我正在尝试使用基于证书的 oauth 创建到 Exchange 在线管理 powershell 模块的远程连接。但是,无论我如何创建自签名证书,我都会收到访问被拒绝的错误。我会注意到,我可以成功地将用户名/密码组合交换为 oauth token ,然后使用该 token 对 powershell 模块进行身份验证。
我正在像 Windows powershell 中一样创建自签名证书:
$cert=New-SelfSignedCertificate -Subject "<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="8fccc1b2e8fdeeffe7a2eeffe6cff9eafde6ebe6e1eafba1ece0e2" rel="noreferrer noopener nofollow">[email protected]</a>,O=veridinet.onmicrosoft.com,OU=veridinet.onmicrosoft.com,<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="94c1c4daa9f3e6f5e4fcb9f5e4fdd4e2f1e6fdf0fdfaf1e0baf7fbf9" rel="noreferrer noopener nofollow">[email protected]</a>" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature
然后,我使用 Windows certmgr 工具导出此证书。然后,我使用 azure 广告应用程序门户将该证书上传到我的应用程序。上传后,我会收到证书指纹。
然后,我尝试使用该指纹通过一些 c# 代码接收 oauth token (这需要 Microsoft.IdentityModel.Clients.ActiveDirectory.dll 和 Microsoft.Exchange.Management.AdminApiProvider .dll 作为依赖项):
var clientAppId = "<my_client_app_id_here>";
var clientAppRedirectUri = new Uri("https://login.microsoftonline.com/common/oauth2/nativeclient");
var defaultConnectionUri = "https://outlook.office365.com";
var defaultAzureAuthEndpointUri = "https://login.microsoftonline.com/<my_tenant_id_here>";
var certThumbprint = "<my_cert_thumbprint_here>";
TokenProviderContext context = new TokenProviderContext(AuthType.Default, clientAppId, defaultAzureAuthEndpointUri, defaultConnectionUri, null, null, null, null, certThumbprint, null, clientAppRedirectUri);
TokenInformation tokenInformation = TokenProviderFactory.Instance.CreateTokenProvider(context).GetAccessToken();
Console.WriteLine(tokenInformation.AuthorizationHeader);
Console.WriteLine(tokenInformation.UserPrincipalName);
此代码将向控制台写入一个 token 。但它输出的 UserPrincipalName 不是我在证书主题行中提供的 UPN,我怀疑这是一个问题。
无论如何,我然后尝试连接到交换管理模块,如下所示:
$password = ConvertTo-SecureString -AsPlainText <access_token_from_above_code_here> -Force
$username = "<a href="https://stackoverflow.com/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="bddacfdccdd590dccdd4fdcbd8cfd4d9d4d3d8c993ded2d0" rel="noreferrer noopener nofollow">[email protected]</a>"
$mycreds = New-Object -TypeName PSCredential -ArgumentList $username, $password
$pssession = New-PSSession -AllowRedirection -Authentication "Basic" -ConfigurationName "Microsoft.Exchange" -ConnectionUri "https://outlook.office365.com/PowerShell-LiveID?BasicAuthToOAuthConversion=true&HideBannerMessage=true" -Credential $mycreds -Name "ExchangeOnlineInternalSession_1"
上述命令会导致访问被拒绝错误,我的猜测是因为 UPN 未正确编码到 token 中,但我很难正确编码。
最佳答案
Exchange Online 不再接受-Authentication "Basic"...如果可能,请改用Connect-ExchangeOnline:
Connect-ExchangeOnline -CertificateThumbPrint "xxxxx" -AppID "xxxx-xxxxxx" -Organization "YourTenantName.onmicrosoft.com"
了解更多信息,请访问Exchange Online Powershell
关于c# - Exchange Online 管理 Powershell 模块和证书 Oauth,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/62781876/