From 799a20bca084df560d37b6887e2a979b682b642c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Lieft=C3=BCchter?= Date: Wed, 7 Apr 2021 10:08:25 +0200 Subject: [PATCH 1/4] Updated MSFT_SPSecurityTokenServiceConfig files --- .../MSFT_SPSecurityTokenServiceConfig.psm1 | 124 +++++++++++++++--- ...FT_SPSecurityTokenServiceConfig.schema.mof | 3 + .../readme.md | 5 + 3 files changed, 117 insertions(+), 15 deletions(-) diff --git a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 index 64c4c2af9..5ab742323 100644 --- a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 +++ b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 @@ -32,6 +32,18 @@ function Get-TargetResource [System.Boolean] $AllowMetadataOverHttp = $false, + [Parameter()] + [System.Int32] + $FormsTokenLifetime, + + [Parameter()] + [System.Int32] + $WindowsTokenLifetime, + + [Parameter()] + [System.Int32] + $LogonTokenCacheExpirationWindow, + [Parameter()] [System.Management.Automation.PSCredential] $InstallAccount, 
@@ -50,14 +62,37 @@ function Get-TargetResource $params = $args[0] $config = Get-SPSecurityTokenServiceConfig + + if ($null -ne $config) + { + # Converting timespan values back to int32 + [Int32]$FormsTokenLifetime = $config.FormsTokenLifetime + [Int32]$WindowsTokenLifetime = $config.WindowsTokenLifetime + [Int32]$LogonTokenCacheExpirationWindow = $config.LogonTokenCacheExpirationWindow + + if ( ($params.LogonTokenCacheExpirationWindow -le $FormsTokenLifetime) -or ($params.LogonTokenCacheExpirationWindow -le $WindowsTokenLifetime) ) + { + $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as WindowsTokenLifetime or FormsTokenLifetime ist not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value higher than WindowsTokenLifetime and FormsTokenLifetime") + Add-SPDscEvent -Message $message ` + -EntryType 'Error' ` + -EventID 100 ` + -Source $MyInvocation.MyCommand.Source + throw $message + } + } + $nullReturn = @{ - IsSingleInstance = "Yes" - Name = $params.Name - NameIdentifier = $params.NameIdentifier - UseSessionCookies = $params.UseSessionCookies - AllowOAuthOverHttp = $params.AllowOAuthOverHttp - AllowMetadataOverHttp = $params.AllowMetadataOverHttp - Ensure = "Absent" + IsSingleInstance = "Yes" + Name = $params.Name + NameIdentifier = $params.NameIdentifier + UseSessionCookies = $params.UseSessionCookies + AllowOAuthOverHttp = $params.AllowOAuthOverHttp + AllowMetadataOverHttp = $params.AllowMetadataOverHttp + FormsTokenLifetime = $params.FormsTokenLifetime + WindowsTokenLifetime = $params.WindowsTokenLifetime + LogonTokenCacheExpirationWindow = $params.LogonTokenCacheExpirationWindow + Ensure = "Absent" } if ($null -eq $config) { 
@@ -65,13 +100,16 @@ function Get-TargetResource } return @{ - IsSingleInstance = "Yes" - Name = $config.Name - NameIdentifier = $config.NameIdentifier - UseSessionCookies = $config.UseSessionCookies - AllowOAuthOverHttp = $config.AllowOAuthOverHttp - AllowMetadataOverHttp = $config.AllowMetadataOverHttp - Ensure = "Present" + IsSingleInstance = "Yes" + Name = $config.Name + NameIdentifier = $config.NameIdentifier + UseSessionCookies = $config.UseSessionCookies + AllowOAuthOverHttp = $config.AllowOAuthOverHttp + AllowMetadataOverHttp = $config.AllowMetadataOverHttp + FormsTokenLifetime = $FormsTokenLifetime + WindowsTokenLifetime = $WindowsTokenLifetime + LogonTokenCacheExpirationWindow = $LogonTokenCacheExpirationWindow + Ensure = "Present" } } return $result @@ -107,6 +145,18 @@ function Set-TargetResource [System.Boolean] $AllowMetadataOverHttp = $false, + [Parameter()] + [System.Int32] + $FormsTokenLifetime, + + [Parameter()] + [System.Int32] + $WindowsTokenLifetime, + + [Parameter()] + [System.Int32] + $LogonTokenCacheExpirationWindow, + [Parameter()] [System.Management.Automation.PSCredential] $InstallAccount, 
@@ -157,6 +207,35 @@ function Set-TargetResource $config.AllowMetadataOverHttp = $params.AllowMetadataOverHttp } + if ($params.ContainsKey("FormsTokenLifetime")) + { + $config.FormsTokenLifetime = (New-TimeSpan -Minutes $params.FormsTokenLifetime) + } + + if ($params.ContainsKey("WindowsTokenLifetime")) + { + $config.WindowsTokenLifetime = (New-TimeSpan -Minutes $params.WindowsTokenLifetime) + } + + if ($params.ContainsKey("LogonTokenCacheExpirationWindow")) + { + if ($params.ContainsKey("WindowsTokenLifetime") -or $params.ContainsKey("FormsTokenLifetime")) + { + if ( ($params.LogonTokenCacheExpirationWindow -le $params.WindowsTokenLifetime) -or ($params.LogonTokenCacheExpirationWindow -le $params.FormsTokenLifetime) ) + { + $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as WindowsTokenLifetime or FormsTokenLifetime ist not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value higher than WindowsTokenLifetime and FormsTokenLifetime") + Add-SPDscEvent -Message $message ` + -EntryType 'Error' ` + -EventID 100 ` + -Source $MyInvocation.MyCommand.Source + throw $message + } + } + + $config.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes $params.LogonTokenCacheExpirationWindow) + } + $config.Update() } } @@ -192,6 +271,18 @@ function Test-TargetResource [System.Boolean] $AllowMetadataOverHttp = $false, + [Parameter()] + [System.Int32] + $FormsTokenLifetime, + + [Parameter()] + [System.Int32] + $WindowsTokenLifetime, + + [Parameter()] + [System.Int32] + $LogonTokenCacheExpirationWindow, + [Parameter()] [System.Management.Automation.PSCredential] $InstallAccount, @@ -218,7 +309,10 @@ function Test-TargetResource "NameIdentifier", "UseSessionCookies", "AllowOAuthOverHttp", - "AllowMetadataOverHttp") + "AllowMetadataOverHttp", + "FormsTokenLifetime", + "WindowsTokenLifetime", + "LogonTokenCacheExpirationWindow") Write-Verbose -Message "Test-TargetResource returned $result" 
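Review bot: The comparison inside the new `if ($params.ContainsKey("LogonTokenCacheExpirationWindow"))` block only runs when the cache window itself is part of the desired state, so a configuration that supplies only WindowsTokenLifetime or FormsTokenLifetime can still write a lifetime that violates the relationship with the farm's existing LogonTokenCacheExpirationWindow, the very condition the readme in this series ties to "The context has expired" errors. The reworked checks in patch 2 (@@ -219,18 +274,26) and patch 3 (@@ -274,10 +261,10 and @@ -285,10 +272,10) keep the same gate, so the gap survives to the end of the series. A mirrored check is needed before `$config.Update()`: when a lifetime is supplied without the window, compare it against `$config.LogonTokenCacheExpirationWindow.TotalMinutes` and raise the same Add-SPDscEvent/throw pair, using the direction patch 3 settles on (window must stay below both lifetimes). Set-TargetResource's script block starts outside this hunk; the sketch below shows the WindowsTokenLifetime half, FormsTokenLifetime follows the same shape.
```powershell
if ($params.ContainsKey("WindowsTokenLifetime") -and -not $params.ContainsKey("LogonTokenCacheExpirationWindow"))
{
    if ($params.WindowsTokenLifetime -le $config.LogonTokenCacheExpirationWindow.TotalMinutes)
    {
        $message = ("Setting WindowsTokenLifetime to a value lower than or equal to the current LogonTokenCacheExpirationWindow is not supported. " + `
                "Please set WindowsTokenLifetime to a value higher than LogonTokenCacheExpirationWindow")
        Add-SPDscEvent -Message $message `
            -EntryType 'Error' `
            -EventID 100 `
            -Source $MyInvocation.MyCommand.Source
        throw $message
    }
}
# … unchanged: FormsTokenLifetime mirror of the block above, the three New-TimeSpan assignments and the existing LogonTokenCacheExpirationWindow block …
$config.Update()
```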
diff --git a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.schema.mof b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.schema.mof
index 0135aec3f..c30438567 100644
--- a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.schema.mof
+++ b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.schema.mof
@@ -7,6 +7,9 @@ class MSFT_SPSecurityTokenServiceConfig : OMI_BaseResource
 [Write, Description("True set the security token service to use cookies")] Boolean UseSessionCookies;
 [Write, Description("True set the security token service to allow OAuth over HTTP")] Boolean AllowOAuthOverHttp;
 [Write, Description("True set the security token service to allow metadata exchange over HTTP")] Boolean AllowMetadataOverHttp;
+ [Write, Description("Timespan in minutes to set FormsTokenLifetime")] Int32 FormsTokenLifetime;
+ [Write, Description("Timespan in minutes to set WindowsTokenLifetime")] Int32 WindowsTokenLifetime;
+ [Write, Description("Timespan in minutes to set LogonTokenCacheExpirationWindow")] Int32 LogonTokenCacheExpirationWindow;
 [Write, Description("Present ensures the configurations are applied"), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
 [Write, Description("POWERSHELL 4 ONLY: The account to run this resource as, use PsDscRunAsCredential if using PowerShell 5"), EmbeddedInstance("MSFT_Credential")] String InstallAccount;
 };
diff --git a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/readme.md b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/readme.md
index 7ddf7d442..173a0691a 100644
--- a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/readme.md
+++ b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/readme.md
@@ -6,3 +6,8 @@ This resource is responsible for configuring the Security Token Service within the local SharePoint farm. Using Ensure equals to Absent is not supported. This resource can only apply configuration, not ensure they don't exist. + +This resource is also able to set the properties FormsTokenLifetime, WindowsTokenLifetime and LogonTokenCacheExpirationWindow. +It checks for values leading to “The context has expired and can no longer be used.” errors. +The value for LogonTokenCacheExpirationWindow must be higher than the values for FormsTokenLifetime and WindowsTokenLifetime, +it will return an error if not. From a9e800a38b39a70635e96c2214083e90bd1f2d3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Lieft=C3=BCchter?= Date: Thu, 8 Apr 2021 11:20:42 +0200 Subject: [PATCH 2/4] Fixed checks and new prameter types in MSFT_SPSecurityTokenServiceConfig --- CHANGELOG.md | 2 + .../MSFT_SPSecurityTokenServiceConfig.psm1 | 121 +++++++++++++----- ...FT_SPSecurityTokenServiceConfig.schema.mof | 6 +- .../readme.md | 2 +- 4 files changed, 98 insertions(+), 33 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3a5b9d4b8..2c63f3f90 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,8 @@ The format is based on and uses the types of changes according to [Keep a Change and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). ## [Unreleased] +- SPSecurityTokenServiceConfig + - Added support for LogonTokenCacheExpirationWindow, WindowsTokenLifetime and FormsTokenLifetime settings ## [4.6.0] - 2021-04-02 diff --git a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 index 5ab742323..4b9c3d115 100644 --- a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 
+++ b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 @@ -33,15 +33,15 @@ function Get-TargetResource $AllowMetadataOverHttp = $false, [Parameter()] - [System.Int32] + [System.UInt32] $FormsTokenLifetime, [Parameter()] - [System.Int32] + [System.UInt32] $WindowsTokenLifetime, [Parameter()] - [System.Int32] + [System.UInt32] $LogonTokenCacheExpirationWindow, [Parameter()] @@ -54,6 +54,36 @@ function Get-TargetResource $Ensure = "Present" ) + if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and ` + $PSBoundParameters.ContainsKey("WindowsTokenLifetime") -eq $true) + { + if ($PSBoundParameters.LogonTokenCacheExpirationWindow -le $PSBoundParameters.WindowsTokenLifetime) + { + $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as WindowsTokenLifetime ist not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value higher than WindowsTokenLifetime") + Add-SPDscEvent -Message $message ` + -EntryType 'Error' ` + -EventID 100 ` + -Source $MyInvocation.MyCommand.Source + throw $message + } + } + + if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and ` + $PSBoundParameters.ContainsKey("FormsTokenLifetime") -eq $true) + { + if ($PSBoundParameters.LogonTokenCacheExpirationWindow -le $PSBoundParameters.FormsTokenLifetime) + { + $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as FormsTokenLifetime ist not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value higher than FormsTokenLifetime") + Add-SPDscEvent -Message $message ` + -EntryType 'Error' ` + -EventID 100 ` + -Source $MyInvocation.MyCommand.Source + throw $message + } + } + Write-Verbose -Message "Getting Security Token Service Configuration" $result = Invoke-SPDscCommand -Credential $InstallAccount ` 
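Review bot: The two validation blocks added between the param block and the Write-Verbose call are copies of each other that differ only in the lifetime name, and the Set-TargetResource hunk of this commit (@@ -180,6 +205,36) repeats both again, so four near-identical 15-line blocks with hand-maintained messages now exist. A private helper taking the bound-parameter hashtable and the lifetime parameter name would reduce each function to two calls and keep the message text and the comparison operator in one place, which matters given that the operator is revised twice later in this series. Independently, `-eq $true` on ContainsKey is redundant because it already returns a Boolean: `if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -and $PSBoundParameters.ContainsKey("WindowsTokenLifetime"))`. Get-TargetResource's param block and body continue outside this hunk.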
@@ -65,12 +95,7 @@ function Get-TargetResource if ($null -ne $config) { - # Converting timespan values back to int32 - [Int32]$FormsTokenLifetime = $config.FormsTokenLifetime - [Int32]$WindowsTokenLifetime = $config.WindowsTokenLifetime - [Int32]$LogonTokenCacheExpirationWindow = $config.LogonTokenCacheExpirationWindow - - if ( ($params.LogonTokenCacheExpirationWindow -le $FormsTokenLifetime) -or ($params.LogonTokenCacheExpirationWindow -le $WindowsTokenLifetime) ) + if ( ($params.LogonTokenCacheExpirationWindow -le $config.FormsTokenLifetime.TotalMinutes) -or ($params.LogonTokenCacheExpirationWindow -le $config.WindowsTokenLifetime.TotalMinutes) ) { $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as WindowsTokenLifetime or FormsTokenLifetime ist not supported. " + ` "Please set LogonTokenCacheExpirationWindow to value higher than WindowsTokenLifetime and FormsTokenLifetime") @@ -106,9 +131,9 @@ function Get-TargetResource UseSessionCookies = $config.UseSessionCookies AllowOAuthOverHttp = $config.AllowOAuthOverHttp AllowMetadataOverHttp = $config.AllowMetadataOverHttp - FormsTokenLifetime = $FormsTokenLifetime - WindowsTokenLifetime = $WindowsTokenLifetime - LogonTokenCacheExpirationWindow = $LogonTokenCacheExpirationWindow + FormsTokenLifetime = $config.FormsTokenLifetime.TotalMinutes + WindowsTokenLifetime = $config.WindowsTokenLifetime.TotalMinutes + LogonTokenCacheExpirationWindow = $config.LogonTokenCacheExpirationWindow.TotalMinutes Ensure = "Present" } } @@ -146,15 +171,15 @@ function Set-TargetResource $AllowMetadataOverHttp = $false, [Parameter()] - [System.Int32] + [System.UInt32] $FormsTokenLifetime, [Parameter()] - [System.Int32] + [System.UInt32] $WindowsTokenLifetime, [Parameter()] - [System.Int32] + [System.UInt32] $LogonTokenCacheExpirationWindow, [Parameter()] 
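Review bot: The Present return in the second hunk now hands back `$config.FormsTokenLifetime.TotalMinutes` (and the two sibling properties), which is a Double, while the schema and the param blocks in this same commit declare these properties as UInt32, so Test-TargetResource will compare a UInt32 desired value against a Double current value. Casting at the source keeps Get's output aligned with the declared type: `FormsTokenLifetime = [System.UInt32]$config.FormsTokenLifetime.TotalMinutes`, and the same for WindowsTokenLifetime and LogonTokenCacheExpirationWindow; values this resource writes are whole minutes, so the cast is lossless for them. Whether Test-SPDscParameterState accepts a UInt32/Double pair as equal is not visible here and is worth confirming with a unit test that feeds TimeSpans into the mocked Get-SPSecurityTokenServiceConfig. The return hashtable starts outside this hunk.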
@@ -180,6 +205,36 @@ function Set-TargetResource throw $message } + if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and ` + $PSBoundParameters.ContainsKey("WindowsTokenLifetime") -eq $true) + { + if ($PSBoundParameters.LogonTokenCacheExpirationWindow -le $PSBoundParameters.WindowsTokenLifetime) + { + $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as WindowsTokenLifetime ist not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value higher than WindowsTokenLifetime") + Add-SPDscEvent -Message $message ` + -EntryType 'Error' ` + -EventID 100 ` + -Source $MyInvocation.MyCommand.Source + throw $message + } + } + + if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and ` + $PSBoundParameters.ContainsKey("FormsTokenLifetime") -eq $true) + { + if ($PSBoundParameters.LogonTokenCacheExpirationWindow -le $PSBoundParameters.FormsTokenLifetime) + { + $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as FormsTokenLifetime ist not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value higher than FormsTokenLifetime") + Add-SPDscEvent -Message $message ` + -EntryType 'Error' ` + -EventID 100 ` + -Source $MyInvocation.MyCommand.Source + throw $message + } + } + Invoke-SPDscCommand -Credential $InstallAccount ` -Arguments $PSBoundParameters ` -ScriptBlock { 
@@ -219,18 +274,26 @@ function Set-TargetResource if ($params.ContainsKey("LogonTokenCacheExpirationWindow")) { - if ($params.ContainsKey("WindowsTokenLifetime") -or $params.ContainsKey("FormsTokenLifetime")) + if (!($params.ContainsKey("WindowsTokenLifetime")) -and ($params.LogonTokenCacheExpirationWindow -le $config.WindowsTokenLifetime.TotalMinutes)) { - if ( ($params.LogonTokenCacheExpirationWindow -le $params.WindowsTokenLifetime) -or ($params.LogonTokenCacheExpirationWindow -le $params.FormsTokenLifetime) ) - { - $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as WindowsTokenLifetime or FormsTokenLifetime ist not supported. " + ` - "Please set LogonTokenCacheExpirationWindow to value higher than WindowsTokenLifetime and FormsTokenLifetime") - Add-SPDscEvent -Message $message ` - -EntryType 'Error' ` - -EventID 100 ` - -Source $MyInvocation.MyCommand.Source - throw $message - } + $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as WindowsTokenLifetime ist not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value higher than WindowsTokenLifetime") + Add-SPDscEvent -Message $message ` + -EntryType 'Error' ` + -EventID 100 ` + -Source $MyInvocation.MyCommand.Source + throw $message + } + + if (!($params.ContainsKey("FormsTokenLifetime")) -and ($params.LogonTokenCacheExpirationWindow -le $config.FormsTokenLifetime.TotalMinutes)) + { + $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as FormsTokenLifetime ist not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value higher than FormsTokenLifetime") + Add-SPDscEvent -Message $message ` + -EntryType 'Error' ` + -EventID 100 ` + -Source $MyInvocation.MyCommand.Source + throw $message } $config.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes $params.LogonTokenCacheExpirationWindow) 
@@ -272,15 +335,15 @@ function Test-TargetResource $AllowMetadataOverHttp = $false, [Parameter()] - [System.Int32] + [System.UInt32] $FormsTokenLifetime, [Parameter()] - [System.Int32] + [System.UInt32] $WindowsTokenLifetime, [Parameter()] - [System.Int32] + [System.UInt32] $LogonTokenCacheExpirationWindow, [Parameter()] diff --git a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.schema.mof b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.schema.mof index c30438567..8dac9329c 100644 --- a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.schema.mof +++ b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.schema.mof 
@@ -7,9 +7,9 @@ class MSFT_SPSecurityTokenServiceConfig : OMI_BaseResource
 [Write, Description("True set the security token service to use cookies")] Boolean UseSessionCookies;
 [Write, Description("True set the security token service to allow OAuth over HTTP")] Boolean AllowOAuthOverHttp;
 [Write, Description("True set the security token service to allow metadata exchange over HTTP")] Boolean AllowMetadataOverHttp;
- [Write, Description("Timespan in minutes to set FormsTokenLifetime")] Int32 FormsTokenLifetime;
- [Write, Description("Timespan in minutes to set WindowsTokenLifetime")] Int32 WindowsTokenLifetime;
- [Write, Description("Timespan in minutes to set LogonTokenCacheExpirationWindow")] Int32 LogonTokenCacheExpirationWindow;
+ [Write, Description("Timespan in minutes to set FormsTokenLifetime")] UInt32 FormsTokenLifetime;
+ [Write, Description("Timespan in minutes to set WindowsTokenLifetime")] UInt32 WindowsTokenLifetime;
+ [Write, Description("Timespan in minutes to set LogonTokenCacheExpirationWindow")] UInt32 LogonTokenCacheExpirationWindow;
 [Write, Description("Present ensures the configurations are applied"), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
 [Write, Description("POWERSHELL 4 ONLY: The account to run this resource as, use PsDscRunAsCredential if using PowerShell 5"), EmbeddedInstance("MSFT_Credential")] String InstallAccount;
 };
diff --git a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/readme.md b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/readme.md
index 173a0691a..026c4c651 100644
--- a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/readme.md
+++ b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/readme.md
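Review bot: The Description strings on the three new properties still read "Timespan in minutes to set X", which says nothing about the constraint the resource enforces by throwing (the ordering between LogonTokenCacheExpirationWindow and the two lifetimes), and "Timespan" is misleading now that the type is a UInt32 holding a number of minutes. Since the MOF Description is what Get-DscResource shows to users, the LogonTokenCacheExpirationWindow line should carry it, with the direction the series settles on in patch 3: `[Write, Description("Number of minutes for LogonTokenCacheExpirationWindow. Must be lower than FormsTokenLifetime and WindowsTokenLifetime, otherwise the resource throws")] UInt32 LogonTokenCacheExpirationWindow;`. The two lifetime lines would read better as "Number of minutes for FormsTokenLifetime" and "Number of minutes for WindowsTokenLifetime".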
@@ -8,6 +8,6 @@ the local SharePoint farm. Using Ensure equals to Absent is not supported. This resource can only apply configuration, not ensure they don't exist. This resource is also able to set the properties FormsTokenLifetime, WindowsTokenLifetime and LogonTokenCacheExpirationWindow. -It checks for values leading to “The context has expired and can no longer be used.” errors. +It checks for values leading to "The context has expired and can no longer be used." errors. The value for LogonTokenCacheExpirationWindow must be higher than the values for FormsTokenLifetime and WindowsTokenLifetime, it will return an error if not. From 38e760dec63ff3338c1c89a0e613e2af55bc9651 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Lieft=C3=BCchter?= Date: Thu, 8 Apr 2021 12:45:02 +0200 Subject: [PATCH 3/4] Updated checks for LogonTokenCacheExpirationWindow values --- .../MSFT_SPSecurityTokenServiceConfig.psm1 | 53 +++++++------------ 1 file changed, 20 insertions(+), 33 deletions(-) diff --git a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 index 4b9c3d115..58736b401 100644 --- a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 +++ b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 
@@ -54,13 +54,15 @@ function Get-TargetResource $Ensure = "Present" ) + Write-Verbose -Message "Getting Security Token Service Configuration" + if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and ` $PSBoundParameters.ContainsKey("WindowsTokenLifetime") -eq $true) { - if ($PSBoundParameters.LogonTokenCacheExpirationWindow -le $PSBoundParameters.WindowsTokenLifetime) + if ($PSBoundParameters.LogonTokenCacheExpirationWindow -ge $PSBoundParameters.WindowsTokenLifetime) { - $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as WindowsTokenLifetime ist not supported. " + ` - "Please set LogonTokenCacheExpirationWindow to value higher than WindowsTokenLifetime") + $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as WindowsTokenLifetime is not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value lower as WindowsTokenLifetime") Add-SPDscEvent -Message $message ` -EntryType 'Error' ` -EventID 100 ` @@ -74,8 +76,8 @@ function Get-TargetResource { if ($PSBoundParameters.LogonTokenCacheExpirationWindow -le $PSBoundParameters.FormsTokenLifetime) { - $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as FormsTokenLifetime ist not supported. " + ` - "Please set LogonTokenCacheExpirationWindow to value higher than FormsTokenLifetime") + $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as FormsTokenLifetime is not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value lower as FormsTokenLifetime") Add-SPDscEvent -Message $message ` -EntryType 'Error' ` -EventID 100 ` @@ -84,8 +86,6 @@ function Get-TargetResource } } - Write-Verbose -Message "Getting Security Token Service Configuration" - $result = Invoke-SPDscCommand -Credential $InstallAccount ` -Arguments $PSBoundParameters ` -ScriptBlock { 
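Review bot: This commit inverts the enforced relationship (LogonTokenCacheExpirationWindow is now rejected when it is greater than or equal to WindowsTokenLifetime) but leaves the readme added in patch 1 untouched, so the documentation now states the opposite of what the code does: "The value for LogonTokenCacheExpirationWindow must be higher than the values for FormsTokenLifetime and WindowsTokenLifetime". The readme sentence should become `The value for LogonTokenCacheExpirationWindow must be lower than the values for FormsTokenLifetime and WindowsTokenLifetime,` and the CHANGELOG entry from patch 2 could mention the constraint as well. The new messages also say "higher or equal as" and "lower as"; "higher than or equal to" and "lower than" would read correctly, e.g. `"Please set LogonTokenCacheExpirationWindow to a value lower than WindowsTokenLifetime")`. The same wording appears in the Set-TargetResource hunks of this commit.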
@@ -93,20 +93,6 @@ function Get-TargetResource $config = Get-SPSecurityTokenServiceConfig - if ($null -ne $config) - { - if ( ($params.LogonTokenCacheExpirationWindow -le $config.FormsTokenLifetime.TotalMinutes) -or ($params.LogonTokenCacheExpirationWindow -le $config.WindowsTokenLifetime.TotalMinutes) ) - { - $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as WindowsTokenLifetime or FormsTokenLifetime ist not supported. " + ` - "Please set LogonTokenCacheExpirationWindow to value higher than WindowsTokenLifetime and FormsTokenLifetime") - Add-SPDscEvent -Message $message ` - -EntryType 'Error' ` - -EventID 100 ` - -Source $MyInvocation.MyCommand.Source - throw $message - } - } - $nullReturn = @{ IsSingleInstance = "Yes" Name = $params.Name @@ -119,6 +105,7 @@ function Get-TargetResource LogonTokenCacheExpirationWindow = $params.LogonTokenCacheExpirationWindow Ensure = "Absent" } + if ($null -eq $config) { return $nullReturn @@ -208,10 +195,10 @@ function Set-TargetResource if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and ` $PSBoundParameters.ContainsKey("WindowsTokenLifetime") -eq $true) { - if ($PSBoundParameters.LogonTokenCacheExpirationWindow -le $PSBoundParameters.WindowsTokenLifetime) + if ($PSBoundParameters.LogonTokenCacheExpirationWindow -ge $PSBoundParameters.WindowsTokenLifetime) { - $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as WindowsTokenLifetime ist not supported. " + ` - "Please set LogonTokenCacheExpirationWindow to value higher than WindowsTokenLifetime") + $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as WindowsTokenLifetime is not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value lower as WindowsTokenLifetime") Add-SPDscEvent -Message $message ` -EntryType 'Error' ` -EventID 100 ` 
@@ -223,10 +210,10 @@ function Set-TargetResource if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and ` $PSBoundParameters.ContainsKey("FormsTokenLifetime") -eq $true) { - if ($PSBoundParameters.LogonTokenCacheExpirationWindow -le $PSBoundParameters.FormsTokenLifetime) + if ($PSBoundParameters.LogonTokenCacheExpirationWindow -ge $PSBoundParameters.FormsTokenLifetime) { - $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as FormsTokenLifetime ist not supported. " + ` - "Please set LogonTokenCacheExpirationWindow to value higher than FormsTokenLifetime") + $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as FormsTokenLifetime is not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value lower as FormsTokenLifetime") Add-SPDscEvent -Message $message ` -EntryType 'Error' ` -EventID 100 ` @@ -274,10 +261,10 @@ function Set-TargetResource if ($params.ContainsKey("LogonTokenCacheExpirationWindow")) { - if (!($params.ContainsKey("WindowsTokenLifetime")) -and ($params.LogonTokenCacheExpirationWindow -le $config.WindowsTokenLifetime.TotalMinutes)) + if (-not $params.ContainsKey("WindowsTokenLifetime") -and ($params.LogonTokenCacheExpirationWindow -ge $config.WindowsTokenLifetime.TotalMinutes)) { - $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as WindowsTokenLifetime ist not supported. " + ` - "Please set LogonTokenCacheExpirationWindow to value higher than WindowsTokenLifetime") + $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as WindowsTokenLifetime is not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value lower as WindowsTokenLifetime") Add-SPDscEvent -Message $message ` -EntryType 'Error' ` -EventID 100 ` 
@@ -285,10 +272,10 @@ function Set-TargetResource throw $message } - if (!($params.ContainsKey("FormsTokenLifetime")) -and ($params.LogonTokenCacheExpirationWindow -le $config.FormsTokenLifetime.TotalMinutes)) + if (-not $params.ContainsKey("FormsTokenLifetime") -and ($params.LogonTokenCacheExpirationWindow -ge $config.FormsTokenLifetime.TotalMinutes)) { - $message = ("Setting LogonTokenCacheExpirationWindow to a value lower or equal as FormsTokenLifetime ist not supported. " + ` - "Please set LogonTokenCacheExpirationWindow to value higher than FormsTokenLifetime") + $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as FormsTokenLifetime is not supported. " + ` + "Please set LogonTokenCacheExpirationWindow to value lower as FormsTokenLifetime") Add-SPDscEvent -Message $message ` -EntryType 'Error' ` -EventID 100 ` From 7ef4faa26ca29d0ff8801f07fdb78cabd58929ab Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20Lieft=C3=BCchter?= Date: Fri, 9 Apr 2021 09:20:38 +0200 Subject: [PATCH 4/4] Fixed line 77 --- .../MSFT_SPSecurityTokenServiceConfig.psm1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 index 58736b401..ab9ebe887 100644 --- a/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 +++ b/SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1 
@@ -74,7 +74,7 @@ function Get-TargetResource
 if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and `
 $PSBoundParameters.ContainsKey("FormsTokenLifetime") -eq $true)
 {
- if ($PSBoundParameters.LogonTokenCacheExpirationWindow -le $PSBoundParameters.FormsTokenLifetime)
+ if ($PSBoundParameters.LogonTokenCacheExpirationWindow -ge $PSBoundParameters.FormsTokenLifetime)
 {
 $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as FormsTokenLifetime is not supported. " + `
 "Please set LogonTokenCacheExpirationWindow to value lower as FormsTokenLifetime")