Merge pull request #1307 from ThomasLie/master
MSFT_SPSecurityTokenServiceConfig: Added properties FormsTokenLifetime, WindowsTokenLifetime and LogonTokenCacheExpirationWindow
ykuijs authored Apr 9, 2021
2 parents 3af354e + 9f0d18d commit f48cbec
Showing 4 changed files with 169 additions and 15 deletions.
2 changes: 2 additions & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,8 @@ The format is based on and uses the types of changes according to [Keep a Change
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]
- SPSecurityTokenServiceConfig
- Added support for LogonTokenCacheExpirationWindow, WindowsTokenLifetime and FormsTokenLifetime settings

### Added

Expand Up @@ -32,6 +32,18 @@ function Get-TargetResource
[System.Boolean]
$AllowMetadataOverHttp = $false,

[Parameter()]
[System.UInt32]
$FormsTokenLifetime,

[Parameter()]
[System.UInt32]
$WindowsTokenLifetime,

[Parameter()]
[System.UInt32]
$LogonTokenCacheExpirationWindow,

[Parameter()]
[System.Management.Automation.PSCredential]
$InstallAccount,
Expand All @@ -44,34 +56,72 @@ function Get-TargetResource

Write-Verbose -Message "Getting Security Token Service Configuration"

if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and `
$PSBoundParameters.ContainsKey("WindowsTokenLifetime") -eq $true)
{
if ($PSBoundParameters.LogonTokenCacheExpirationWindow -ge $PSBoundParameters.WindowsTokenLifetime)
{
$message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as WindowsTokenLifetime is not supported. " + `
"Please set LogonTokenCacheExpirationWindow to value lower as WindowsTokenLifetime")
Add-SPDscEvent -Message $message `
-EntryType 'Error' `
-EventID 100 `
-Source $MyInvocation.MyCommand.Source
throw $message
}
}

if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and `
$PSBoundParameters.ContainsKey("FormsTokenLifetime") -eq $true)
{
if ($PSBoundParameters.LogonTokenCacheExpirationWindow -ge $PSBoundParameters.FormsTokenLifetime)
{
$message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as FormsTokenLifetime is not supported. " + `
"Please set LogonTokenCacheExpirationWindow to value lower as FormsTokenLifetime")
Add-SPDscEvent -Message $message `
-EntryType 'Error' `
-EventID 100 `
-Source $MyInvocation.MyCommand.Source
throw $message
}
}

$result = Invoke-SPDscCommand -Credential $InstallAccount `
-Arguments $PSBoundParameters `
-ScriptBlock {
$params = $args[0]

$config = Get-SPSecurityTokenServiceConfig

$nullReturn = @{
IsSingleInstance = "Yes"
Name = $params.Name
NameIdentifier = $params.NameIdentifier
UseSessionCookies = $params.UseSessionCookies
AllowOAuthOverHttp = $params.AllowOAuthOverHttp
AllowMetadataOverHttp = $params.AllowMetadataOverHttp
Ensure = "Absent"
IsSingleInstance = "Yes"
Name = $params.Name
NameIdentifier = $params.NameIdentifier
UseSessionCookies = $params.UseSessionCookies
AllowOAuthOverHttp = $params.AllowOAuthOverHttp
AllowMetadataOverHttp = $params.AllowMetadataOverHttp
FormsTokenLifetime = $params.FormsTokenLifetime
WindowsTokenLifetime = $params.WindowsTokenLifetime
LogonTokenCacheExpirationWindow = $params.LogonTokenCacheExpirationWindow
Ensure = "Absent"
}

if ($null -eq $config)
{
return $nullReturn
}

return @{
IsSingleInstance = "Yes"
Name = $config.Name
NameIdentifier = $config.NameIdentifier
UseSessionCookies = $config.UseSessionCookies
AllowOAuthOverHttp = $config.AllowOAuthOverHttp
AllowMetadataOverHttp = $config.AllowMetadataOverHttp
Ensure = "Present"
IsSingleInstance = "Yes"
Name = $config.Name
NameIdentifier = $config.NameIdentifier
UseSessionCookies = $config.UseSessionCookies
AllowOAuthOverHttp = $config.AllowOAuthOverHttp
AllowMetadataOverHttp = $config.AllowMetadataOverHttp
FormsTokenLifetime = $config.FormsTokenLifetime.TotalMinutes
WindowsTokenLifetime = $config.WindowsTokenLifetime.TotalMinutes
LogonTokenCacheExpirationWindow = $config.LogonTokenCacheExpirationWindow.TotalMinutes
Ensure = "Present"
}
}
return $result
Expand Down Expand Up @@ -107,6 +157,18 @@ function Set-TargetResource
[System.Boolean]
$AllowMetadataOverHttp = $false,

[Parameter()]
[System.UInt32]
$FormsTokenLifetime,

[Parameter()]
[System.UInt32]
$WindowsTokenLifetime,

[Parameter()]
[System.UInt32]
$LogonTokenCacheExpirationWindow,

[Parameter()]
[System.Management.Automation.PSCredential]
$InstallAccount,
Expand All @@ -130,6 +192,36 @@ function Set-TargetResource
throw $message
}

if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and `
$PSBoundParameters.ContainsKey("WindowsTokenLifetime") -eq $true)
{
if ($PSBoundParameters.LogonTokenCacheExpirationWindow -ge $PSBoundParameters.WindowsTokenLifetime)
{
$message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as WindowsTokenLifetime is not supported. " + `
"Please set LogonTokenCacheExpirationWindow to value lower as WindowsTokenLifetime")
Add-SPDscEvent -Message $message `
-EntryType 'Error' `
-EventID 100 `
-Source $MyInvocation.MyCommand.Source
throw $message
}
}

if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and `
$PSBoundParameters.ContainsKey("FormsTokenLifetime") -eq $true)
{
if ($PSBoundParameters.LogonTokenCacheExpirationWindow -ge $PSBoundParameters.FormsTokenLifetime)
{
$message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as FormsTokenLifetime is not supported. " + `
"Please set LogonTokenCacheExpirationWindow to value lower as FormsTokenLifetime")
Add-SPDscEvent -Message $message `
-EntryType 'Error' `
-EventID 100 `
-Source $MyInvocation.MyCommand.Source
throw $message
}
}

Invoke-SPDscCommand -Credential $InstallAccount `
-Arguments $PSBoundParameters `
-ScriptBlock {
Expand Down Expand Up @@ -157,6 +249,43 @@ function Set-TargetResource
$config.AllowMetadataOverHttp = $params.AllowMetadataOverHttp
}

if ($params.ContainsKey("FormsTokenLifetime"))
{
$config.FormsTokenLifetime = (New-TimeSpan -Minutes $params.FormsTokenLifetime)
}

if ($params.ContainsKey("WindowsTokenLifetime"))
{
$config.WindowsTokenLifetime = (New-TimeSpan -Minutes $params.WindowsTokenLifetime)
}

if ($params.ContainsKey("LogonTokenCacheExpirationWindow"))
{
if (-not $params.ContainsKey("WindowsTokenLifetime") -and ($params.LogonTokenCacheExpirationWindow -ge $config.WindowsTokenLifetime.TotalMinutes))
{
$message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as WindowsTokenLifetime is not supported. " + `
"Please set LogonTokenCacheExpirationWindow to value lower as WindowsTokenLifetime")
Add-SPDscEvent -Message $message `
-EntryType 'Error' `
-EventID 100 `
-Source $MyInvocation.MyCommand.Source
throw $message
}

if (-not $params.ContainsKey("FormsTokenLifetime") -and ($params.LogonTokenCacheExpirationWindow -ge $config.FormsTokenLifetime.TotalMinutes))
{
$message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as FormsTokenLifetime is not supported. " + `
"Please set LogonTokenCacheExpirationWindow to value lower as FormsTokenLifetime")
Add-SPDscEvent -Message $message `
-EntryType 'Error' `
-EventID 100 `
-Source $MyInvocation.MyCommand.Source
throw $message
}

$config.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes $params.LogonTokenCacheExpirationWindow)
}

$config.Update()
}
}
Expand Down Expand Up @@ -192,6 +321,18 @@ function Test-TargetResource
[System.Boolean]
$AllowMetadataOverHttp = $false,

[Parameter()]
[System.UInt32]
$FormsTokenLifetime,

[Parameter()]
[System.UInt32]
$WindowsTokenLifetime,

[Parameter()]
[System.UInt32]
$LogonTokenCacheExpirationWindow,

[Parameter()]
[System.Management.Automation.PSCredential]
$InstallAccount,
Expand All @@ -218,7 +359,10 @@ function Test-TargetResource
"NameIdentifier",
"UseSessionCookies",
"AllowOAuthOverHttp",
"AllowMetadataOverHttp")
"AllowMetadataOverHttp",
"FormsTokenLifetime",
"WindowsTokenLifetime",
"LogonTokenCacheExpirationWindow")

Write-Verbose -Message "Test-TargetResource returned $result"
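Review bot: The validation inside the Invoke-SPDscCommand script block (the `if ($params.ContainsKey("LogonTokenCacheExpirationWindow"))` branch) only runs when LogonTokenCacheExpirationWindow itself is passed, and the outer checks in Set-TargetResource only fire when both members of a pair are passed. Passing only WindowsTokenLifetime or FormsTokenLifetime with a value at or below the farm's current LogonTokenCacheExpirationWindow is therefore assigned and persisted by `$config.Update()` unchecked, which is the very "context has expired" configuration the change sets out to prevent, and it silently changes how long issued logon tokens stay valid relative to the cache window. Resolving each setting to its effective value (the parameter when passed, otherwise the current `$config` value) and validating all three before any assignment covers every combination, as sketched below. Separately, Get-TargetResource returns `.TotalMinutes` (a Double) for a UInt32 parameter, so a farm value that is not a whole number of minutes would presumably never compare equal in Test-TargetResource; rounding, or documenting the whole-minute assumption, would avoid a permanently non-compliant resource. Set-TargetResource begins and ends outside this hunk.
```powershell
# … unchanged: AllowMetadataOverHttp handling …

# Effective value of each setting: the parameter when passed, otherwise the farm's
# current value, so the relation is validated for every combination of parameters.
$formsLifetime = if ($params.ContainsKey("FormsTokenLifetime")) { $params.FormsTokenLifetime } else { $config.FormsTokenLifetime.TotalMinutes }
$windowsLifetime = if ($params.ContainsKey("WindowsTokenLifetime")) { $params.WindowsTokenLifetime } else { $config.WindowsTokenLifetime.TotalMinutes }
$cacheWindow = if ($params.ContainsKey("LogonTokenCacheExpirationWindow")) { $params.LogonTokenCacheExpirationWindow } else { $config.LogonTokenCacheExpirationWindow.TotalMinutes }

if ($cacheWindow -ge $windowsLifetime)
{
    $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as WindowsTokenLifetime is not supported. " + `
            "Please set LogonTokenCacheExpirationWindow to value lower as WindowsTokenLifetime")
    Add-SPDscEvent -Message $message -EntryType 'Error' -EventID 100 -Source $MyInvocation.MyCommand.Source
    throw $message
}

if ($cacheWindow -ge $formsLifetime)
{
    $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as FormsTokenLifetime is not supported. " + `
            "Please set LogonTokenCacheExpirationWindow to value lower as FormsTokenLifetime")
    Add-SPDscEvent -Message $message -EntryType 'Error' -EventID 100 -Source $MyInvocation.MyCommand.Source
    throw $message
}

# … unchanged: the three New-TimeSpan assignments (now without inline checks), then $config.Update() …
```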

Expand Up @@ -7,6 +7,9 @@ class MSFT_SPSecurityTokenServiceConfig : OMI_BaseResource
[Write, Description("True set the security token service to use cookies")] Boolean UseSessionCookies;
[Write, Description("True set the security token service to allow OAuth over HTTP")] Boolean AllowOAuthOverHttp;
[Write, Description("True set the security token service to allow metadata exchange over HTTP")] Boolean AllowMetadataOverHttp;
[Write, Description("Timespan in minutes to set FormsTokenLifetime")] UInt32 FormsTokenLifetime;
[Write, Description("Timespan in minutes to set WindowsTokenLifetime")] UInt32 WindowsTokenLifetime;
[Write, Description("Timespan in minutes to set LogonTokenCacheExpirationWindow")] UInt32 LogonTokenCacheExpirationWindow;
[Write, Description("Present ensures the configurations are applied"), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
[Write, Description("POWERSHELL 4 ONLY: The account to run this resource as, use PsDscRunAsCredential if using PowerShell 5"), EmbeddedInstance("MSFT_Credential")] String InstallAccount;
};
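Review bot: The three new property descriptions state the unit but not the constraint the resource enforces, so someone reading the schema cannot tell which combination makes Set-TargetResource throw; stating it at the declaration, e.g. `[Write, Description("Timespan in minutes to set LogonTokenCacheExpirationWindow. Must be lower than both FormsTokenLifetime and WindowsTokenLifetime")] UInt32 LogonTokenCacheExpirationWindow;`, would make the contract visible where the parameter is defined. The readme added in this commit says the opposite of the code — that LogonTokenCacheExpirationWindow "must be higher than" the two lifetimes — while the implementation throws when it is greater than or equal to either, so that sentence should read "must be lower than" to match. Since these values presumably control how long issued logon tokens remain valid and cached, a short remark that raising the lifetimes extends the token validity window would help operators weigh the change.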
Expand Up @@ -6,3 +6,8 @@
This resource is responsible for configuring the Security Token Service within
the local SharePoint farm. Using Ensure equals to Absent is not supported.
This resource can only apply configuration, not ensure they don't exist.

This resource is also able to set the properties FormsTokenLifetime, WindowsTokenLifetime and LogonTokenCacheExpirationWindow.
It checks for values leading to "The context has expired and can no longer be used." errors.
The value for LogonTokenCacheExpirationWindow must be higher than the values for FormsTokenLifetime and WindowsTokenLifetime,
it will return an error if not.
