
The AWS PowerShell SAML code below works without problems on all Windows workstations, but on all Windows servers we get this error:

Use-STSRole : Credential generation from SAML authentication failed. + CategoryInfo : InvalidOperation: (Amazon.PowerShe...seSTSRoleCmdlet:UseSTSRoleCmdlet) [Use-STSRole], InvalidOperationException + FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.STS.UseSTSRoleCmdlet

PowerShell code:

Clear-AWSCredentials
Set-DefaultAWSRegion eu-west-1
$ADFSendpoint=Set-AWSSamlEndpoint -Endpoint "https://adfs.mycompany.com/adfs/ls/IdpInitiatedSignOn.aspx?loginToRp=urn:amazon:webservices" -StoreAs ADFSendpoint
Set-AWSSamlRoleProfile -EndpointName $ADFSendpoint -StoreAllRoles
Set-AWSCredentials -ProfileName "123456789012:role/MyRole"
$RoleArn = "arn:aws:iam::123456789012:role/MyRole"
$CredentialAws = (Use-STSRole -RoleArn $RoleArn -RoleSessionName "MySession").Credentials
$CredentialAws
Get-S3Bucket


This is maddening - they are otherwise identically set up, and the ADFS endpoint still works fine in a browser on the servers, but NOT in PowerShell.

This used to work recently on the servers but I am unable to find out why it stopped working.


The issue is resolved.

Fiddler revealed a certificate problem (see below), and it turned out that there were two versions of the root certificate "Starfield Class 2 Certification Authority" - the version on the workstations expires in 2034 and the version on the servers expires in 2024 - so both should be valid, but still the 2024 version shows a chain with a warning and the 2034 version shows a chain with no warning.

So the AWS PowerShell endpoint sts.amazonaws.com must have had its certificate chain changed recently to cause this symptom.

Possibly google for a PowerShell script to save the SSL certificate of a site like sts.amazonaws.com to a file.

-----fiddler output-----

Session #6: The server (sts.amazonaws.com) presented a certificate that did not validate, due to RemoteCertificateChainErrors.

0 - A certificate chain could not be built to a trusted root authority.

1 - The revocation function was unable to check revocation for the certificate.

2 - The revocation function was unable to check revocation because the revocation server was offline.

ISSUER: CN=Amazon, OU=Server CA 1B, O=Amazon, C=US
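The diagnostic step the answer points at, written out as an added example (not code from the question or the answer above): it connects to an endpoint, runs the Windows chain build that Fiddler reports on, prints every chain element with its expiry so the root actually used can be compared between a working workstation and a failing server, and saves the leaf certificate to a file. The default host name and output path are assumptions.

```powershell
# Added example: inspect and save the TLS certificate chain an endpoint presents.
# Host, port and output path are assumed defaults, not values from the original post.
param(
    [string]$Hostname = 'sts.amazonaws.com',
    [int]$Port = 443,
    [string]$OutFile = "$env:TEMP\$Hostname.cer"
)

$client = New-Object System.Net.Sockets.TcpClient($Hostname, $Port)
try {
    # Accept whatever the server sends here; real validation is done below with X509Chain,
    # so we can see the same chain errors the SDK and Fiddler see instead of a bare failure.
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($Hostname)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $client.Close()
}

# Build the chain the way Windows would, including an online revocation check,
# which is what produces the "revocation function was unable to check" statuses.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$ok = $chain.Build($leaf)

"Subject : $($leaf.Subject)"
"Issuer  : $($leaf.Issuer)"
"Chain OK: $ok"
$chain.ChainStatus | ForEach-Object { "Status  : $($_.Status) - $($_.StatusInformation.Trim())" }

# One line per chain element; compare the root's NotAfter and thumbprint across machines.
"Chain elements (leaf first):"
$chain.ChainElements | ForEach-Object {
    "  {0} (expires {1:yyyy-MM-dd}) thumbprint {2}" -f $_.Certificate.Subject, $_.Certificate.NotAfter, $_.Certificate.Thumbprint
}

# Save the leaf as DER so it can be opened in certmgr or diffed between hosts.
[System.IO.File]::WriteAllBytes($OutFile, $leaf.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
"Saved leaf certificate to $OutFile"
```

Run it on a workstation and on a server and diff the two outputs; a different root thumbprint or expiry for the same subject name is exactly the situation the answer describes.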