DSCResources/MSFT_xExchActiveSyncVirtualDirectory/MSFT_xExchActiveSyncVirtualDirectory.psm1

function Get-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Collections.Hashtable])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $Identity,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]
        $Credential,

        [Parameter()]
        [System.Boolean]
        $AllowServiceRestart = $false,

        [Parameter()]
        [System.Boolean]
        $AutoCertBasedAuth = $false,

        [Parameter()]
        [System.String]
        $AutoCertBasedAuthThumbprint,

        [Parameter()]
        [System.String[]]
        $AutoCertBasedAuthHttpsBindings = @('0.0.0.0:443', '127.0.0.1:443'),

        [Parameter()]
        [System.String]
        $ActiveSyncServer,

        [Parameter()]
        [System.Boolean]
        $BadItemReportingEnabled,

        [Parameter()]
        [System.Boolean]
        $BasicAuthEnabled,

        [Parameter()]
        [ValidateSet('Ignore', 'Accepted', 'Required')]
        [System.String]
        $ClientCertAuth,

        [Parameter()]
        [System.Boolean]
        $CompressionEnabled,

        [Parameter()]
        [System.String]
        $DomainController,

        [Parameter()]
        [ValidateSet('None', 'Proxy', 'NoServiceNameCheck', 'AllowDotlessSpn', 'ProxyCohosting')]
        [System.String[]]
        $ExtendedProtectionFlags,

        [Parameter()]
        [System.String[]]
        $ExtendedProtectionSPNList,

        [Parameter()]
        [ValidateSet('None', 'Allow', 'Require')]
        [System.String]
        $ExtendedProtectionTokenChecking,

        [Parameter()]
        [System.String[]]
        $ExternalAuthenticationMethods,

        [Parameter()]
        [System.String]
        $ExternalUrl,

        [Parameter()]
        [System.Boolean]
        $InstallIsapiFilter,

        [Parameter()]
        [System.String[]]
        $InternalAuthenticationMethods,

        [Parameter()]
        [System.String]
        $InternalUrl,

        [Parameter()]
        [System.String]
        $MobileClientCertificateAuthorityURL,

        [Parameter()]
        [System.Boolean]
        $MobileClientCertificateProvisioningEnabled,

        [Parameter()]
        [System.String]
        $MobileClientCertTemplateName,

        [Parameter()]
        [System.String]
        $Name,

        [Parameter()]
        [ValidateSet('Allow', 'Block')]
        [System.String]
        $RemoteDocumentsActionForUnknownServers,

        [Parameter()]
        [System.String[]]
        $RemoteDocumentsAllowedServers,

        [Parameter()]
        [System.String[]]
        $RemoteDocumentsBlockedServers,

        [Parameter()]
        [System.String[]]
        $RemoteDocumentsInternalDomainSuffixList,

        [Parameter()]
        [System.Boolean]
        $SendWatsonReport,

        [Parameter()]
        [System.Boolean]
        $WindowsAuthEnabled
    )

    Write-Verbose -Message 'Getting the Exchange ActiveSyncVirtualDirectory settings'

    Write-FunctionEntry -Parameters @{
        'Identity' = $Identity
    } -Verbose:$VerbosePreference

    # Establish remote PowerShell session
    Get-RemoteExchangeSession -Credential $Credential -CommandsToLoad 'Get-ActiveSyncVirtualDirectory' -Verbose:$VerbosePreference

    $easVdir = Get-ActiveSyncVirtualDirectoryInternal @PSBoundParameters

    if ($null -ne $easVdir)
    {
        $returnValue = @{
            Identity                                   = [System.String] $Identity
            ActiveSyncServer                           = [System.String] $easVdir.ActiveSyncServer
            BadItemReportingEnabled                    = [System.Boolean] $easVdir.BadItemReportingEnabled
            BasicAuthEnabled                           = [System.Boolean] $easVdir.BasicAuthEnabled
            ClientCertAuth                             = [System.String] $easVdir.ClientCertAuth
            CompressionEnabled                         = [System.Boolean] $easVdir.CompressionEnabled
            ExtendedProtectionFlags                    = [System.String[]] $easVdir.ExtendedProtectionFlags
            ExtendedProtectionSPNList                  = [System.String[]] $easVdir.ExtendedProtectionSPNList
            ExtendedProtectionTokenChecking            = [System.String] ($easVdir.ExtendedProtectionTokenChecking)
            ExternalAuthenticationMethods              = [System.String[]] $easVdir.ExternalAuthenticationMethods
            ExternalUrl                                = [System.String] $easVdir.ExternalUrl.AbsoluteUri
            InstallIsapiFilter                         = [System.Boolean] (Test-ISAPIFilter)
            InternalAuthenticationMethods              = [System.String[]] $easVdir.InternalAuthenticationMethods
            InternalUrl                                = [System.String] $easVdir.InternalUrl.AbsoluteUri
            MobileClientCertificateAuthorityURL        = [System.String] $easVdir.MobileClientCertificateAuthorityURL
            MobileClientCertificateProvisioningEnabled = [System.Boolean] $easVdir.MobileClientCertificateProvisioningEnabled
            MobileClientCertTemplateName               = [System.String] $easVdir.MobileClientCertTemplateName
            Name                                       = [System.String] $easVdir.Name
            RemoteDocumentsActionForUnknownServers     = [System.String] $easVdir.RemoteDocumentsActionForUnknownServers
            RemoteDocumentsAllowedServers              = [System.String[]] $easVdir.RemoteDocumentsAllowedServers
            RemoteDocumentsBlockedServers              = [System.String[]] $easVdir.RemoteDocumentsBlockedServers
            RemoteDocumentsInternalDomainSuffixList    = [System.String[]] $easVdir.RemoteDocumentsInternalDomainSuffixList
            SendWatsonReport                           = [System.Boolean] $easVdir.SendWatsonReport
            WindowsAuthEnabled                         = [System.Boolean] $easVdir.WindowsAuthEnabled
        }
    }

