Merge pull request #1307 from ThomasLie/master

MSFT_SPSecurityTokenServiceConfig: Added properties FormsTokenLifetime, WindowsTokenLifetime and LogonTokenCacheExpirationWindow

CHANGELOG.md

@@ -4,6 +4,8 @@ The format is based on and uses the types of changes according to [Keep a Change
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
+- SPSecurityTokenServiceConfig
+  - Added support for LogonTokenCacheExpirationWindow, WindowsTokenLifetime and FormsTokenLifetime settings
 
 ### Added
 

SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.psm1

@@ -32,6 +32,18 @@ function Get-TargetResource
         [System.Boolean]
         $AllowMetadataOverHttp = $false,
 
+        [Parameter()]
+        [System.UInt32]
+        $FormsTokenLifetime,
+
+        [Parameter()]
+        [System.UInt32]
+        $WindowsTokenLifetime,
+
+        [Parameter()]
+        [System.UInt32]
+        $LogonTokenCacheExpirationWindow,
+
         [Parameter()]
         [System.Management.Automation.PSCredential]
         $InstallAccount,
@@ -44,34 +56,72 @@ function Get-TargetResource
 
     Write-Verbose -Message "Getting Security Token Service Configuration"
 
+    if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and `
+        $PSBoundParameters.ContainsKey("WindowsTokenLifetime") -eq $true)
+    {
+        if ($PSBoundParameters.LogonTokenCacheExpirationWindow -ge $PSBoundParameters.WindowsTokenLifetime)
+        {
+            $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as WindowsTokenLifetime is not supported. " + `
+                    "Please set LogonTokenCacheExpirationWindow to value lower as WindowsTokenLifetime")
+            Add-SPDscEvent -Message $message `
+                -EntryType 'Error' `
+                -EventID 100 `
+                -Source $MyInvocation.MyCommand.Source
+            throw $message
+        }
+    }
+
+    if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and `
+        $PSBoundParameters.ContainsKey("FormsTokenLifetime") -eq $true)
+    {
+        if ($PSBoundParameters.LogonTokenCacheExpirationWindow -ge $PSBoundParameters.FormsTokenLifetime)
+        {
+            $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as FormsTokenLifetime is not supported. " + `
+                    "Please set LogonTokenCacheExpirationWindow to value lower as FormsTokenLifetime")
+            Add-SPDscEvent -Message $message `
+                -EntryType 'Error' `
+                -EventID 100 `
+                -Source $MyInvocation.MyCommand.Source
+            throw $message
+        }
+    }
+
     $result = Invoke-SPDscCommand -Credential $InstallAccount `
         -Arguments $PSBoundParameters `
         -ScriptBlock {
         $params = $args[0]
 
         $config = Get-SPSecurityTokenServiceConfig
+
         $nullReturn = @{
-            IsSingleInstance      = "Yes"
-            Name                  = $params.Name
-            NameIdentifier        = $params.NameIdentifier
-            UseSessionCookies     = $params.UseSessionCookies
-            AllowOAuthOverHttp    = $params.AllowOAuthOverHttp
-            AllowMetadataOverHttp = $params.AllowMetadataOverHttp
-            Ensure                = "Absent"
+            IsSingleInstance                = "Yes"
+            Name                            = $params.Name
+            NameIdentifier                  = $params.NameIdentifier
+            UseSessionCookies               = $params.UseSessionCookies
+            AllowOAuthOverHttp              = $params.AllowOAuthOverHttp
+            AllowMetadataOverHttp           = $params.AllowMetadataOverHttp
+            FormsTokenLifetime              = $params.FormsTokenLifetime
+            WindowsTokenLifetime            = $params.WindowsTokenLifetime
+            LogonTokenCacheExpirationWindow = $params.LogonTokenCacheExpirationWindow
+            Ensure                          = "Absent"
         }
+
         if ($null -eq $config)
         {
             return $nullReturn
         }
 
