diff --git a/CHANGELOG.md b/CHANGELOG.md index 04c412617..ca6fa0242 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ The format is based on and uses the types of changes according to [Keep a Change and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] +- SPSecurityTokenServiceConfig + - Added support for LogonTokenCacheExpirationWindow, WindowsTokenLifetime and FormsTokenLifetime settings ### Added diff --git a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 index 64c4c2af9..ab9ebe887 100644 --- a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 +++ b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 @@ -32,6 +32,18 @@ function Get-TargetResource [System.Boolean] $AllowMetadataOverHttp = $false, + [Parameter()] + [System.UInt32] + $FormsTokenLifetime, + + [Parameter()] + [System.UInt32] + $WindowsTokenLifetime, + + [Parameter()] + [System.UInt32] + $LogonTokenCacheExpirationWindow, + [Parameter()] [System.Management.Automation.PSCredential] $InstallAccount, 
@@ -44,34 +56,72 @@ function Get-TargetResource Write-Verbose -Message "Getting Security Token Service Configuration" + if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and ` + $PSBoundParameters.ContainsKey("WindowsTokenLifetime") -eq $true) + { + if ($PSBoundParameters.LogonTokenCacheExpirationWindow -ge $PSBoundParameters.WindowsTokenLifetime) + { + $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as WindowsTokenLifetime is not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value lower as WindowsTokenLifetime") + Add-SPDscEvent -Message $message ` + -EntryType 'Error' ` + -EventID 100 ` + -Source $MyInvocation.MyCommand.Source + throw $message + } + } + + if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and ` + $PSBoundParameters.ContainsKey("FormsTokenLifetime") -eq $true) + { + if ($PSBoundParameters.LogonTokenCacheExpirationWindow -ge $PSBoundParameters.FormsTokenLifetime) + { + $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as FormsTokenLifetime is not supported. 
" + ` + "Please set LogonTokenCacheExpirationWindow to value lower as FormsTokenLifetime") + Add-SPDscEvent -Message $message ` + -EntryType 'Error' ` + -EventID 100 ` + -Source $MyInvocation.MyCommand.Source + throw $message + } + } + $result = Invoke-SPDscCommand -Credential $InstallAccount ` -Arguments $PSBoundParameters ` -ScriptBlock { $params = $args[0] $config = Get-SPSecurityTokenServiceConfig + $nullReturn = @{ - IsSingleInstance = "Yes" - Name = $params.Name - NameIdentifier = $params.NameIdentifier - UseSessionCookies = $params.UseSessionCookies - AllowOAuthOverHttp = $params.AllowOAuthOverHttp - AllowMetadataOverHttp = $params.AllowMetadataOverHttp - Ensure = "Absent" + IsSingleInstance = "Yes" + Name = $params.Name + NameIdentifier = $params.NameIdentifier + UseSessionCookies = $params.UseSessionCookies + AllowOAuthOverHttp = $params.AllowOAuthOverHttp + AllowMetadataOverHttp = $params.AllowMetadataOverHttp + FormsTokenLifetime = $params.FormsTokenLifetime + WindowsTokenLifetime = $params.WindowsTokenLifetime + LogonTokenCacheExpirationWindow = $params.LogonTokenCacheExpirationWindow + Ensure = "Absent" } + if ($null -eq $config) { return $nullReturn } return @{ - IsSingleInstance = "Yes" - Name = $config.Name - NameIdentifier = $config.NameIdentifier - UseSessionCookies = $config.UseSessionCookies - AllowOAuthOverHttp = $config.AllowOAuthOverHttp - AllowMetadataOverHttp = $config.AllowMetadataOverHttp - Ensure = "Present" + IsSingleInstance = "Yes" + Name = $config.Name + NameIdentifier = $config.NameIdentifier + UseSessionCookies = $config.UseSessionCookies + AllowOAuthOverHttp = $config.AllowOAuthOverHttp + AllowMetadataOverHttp = $config.AllowMetadataOverHttp + FormsTokenLifetime = $config.FormsTokenLifetime.TotalMinutes + WindowsTokenLifetime = $config.WindowsTokenLifetime.TotalMinutes + LogonTokenCacheExpirationWindow = $config.LogonTokenCacheExpirationWindow.TotalMinutes + Ensure = "Present" } } return $result 
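Review bot: The `Present` hashtable at the end of this hunk returns `$config.FormsTokenLifetime.TotalMinutes` (and the two sibling properties) as a [Double], while the parameters and the MOF declare UInt32, so the values-to-check comparison in Test-TargetResource (the @@ -218,7 hunk) receives mixed types for these three keys and a TimeSpan that is not a whole number of minutes can never match the desired value. Casting at the source, `FormsTokenLifetime = [System.UInt32]$config.FormsTokenLifetime.TotalMinutes` (likewise for WindowsTokenLifetime and LogonTokenCacheExpirationWindow), keeps Get's output in the declared type; whether the comparison helper tolerates the Double/UInt32 mismatch is not visible here, so this deserves a test with a sub-minute TimeSpan rather than an assumption. The two parameter-validation blocks at the top of this hunk are repeated verbatim in Set-TargetResource (@@ -130,6 +192,36), so a single private helper taking the bound parameters (name to be chosen) would keep the message text and the `-ge` rule from drifting apart. Get-TargetResource's body starts before this hunk.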
@@ -107,6 +157,18 @@ function Set-TargetResource [System.Boolean] $AllowMetadataOverHttp = $false, + [Parameter()] + [System.UInt32] + $FormsTokenLifetime, + + [Parameter()] + [System.UInt32] + $WindowsTokenLifetime, + + [Parameter()] + [System.UInt32] + $LogonTokenCacheExpirationWindow, + [Parameter()] [System.Management.Automation.PSCredential] $InstallAccount, @@ -130,6 +192,36 @@ function Set-TargetResource throw $message } + if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and ` + $PSBoundParameters.ContainsKey("WindowsTokenLifetime") -eq $true) + { + if ($PSBoundParameters.LogonTokenCacheExpirationWindow -ge $PSBoundParameters.WindowsTokenLifetime) + { + $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as WindowsTokenLifetime is not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value lower as WindowsTokenLifetime") + Add-SPDscEvent -Message $message ` + -EntryType 'Error' ` + -EventID 100 ` + -Source $MyInvocation.MyCommand.Source + throw $message + } + } + + if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and ` + $PSBoundParameters.ContainsKey("FormsTokenLifetime") -eq $true) + { + if ($PSBoundParameters.LogonTokenCacheExpirationWindow -ge $PSBoundParameters.FormsTokenLifetime) + { + $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as FormsTokenLifetime is not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value lower as FormsTokenLifetime") + Add-SPDscEvent -Message $message ` + -EntryType 'Error' ` + -EventID 100 ` + -Source $MyInvocation.MyCommand.Source + throw $message + } + } + Invoke-SPDscCommand -Credential $InstallAccount ` -Arguments $PSBoundParameters ` -ScriptBlock { 
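Review bot: The readme text added in this same commit states that LogonTokenCacheExpirationWindow "must be higher than" FormsTokenLifetime and WindowsTokenLifetime, whereas the `-ge` guards and the messages in this hunk reject exactly that and require it to be lower; the guard matches the intent the message expresses, so it is the readme sentence that should read "lower than". The message wording itself is hard to parse ("higher or equal as", "lower as"); `"Setting LogonTokenCacheExpirationWindow to a value higher than or equal to WindowsTokenLifetime is not supported. " + `` followed by `"Please set LogonTokenCacheExpirationWindow to a value lower than WindowsTokenLifetime"` reads cleanly, and the same applies to the FormsTokenLifetime message here and to both messages in Get-TargetResource. The `-eq $true` appended to each `ContainsKey` call is redundant, since ContainsKey already yields a [bool]. Set-TargetResource's body continues past this hunk.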
@@ -157,6 +249,43 @@ function Set-TargetResource $config.AllowMetadataOverHttp = $params.AllowMetadataOverHttp } + if ($params.ContainsKey("FormsTokenLifetime")) + { + $config.FormsTokenLifetime = (New-TimeSpan -Minutes $params.FormsTokenLifetime) + } + + if ($params.ContainsKey("WindowsTokenLifetime")) + { + $config.WindowsTokenLifetime = (New-TimeSpan -Minutes $params.WindowsTokenLifetime) + } + + if ($params.ContainsKey("LogonTokenCacheExpirationWindow")) + { + if (-not $params.ContainsKey("WindowsTokenLifetime") -and ($params.LogonTokenCacheExpirationWindow -ge $config.WindowsTokenLifetime.TotalMinutes)) + { + $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as WindowsTokenLifetime is not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value lower as WindowsTokenLifetime") + Add-SPDscEvent -Message $message ` + -EntryType 'Error' ` + -EventID 100 ` + -Source $MyInvocation.MyCommand.Source + throw $message + } + + if (-not $params.ContainsKey("FormsTokenLifetime") -and ($params.LogonTokenCacheExpirationWindow -ge $config.FormsTokenLifetime.TotalMinutes)) + { + $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as FormsTokenLifetime is not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value lower as FormsTokenLifetime") + Add-SPDscEvent -Message $message ` + -EntryType 'Error' ` + -EventID 100 ` + -Source $MyInvocation.MyCommand.Source + throw $message + } + + $config.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes $params.LogonTokenCacheExpirationWindow) + } + $config.Update() } } @@ -192,6 +321,18 @@ function Test-TargetResource [System.Boolean] $AllowMetadataOverHttp = $false, + [Parameter()] + [System.UInt32] + $FormsTokenLifetime, + + [Parameter()] + [System.UInt32] + $WindowsTokenLifetime, + + [Parameter()] + [System.UInt32] + $LogonTokenCacheExpirationWindow, + [Parameter()] [System.Management.Automation.PSCredential] $InstallAccount, 
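Review bot: The cross-check only runs when LogonTokenCacheExpirationWindow is bound, so a configuration that lowers FormsTokenLifetime or WindowsTokenLifetime alone can set it at or below the farm's current `$config.LogonTokenCacheExpirationWindow`, which is the state the readme says leads to "The context has expired" errors. The same relation should be verified against the current cache window before each of the two lifetime assignments at the top of this hunk; the FormsTokenLifetime case is sketched below and WindowsTokenLifetime follows the same shape. Note also that [System.UInt32] admits 0, which New-TimeSpan turns into a zero lifetime, and whether SharePoint rejects that itself is not visible here. Set-TargetResource's script block starts before this hunk.
```powershell
if ($params.ContainsKey("FormsTokenLifetime"))
{
    if (-not $params.ContainsKey("LogonTokenCacheExpirationWindow") -and `
        ($config.LogonTokenCacheExpirationWindow.TotalMinutes -ge $params.FormsTokenLifetime))
    {
        $message = ("Setting FormsTokenLifetime to a value lower than or equal to the current LogonTokenCacheExpirationWindow is not supported. " + `
                "Please set LogonTokenCacheExpirationWindow to a value lower than FormsTokenLifetime")
        Add-SPDscEvent -Message $message `
            -EntryType 'Error' `
            -EventID 100 `
            -Source $MyInvocation.MyCommand.Source
        throw $message
    }
    $config.FormsTokenLifetime = (New-TimeSpan -Minutes $params.FormsTokenLifetime)
}
# ... unchanged: same guard for WindowsTokenLifetime, LogonTokenCacheExpirationWindow block, $config.Update() ...
```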
@@ -218,7 +359,10 @@ function Test-TargetResource "NameIdentifier", "UseSessionCookies", "AllowOAuthOverHttp", - "AllowMetadataOverHttp") + "AllowMetadataOverHttp", + "FormsTokenLifetime", + "WindowsTokenLifetime", + "LogonTokenCacheExpirationWindow") Write-Verbose -Message "Test-TargetResource returned $result" diff --git a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.schema.mof b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.schema.mof index 0135aec3f..8dac9329c 100644 --- a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.schema.mof +++ b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.schema.mof @@ -7,6 +7,9 @@ class MSFT_SPSecurityTokenServiceConfig : OMI_BaseResource [Write, Description("True set the security token service to use cookies")] Boolean UseSessionCookies; [Write, Description("True set the security token service to allow OAuth over HTTP")] Boolean AllowOAuthOverHttp; [Write, Description("True set the security token service to allow metadata exchange over HTTP")] Boolean AllowMetadataOverHttp; + [Write, Description("Timespan in minutes to set FormsTokenLifetime")] UInt32 FormsTokenLifetime; + [Write, Description("Timespan in minutes to set WindowsTokenLifetime")] UInt32 WindowsTokenLifetime; + [Write, Description("Timespan in minutes to set LogonTokenCacheExpirationWindow")] UInt32 LogonTokenCacheExpirationWindow; [Write, Description("Present ensures the configurations are applied"), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure; [Write, Description("POWERSHELL 4 ONLY: The account to run this resource as, use PsDscRunAsCredential if using PowerShell 5"), EmbeddedInstance("MSFT_Credential")] String InstallAccount; }; 
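Review bot: The three new Description strings say "Timespan in minutes to set X", which names the unit but neither what the setting governs nor the relation the module now enforces, and the schema description is what surfaces in the generated resource documentation. Stating the rule there, e.g. `[Write, Description("Lifetime in minutes for forms authentication tokens (FormsTokenLifetime); must be higher than LogonTokenCacheExpirationWindow")] UInt32 FormsTokenLifetime;` and `[Write, Description("Expiration window in minutes for the logon token cache; must be lower than FormsTokenLifetime and WindowsTokenLifetime")] UInt32 LogonTokenCacheExpirationWindow;`, lets a user see the constraint before the resource throws. The WindowsTokenLifetime line should mirror the FormsTokenLifetime wording.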
diff --git a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/readme.md b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/readme.md index 7ddf7d442..026c4c651 100644 --- a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/readme.md +++ b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/readme.md @@ -6,3 +6,8 @@ This resource is responsible for configuring the Security Token Service within the local SharePoint farm. Using Ensure equals to Absent is not supported. This resource can only apply configuration, not ensure they don't exist. + +This resource is also able to set the properties FormsTokenLifetime, WindowsTokenLifetime and LogonTokenCacheExpirationWindow. +It checks for values leading to "The context has expired and can no longer be used." errors. +The value for LogonTokenCacheExpirationWindow must be higher than the values for FormsTokenLifetime and WindowsTokenLifetime, +it will return an error if not.