    $returnValue
}

function Set-TargetResource
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $Identity,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]
        $Credential,

        [Parameter()]
        [System.Boolean]
        $AllowServiceRestart = $false,

        [Parameter()]
        [System.Boolean]
        $AutoCertBasedAuth = $false,

        [Parameter()]
        [System.String]
        $AutoCertBasedAuthThumbprint,

        [Parameter()]
        [System.String[]]
        $AutoCertBasedAuthHttpsBindings = @('0.0.0.0:443', '127.0.0.1:443'),

        [Parameter()]
        [System.String]
        $ActiveSyncServer,

        [Parameter()]
        [System.Boolean]
        $BadItemReportingEnabled,

        [Parameter()]
        [System.Boolean]
        $BasicAuthEnabled,

        [Parameter()]
        [ValidateSet('Ignore', 'Accepted', 'Required')]
        [System.String]
        $ClientCertAuth,

        [Parameter()]
        [System.Boolean]
        $CompressionEnabled,

        [Parameter()]
        [System.String]
        $DomainController,

        [Parameter()]
        [ValidateSet('None', 'Proxy', 'NoServiceNameCheck', 'AllowDotlessSpn', 'ProxyCohosting')]
        [System.String[]]
        $ExtendedProtectionFlags,

        [Parameter()]
        [System.String[]]
        $ExtendedProtectionSPNList,

        [Parameter()]
        [ValidateSet('None', 'Allow', 'Require')]
        [System.String]
        $ExtendedProtectionTokenChecking,

        [Parameter()]
        [System.String[]]
        $ExternalAuthenticationMethods,

        [Parameter()]
        [System.String]
        $ExternalUrl,

        [Parameter()]
        [System.Boolean]
        $InstallIsapiFilter,

        [Parameter()]
        [System.String[]]
        $InternalAuthenticationMethods,

        [Parameter()]
        [System.String]
        $InternalUrl,

        [Parameter()]
        [System.String]
        $MobileClientCertificateAuthorityURL,

        [Parameter()]
        [System.Boolean]
        $MobileClientCertificateProvisioningEnabled,

        [Parameter()]
        [System.String]
        $MobileClientCertTemplateName,

        [Parameter()]
        [System.String]
        $Name,

        [Parameter()]
        [ValidateSet('Allow', 'Block')]
        [System.String]
        $RemoteDocumentsActionForUnknownServers,

        [Parameter()]
        [System.String[]]
        $RemoteDocumentsAllowedServers,

        [Parameter()]
        [System.String[]]
        $RemoteDocumentsBlockedServers,

        [Parameter()]
        [System.String[]]
        $RemoteDocumentsInternalDomainSuffixList,

        [Parameter()]
        [System.Boolean]
        $SendWatsonReport,

        [Parameter()]
        [System.Boolean]
        $WindowsAuthEnabled
    )

    Write-Verbose -Message 'Setting the Exchange ActiveSyncVirtualDirectory settings'

    Write-FunctionEntry -Parameters @{
        'Identity' = $Identity
    } -Verbose:$VerbosePreference

    # Establish remote PowerShell session
    Get-RemoteExchangeSession -Credential $Credential -CommandsToLoad 'Set-ActiveSyncVirtualDirectory' -Verbose:$VerbosePreference

    # Ensure an empty string is $null and not a string
    Set-EmptyStringParamsToNull -PSBoundParametersIn $PSBoundParameters