         return @{
-            IsSingleInstance      = "Yes"
-            Name                  = $config.Name
-            NameIdentifier        = $config.NameIdentifier
-            UseSessionCookies     = $config.UseSessionCookies
-            AllowOAuthOverHttp    = $config.AllowOAuthOverHttp
-            AllowMetadataOverHttp = $config.AllowMetadataOverHttp
-            Ensure                = "Present"
+            IsSingleInstance                = "Yes"
+            Name                            = $config.Name
+            NameIdentifier                  = $config.NameIdentifier
+            UseSessionCookies               = $config.UseSessionCookies
+            AllowOAuthOverHttp              = $config.AllowOAuthOverHttp
+            AllowMetadataOverHttp           = $config.AllowMetadataOverHttp
+            FormsTokenLifetime              = $config.FormsTokenLifetime.TotalMinutes
+            WindowsTokenLifetime            = $config.WindowsTokenLifetime.TotalMinutes
+            LogonTokenCacheExpirationWindow = $config.LogonTokenCacheExpirationWindow.TotalMinutes
+            Ensure                          = "Present"
         }
     }
     return $result
@@ -107,6 +157,18 @@ function Set-TargetResource
         [System.Boolean]
         $AllowMetadataOverHttp = $false,
 
+        [Parameter()]
+        [System.UInt32]
+        $FormsTokenLifetime,
+
+        [Parameter()]
+        [System.UInt32]
+        $WindowsTokenLifetime,
+
+        [Parameter()]
+        [System.UInt32]
+        $LogonTokenCacheExpirationWindow,
+
         [Parameter()]
         [System.Management.Automation.PSCredential]
         $InstallAccount,
@@ -130,6 +192,36 @@ function Set-TargetResource
         throw $message
     }
 
+    if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and `
+        $PSBoundParameters.ContainsKey("WindowsTokenLifetime") -eq $true)
+    {
+        if ($PSBoundParameters.LogonTokenCacheExpirationWindow -ge $PSBoundParameters.WindowsTokenLifetime)
+        {
+            $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as WindowsTokenLifetime is not supported. " + `
+                    "Please set LogonTokenCacheExpirationWindow to value lower as WindowsTokenLifetime")
+            Add-SPDscEvent -Message $message `
+                -EntryType 'Error' `
+                -EventID 100 `
+                -Source $MyInvocation.MyCommand.Source
+            throw $message
+        }
+    }
+
+    if ($PSBoundParameters.ContainsKey("LogonTokenCacheExpirationWindow") -eq $true -and `
+        $PSBoundParameters.ContainsKey("FormsTokenLifetime") -eq $true)
+    {
+        if ($PSBoundParameters.LogonTokenCacheExpirationWindow -ge $PSBoundParameters.FormsTokenLifetime)
+        {
+            $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as FormsTokenLifetime is not supported. " + `
+                    "Please set LogonTokenCacheExpirationWindow to value lower as FormsTokenLifetime")
+            Add-SPDscEvent -Message $message `
+                -EntryType 'Error' `
+                -EventID 100 `
+                -Source $MyInvocation.MyCommand.Source
+            throw $message
+        }
+    }
+
     Invoke-SPDscCommand -Credential $InstallAccount `
         -Arguments $PSBoundParameters `
         -ScriptBlock {
@@ -157,6 +249,43 @@ function Set-TargetResource
             $config.AllowMetadataOverHttp = $params.AllowMetadataOverHttp
         }
 
