compdigit44
asked on
ADFS 3.0 Additional Claim Rules using PowerShell Problems
We are trying to add an additional claim rule on one of our ADFS relying party trusts using the command below, but keep getting the PowerShell error "Get-Content : A positional parameter cannot be found that accepts argument 'System.Object'".
Set-AdfsRelyingPartyTrust -Name ABC -AdditionalAuthenticationRules c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-2xxxxxxxxxxxxxxx"] -and [Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] -and [Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
ASKER
Getting the message below...
Set-AdfsRelyingPartyTrust : Parameter set cannot be resolved using the specified named parameters.
At line:1 char:1
+ Set-AdfsRelyingPartyTrust -Name TrustTest1 -AdditionalAuthenticationRules 'c: ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Set-AdfsRelyingPartyTrust], ParameterBindingException
    + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.IdentityServer.Management.Commands.SetRelyingPartyTrustCommand
Can't test this. According to https://docs.microsoft.com/en-us/powershell/module/adfs/set-adfsrelyingpartytrust?view=win10-ps
Try -TargetName TrustTest1 instead of "-Name TrustTest1"
ASKER
I get this message when using -TargetName..
Set-AdfsRelyingPartyTrust : POLICY0002: Could not parse policy data.
Line number: 1, Column number: 139, Error token: -. Line: 'c:[Type ==
"http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value ==
"S-1-5-21-489560845-1771796962-2032737499-178925"] -and [Type ==
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] -and [Type ==
"http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "true"] => issue(Type =
"http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value =
"http://schemas.microsoft.com/claims/multipleauthn")'.
Parser error: 'POLICY0029: Unexpected input.'
At line:1 char:1
+ Set-AdfsRelyingPartyTrust -TargetName "ServiceNowDev" -AdditionalAuthenticationR ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (Microsoft.Ident...lyingPartyTrust:RelyingPartyTrust) [Set-AdfsRelyingPartyTrust], PolicyValidationException
    + FullyQualifiedErrorId : POLICY0002,Microsoft.IdentityServer.Management.Commands.SetRelyingPartyTrustCommand
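The corrected form of the command discussed in this thread, as an added example that is not the original poster's code and not taken from Microsoft's documentation. It keeps the poster's goal of challenging one AD group for MFA and fixes the three things the two errors above point at: the trust to modify is selected with -TargetName (on Set-AdfsRelyingPartyTrust, -Name sets a new friendly name and does not pick a parameter set, hence AmbiguousParameterSet), the rule text is passed as one PowerShell string instead of bare tokens, and the conditions are joined with the claim-rule-language operator "&&" rather than PowerShell's -and, which is the "-" token the POLICY0029 parser error stops on. The trust name ABC, the placeholder SID and the hypothetical group name MFA-Required-Users are assumptions. One caveat on the rule as posted: it requires insidecorporatenetwork to be both "false" and "true" in the same request, and ADFS issues that claim once per request, so that rule can never fire; the example keeps only the outside-the-network condition.

```powershell
# Added example, not code from the original thread. Assumes an ADFS relying
# party trust named "ABC" already exists and that $groupSid is replaced with
# the SID of the group whose members should be challenged for MFA.
Import-Module ADFS

$rpName   = 'ABC'
$groupSid = 'S-1-5-21-1111111111-2222222222-3333333333-4444'   # placeholder SID, not a real group
# With the ActiveDirectory module you can look it up instead (group name is hypothetical):
#   $groupSid = (Get-ADGroup -Identity 'MFA-Required-Users').SID.Value

# The text below is claim-rule language, not PowerShell:
#  - conditions are joined with "&&"; the policy parser rejects "-and" as unexpected input
#  - each condition gets its own tag (c1:, c2:) so they may match different incoming claims
#  - a single-quoted here-string keeps the inner double quotes intact and stops PowerShell
#    from tokenising the rule as command-line arguments
$mfaRules = @'
@RuleName = "Require MFA for group members connecting from outside the corporate network"
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "__GROUPSID__"]
 && c2:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@ -replace '__GROUPSID__', $groupSid

# -TargetName selects the trust by friendly name and resolves the parameter set;
# -TargetIdentifier (the RP identifier URI) works the same way.
Set-AdfsRelyingPartyTrust -TargetName $rpName -AdditionalAuthenticationRules $mfaRules

# Read the policy back to confirm what ADFS actually stored.
(Get-AdfsRelyingPartyTrust -Name $rpName).AdditionalAuthenticationRules
```

Run this in an elevated PowerShell session on an ADFS server as an account that holds ADFS administrator rights. To require MFA for the group regardless of location, drop the c2 condition and the "&&"; to keep longer rule sets under version control, write them to a file and pass the path with -AdditionalAuthenticationRulesFile instead of -AdditionalAuthenticationRules. The Get- read-back is the quickest check that the rule text survived quoting intact, before testing a sign-in with a group member from an external address.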
ASKER CERTIFIED SOLUTION
ASKER
We found that when we simply select the group on the MFA tab for the relying party and check both Internal and External, it prompts for MFA, but it does so for everyone. If we remove the Internal and External access check boxes but leave the group, it does not prompt at all.
ASKER
I found the error; it was a typo.