64
        DestinationPath = "c:\certs\adfs-signing-login.contoso.com$certCounter.cer"
    }

    # Rewrites the file as ASCII so the certificate tooling can parse it; the search/replace
    # text is a no-op and only forces the re-encoding.
    ReplaceText "contosoSigningCertFileASCII$certCounter"
    {
        Path        = "c:\certs\adfs-signing-login.contoso.com$certCounter.cer"
        Search      = ' '
        Type        = 'Text'
        Text        = ' '
        Encoding    = "ASCII"
        DependsOn   = "[File]contosoSigningCertFile$certCounter"
    }

    CertificateImport "contosoSigningCertificate$certCounter"
    {
        Thumbprint  = $contosoSigningCertificateThumbprint
        Location    = 'LocalMachine'
        Store       = 'Root'
        Path        = "c:\certs\adfs-signing-login.contoso.com$certCounter.cer"
        DependsOn   = "[ReplaceText]contosoSigningCertFileASCII$certCounter"
    }

    $certCounter++
}

# The script blocks are built with -f, so literal braces are doubled ({{ }}) and {0}
# is the host name placeholder.
Script contosoLoginTrust
{
    SetScript               = ( {
        Invoke-SPDSCCommand -ScriptBlock {{
            Write-Host "Checking issuer contoso-login-00"
            $issuer = Get-SPTrustedIdentityTokenIssuer "contoso-login-00" -ErrorAction Ignore
            if ( !$issuer )
            {{
                Write-Host "Issuer is not found, creating"
                $map1 = New-SPClaimTypeMapping -IncomingClaimType "urn:contoso-claims/lus-group" -IncomingClaimTypeDisplayName "LUS-Group" -SameAsIncoming
                $map2 = New-SPClaimTypeMapping -IncomingClaimType "urn:contoso-claims/userid" -IncomingClaimTypeDisplayName "UserId" -SameAsIncoming
                # Create the issuer with the first certificate, then point it at the metadata
                # endpoint so SharePoint picks up every signing certificate itself.
                New-SPTrustedIdentityTokenIssuer -Name contoso-login-00 -Description "contoso Trusted Login Provider" -Realm https://{0} -ImportTrustCertificate C:\certs\adfs-signing-login.contoso.com0.cer -ClaimsMappings $map1,$map2 -SignInUrl https://login.contoso.com/adfs/ls/ -SignOutUrl https://login.contoso.com/adfs/ls/ -IdentifierClaim urn:contoso-claims/userid | Out-Null
                Set-SPTrustedIdentityTokenIssuer -Identity contoso-login-00 -MetadataEndPoint https://login.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml
            }}
        }}
    } -f @( $siteCollectionHostNameCommon ) )
    TestScript              = ( {
        Invoke-SPDSCCommand -ScriptBlock {{
            Write-Host "Checking issuer contoso-login-00"
            $issuer = Get-SPTrustedIdentityTokenIssuer "contoso-login-00" -ErrorAction Ignore
            Write-Host "Returning result"
            return ( $issuer -ne $null )
        }}
    } -f @( $siteCollectionHostNameCommon ) )
    GetScript               = ( {
        Invoke-SPDSCCommand -ScriptBlock {{
            Add-PSSnapin Microsoft.SharePoint.PowerShell
            $issuer = Get-SPTrustedIdentityTokenIssuer "contoso-login-00" -ErrorAction Ignore
            return $issuer.ToString()
        }}
    } -f @( $siteCollectionHostNameCommon ) )
    PsDscRunAsCredential    = $SPInstallAccountCredential
    # DSC dependency syntax is "[ResourceType]ResourceName".
    DependsOn               = "[File]contosoSigningCertFile0"
}
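The workaround above breaks on metadata that carries more than one signing certificate, and it needs the ReplaceText step because the certificate file is not written as plain ASCII. The following is an added example, not code from the issue or from SharePointDsc: it reads a federation metadata document with namespace-aware XPath, collects every certificate marked use="signing" across all role descriptors, de-duplicates by thumbprint, flags certificates outside their validity period, and optionally writes each as a PEM .cer in ASCII. The function names, the sample metadata and the test certificates are constructed for this example; generating the test certificates assumes .NET Framework 4.7.2 or later (CertificateRequest), which Windows Server 2019 with PowerShell 5.1 provides.

```powershell
# Added example (not from the issue or SharePointDsc): extract signing certificates
# from WS-Federation / SAML metadata, one record per distinct thumbprint.
function Get-FederationSigningCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $MetadataXml,   # raw contents of FederationMetadata.xml
        [string] $OutputDirectory                         # optional: write <thumbprint>.cer here
    )

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($MetadataXml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    # One XPath over the whole document: ADFS lists signing keys under the STS RoleDescriptor
    # and again under IDPSSODescriptor, often the same key twice, which is how "more than one
    # signing certificate" shows up in practice.
    $query = "//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    $seen  = @{}

    foreach ($node in $doc.SelectNodes($query, $ns)) {
        $der  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$der)
        if ($seen.ContainsKey($cert.Thumbprint)) { continue }
        $seen[$cert.Thumbprint] = $true

        # Flag a signing certificate that is expired or not yet valid before anyone trusts it.
        $now = Get-Date
        if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) {
            Write-Warning "Signing certificate $($cert.Thumbprint) is outside its validity period"
        }

        $path = $null
        if ($OutputDirectory) {
            if (-not (Test-Path $OutputDirectory)) { New-Item -ItemType Directory -Path $OutputDirectory | Out-Null }
            $path = Join-Path $OutputDirectory "$($cert.Thumbprint).cer"
            # PEM wrapped at 64 characters, written as ASCII: Out-File in Windows PowerShell 5.1
            # defaults to UTF-16, which is what the ReplaceText step above had to undo.
            $b64   = [Convert]::ToBase64String($cert.RawData)
            $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) { $b64.Substring($i, [Math]::Min(64, $b64.Length - $i)) }
            $pem   = "-----BEGIN CERTIFICATE-----`r`n" + ($lines -join "`r`n") + "`r`n-----END CERTIFICATE-----`r`n"
            [IO.File]::WriteAllText($path, $pem, [Text.Encoding]::ASCII)
        }

        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Path       = $path
        }
    }
}

# --- Constructed demonstration input so the example runs offline. ---
# Two throwaway self-signed certificates stand in for the IdP's signing keys (assumes
# .NET Framework 4.7.2+ for CertificateRequest); nothing is written to a certificate store.
function New-TestSigningCertificate([string] $Subject) {
    $rsa = New-Object System.Security.Cryptography.RSACng -ArgumentList 2048
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        $Subject, $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddYears(1))
}
$certA = New-TestSigningCertificate 'CN=adfs-signing-a.example.test'
$certB = New-TestSigningCertificate 'CN=adfs-signing-b.example.test'
$b64A  = [Convert]::ToBase64String($certA.Export('Cert'))
$b64B  = [Convert]::ToBase64String($certB.Export('Cert'))

# Constructed metadata shaped like an ADFS FederationMetadata.xml: certA appears under two
# roles, certB once as signing and once as encryption. Expected result: two records, A and B.
$sampleMetadata = @"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" entityID="http://login.example.test/adfs/services/trust">
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>$b64A</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>$b64B</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>$b64A</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>$b64B</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"@

$certs = Get-FederationSigningCertificate -MetadataXml $sampleMetadata -OutputDirectory (Join-Path $env:TEMP 'fedmd-demo')
$certs | Format-Table Thumbprint, Subject, NotAfter, Path -AutoSize
```

Against a real endpoint, pass `(Invoke-WebRequest -Uri 'https://login.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' -UseBasicParsing).Content` as `-MetadataXml`; each record's Thumbprint is what a CertificateImport resource needs and its Path is what `-ImportTrustCertificate` needs, so the per-certificate resource loop can be driven from this output instead of from the temp-file round trip. Since the downloaded metadata is what the farm ends up trusting, keep the fetch on HTTPS and review the warnings before importing into the Root store.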
0 reactions
Yvand commented, Apr 25, 2019

Wouldn’t this throw the same JSON error?