+        if ($params.ContainsKey("FormsTokenLifetime"))
+        {
+            $config.FormsTokenLifetime = (New-TimeSpan -Minutes $params.FormsTokenLifetime)
+        }
+
+        if ($params.ContainsKey("WindowsTokenLifetime"))
+        {
+            $config.WindowsTokenLifetime = (New-TimeSpan -Minutes $params.WindowsTokenLifetime)
+        }
+
+        if ($params.ContainsKey("LogonTokenCacheExpirationWindow"))
+        {
+            if (-not $params.ContainsKey("WindowsTokenLifetime") -and ($params.LogonTokenCacheExpirationWindow -ge $config.WindowsTokenLifetime.TotalMinutes))
+            {
+                $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as WindowsTokenLifetime is not supported. " + `
+                            "Please set LogonTokenCacheExpirationWindow to value lower as WindowsTokenLifetime")
+                Add-SPDscEvent -Message $message `
+                    -EntryType 'Error' `
+                    -EventID 100 `
+                    -Source $MyInvocation.MyCommand.Source
+                throw $message
+            }
+
+            if (-not $params.ContainsKey("FormsTokenLifetime") -and ($params.LogonTokenCacheExpirationWindow -ge $config.FormsTokenLifetime.TotalMinutes))
+            {
+                $message = ("Setting LogonTokenCacheExpirationWindow to a value higher or equal as FormsTokenLifetime is not supported. " + `
+                            "Please set LogonTokenCacheExpirationWindow to value lower as FormsTokenLifetime")
+                Add-SPDscEvent -Message $message `
+                    -EntryType 'Error' `
+                    -EventID 100 `
+                    -Source $MyInvocation.MyCommand.Source
+                throw $message
+            }
+
+            $config.LogonTokenCacheExpirationWindow = (New-TimeSpan -Minutes $params.LogonTokenCacheExpirationWindow)
+        }
+
         $config.Update()
     }
 }
@@ -192,6 +321,18 @@ function Test-TargetResource
         [System.Boolean]
         $AllowMetadataOverHttp = $false,
 
+        [Parameter()]
+        [System.UInt32]
+        $FormsTokenLifetime,
+
+        [Parameter()]
+        [System.UInt32]
+        $WindowsTokenLifetime,
+
+        [Parameter()]
+        [System.UInt32]
+        $LogonTokenCacheExpirationWindow,
+
         [Parameter()]
         [System.Management.Automation.PSCredential]
         $InstallAccount,
@@ -218,7 +359,10 @@ function Test-TargetResource
         "NameIdentifier",
         "UseSessionCookies",
         "AllowOAuthOverHttp",
-        "AllowMetadataOverHttp")
+        "AllowMetadataOverHttp",
+        "FormsTokenLifetime",
+        "WindowsTokenLifetime",
+        "LogonTokenCacheExpirationWindow")
 
     Write-Verbose -Message "Test-TargetResource returned $result"
 

SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/MSFT_SPSecurityTokenServiceConfig.schema.mof

@@ -7,6 +7,9 @@ class MSFT_SPSecurityTokenServiceConfig : OMI_BaseResource
     [Write, Description("True set the security token service to use cookies")] Boolean UseSessionCookies;
     [Write, Description("True set the security token service to allow OAuth over HTTP")] Boolean AllowOAuthOverHttp;
     [Write, Description("True set the security token service to allow metadata exchange over HTTP")] Boolean AllowMetadataOverHttp;
+    [Write, Description("Timespan in minutes to set FormsTokenLifetime")] UInt32 FormsTokenLifetime;
+    [Write, Description("Timespan in minutes to set WindowsTokenLifetime")] UInt32 WindowsTokenLifetime;
+    [Write, Description("Timespan in minutes to set LogonTokenCacheExpirationWindow")] UInt32 LogonTokenCacheExpirationWindow;
     [Write, Description("Present ensures the configurations are applied"), ValueMap{"Present","Absent"}, Values{"Present","Absent"}] string Ensure;
     [Write, Description("POWERSHELL 4 ONLY: The account to run this resource as, use PsDscRunAsCredential if using PowerShell 5"), EmbeddedInstance("MSFT_Credential")] String InstallAccount;
 };

SharePointDsc/DSCResources/MSFT_SPSecurityTokenServiceConfig/readme.md

@@ -6,3 +6,8 @@
 This resource is responsible for configuring the Security Token Service within
 the local SharePoint farm. Using Ensure equals to Absent is not supported.
 This resource can only apply configuration, not ensure they don't exist.
+
+This resource is also able to set the properties FormsTokenLifetime, WindowsTokenLifetime and LogonTokenCacheExpirationWindow.
+It checks for values leading to "The context has expired and can no longer be used." errors.
+The value for LogonTokenCacheExpirationWindow must be higher than the values for FormsTokenLifetime and WindowsTokenLifetime,
+it will return an error if not.