Friday, June 29, 2012

Powershell : Setting credentials for a web request

Trying to get through a proxy and getting the dreaded “407 – Proxy Authentication Required”.
The solution is to use:

# Credentials for the target site itself (only matter if the site also asks for auth)
$wcl = New-Object Net.WebClient
$wcl.Credentials = New-Object Net.NetworkCredential("login", "password", "domain")
# Credentials presented to the proxy; this is what clears the 407
$wcl.Proxy.Credentials = New-Object Net.NetworkCredential("login", "password", "domain")

And suddenly we’re through the proxy and all is good!


Thursday, June 21, 2012

ADFS : Sending groups as claims


When you are configuring the claims rules in ADFS, you have a number of options for sending AD groups.

You can send them all at once – “Send LDAP Attributes as Claims” – or you can send them individually – “Send Group Membership as a Claim”.

In the latter case, you get to “clean” the name up.

e.g. you can have a group called “TN-W2008-Test-Marketing-Editor” because of some company naming convention but you can configure the claim to be of type:

http// with a value of “MarketingEditor”.

The downside with this is that if the groups are deleted or renamed, you have to manually reconfigure ADFS.

For the former, ADFS simply sends the whole lot. If a group is renamed, it simply sends the new name.

There are a number of options for the groups, i.e.

Token-Groups as SIDs

Token-Groups - Qualified by Domain Name

Token-Groups - Qualified by Long Domain Name

Token-Groups - Unqualified Names

If you have a group called Editor with a SID of S-1-5-21-3794324387-748717723-962058466-1466 and a domain of (and assuming you map them all to a type of “role”), then the four different types result in:

…identity/claims/role = S-1-5-21-3794324387-748717723-962058466-1466

…identity/claims/role = company\Editor

…identity/claims/role =\Editor

…identity/claims/role = Editor

Note that you get a role claim per group. If the user is a member of 6 groups, they will get six separate claims of type “role”. This includes the default claim of “Domain Users”.
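As an added example (not from the original post), here are the two rule styles described above written in the ADFS claim rule language and applied to a relying party trust with the ADFS PowerShell cmdlets. The relying party name “Example RP” and the “MarketingEditor” mapping are illustrative; the SID is the one quoted above, reused to stand in for the group’s SID.

```powershell
# Added example: the two ADFS rule styles from the post, as claim rule language.
# Assumptions: a relying party trust named "Example RP" exists (placeholder), and the
# ADFS PowerShell cmdlets are available (on 2008 R2: Add-PSSnapin Microsoft.Adfs.PowerShell).

# Style 1: "Send LDAP Attributes as Claims" - one role claim per group, straight from AD,
# so a renamed group simply shows up under its new name. Swap the attribute name to pick
# the naming format the post lists:
#   tokenGroupsAsSids                    -> S-1-5-21-...-1466
#   tokenGroupsQualifiedByDomainName     -> company\Editor
#   tokenGroupsQualifiedByLongDomainName -> <long domain name>\Editor
#   tokenGroups                          -> Editor
$ldapRule = @'
@RuleName = "All AD groups as role claims (unqualified names)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";tokenGroups;{0}",
          param = c.Value);
'@

# Style 2: "Send Group Membership as a Claim" - one group, matched by its SID (the SID from
# the post), mapped to a cleaned-up role value. Because the match is on the SID, renaming
# the group in AD leaves the issued value unchanged; deleting the group silently drops it.
$groupRule = @'
@RuleName = "Marketing editors group -> MarketingEditor"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid",
   Value == "S-1-5-21-3794324387-748717723-962058466-1466", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role",
          Value = "MarketingEditor",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Apply both rules to the relying party. Note this REPLACES the trust's existing issuance
# transform rules, so capture the current set first if you need to keep it.
$existing = (Get-AdfsRelyingPartyTrust -Name "Example RP").IssuanceTransformRules
Set-AdfsRelyingPartyTrust -TargetName "Example RP" -IssuanceTransformRules ($ldapRule + "`n" + $groupRule)

# Verify what ADFS now holds for that trust.
(Get-AdfsRelyingPartyTrust -Name "Example RP").IssuanceTransformRules
```

With both rules in place a member of the marketing group receives both an “Editor”-style claim from the first rule and the “MarketingEditor” claim from the second, so check the resulting token before relying on either.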