    # Remove Credential and AllowServiceRestart because those parameters do not exist on Set-ActiveSyncVirtualDirectory
    Remove-FromPSBoundParametersUsingHashtable -PSBoundParametersIn $PSBoundParameters -ParamsToRemove 'Credential', 'AllowServiceRestart', 'AutoCertBasedAuth', 'AutoCertBasedAuthThumbprint', 'AutoCertBasedAuthHttpsBindings'

    # Verify SPNs depending on AllowDotlesSPN
    if ( -not (Test-ExtendedProtectionSPNList -SPNList $ExtendedProtectionSPNList -Flags $ExtendedProtectionFlags))
    {
        throw 'SPN list contains DotlesSPN, but AllowDotlessSPN is not added to ExtendedProtectionFlags or invalid combination was used!'
    }

    # Configure everything but CBA
    Set-ActiveSyncVirtualDirectory @PSBoundParameters

    if ($AutoCertBasedAuth)
    {
        # Need to configure CBA
        Test-PreReqsForCertBasedAuth

        if (-not ([System.String]::IsNullOrEmpty($AutoCertBasedAuthThumbprint)))
        {
            Enable-CertBasedAuth -AutoCertBasedAuthThumbprint $AutoCertBasedAuthThumbprint -AutoCertBasedAuthHttpsBindings $AutoCertBasedAuthHttpsBindings
        }
        else
        {
            throw 'AutoCertBasedAuthThumbprint must be specified when AutoCertBasedAuth is set to true'
        }

        if ($AllowServiceRestart)
        {
            # Need to restart all of IIS for auth settings to stick
            Write-Verbose -Message 'Restarting IIS'

            iisreset /noforce /timeout:300
        }
        else
        {
            Write-Warning -Message 'The configuration will not take effect until IISReset /noforce is run.'
        }
    }

    # Only bounce the app pool if we didn't already restart IIS for CBA
    if (-not $AutoCertBasedAuth)
    {
        if ($AllowServiceRestart)
        {
            Write-Verbose -Message 'Recycling MSExchangeSyncAppPool'

            Restart-ExistingAppPool -Name MSExchangeSyncAppPool
        }
        else
        {
            Write-Warning -Message 'The configuration will not take effect until MSExchangeSyncAppPool is manually recycled.'
        }
    }

    # Install IsapiFilter manually as workaround as Exchange Cmdlet doesn't do it
    if ($InstallIsapiFilter)
    {
        if (-not (Test-ISAPIFilter))
        {
            Add-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                -Location 'Default Web Site' `
                -Filter 'system.webServer/isapiFilters' `
                -Name '.' `
                -value @{
                    name = 'Exchange ActiveSync ISAPI Filter'
                    path = "$env:ExchangeInstallPath\FrontEnd\HttpProxy\bin\AirFilter.dll"
            }
        }
    }
}

function Test-TargetResource
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $Identity,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]
        $Credential,

        [Parameter()]
        [System.Boolean]
        $AllowServiceRestart = $false,

        [Parameter()]
        [System.Boolean]
        $AutoCertBasedAuth = $false,

        [Parameter()]
        [System.String]
        $AutoCertBasedAuthThumbprint,

        [Parameter()]
        [System.String[]]
        $AutoCertBasedAuthHttpsBindings = @('0.0.0.0:443', '127.0.0.1:443'),

        [Parameter()]
        [System.String]
        $ActiveSyncServer,

        [Parameter()]
        [System.Boolean]
        $BadItemReportingEnabled,

        [Parameter()]
        [System.Boolean]
        $BasicAuthEnabled,

        [Parameter()]
        [ValidateSet('Ignore', 'Accepted', 'Required')]
        [System.String]
        $ClientCertAuth,

        [Parameter()]
        [System.Boolean]
        $CompressionEnabled,

        [Parameter()]
        [System.String]
        $DomainController,

        [Parameter()]
        [ValidateSet('None', 'Proxy', 'NoServiceNameCheck', 'AllowDotlessSpn', 'ProxyCohosting')]
        [System.String[]]
        $ExtendedProtectionFlags,

        [Parameter()]
        [System.String[]]
        $ExtendedProtectionSPNList,

        [Parameter()]
        [ValidateSet('None', 'Allow', 'Require')]
        [System.String]
        $ExtendedProtectionTokenChecking,

        [Parameter()]
        [System.String[]]
        $ExternalAuthenticationMethods,

        [Parameter()]
        [System.String]
        $ExternalUrl,

        [Parameter()]
        [System.Boolean]
        $InstallIsapiFilter,

        [Parameter()]
        [System.String[]]
        $InternalAuthenticationMethods,

        [Parameter()]
        [System.String]
        $InternalUrl,

        [Parameter()]
        [System.String]
        $MobileClientCertificateAuthorityURL,

        [Parameter()]
        [System.Boolean]
        $MobileClientCertificateProvisioningEnabled,

        [Parameter()]
        [System.String]
        $MobileClientCertTemplateName,

        [Parameter()]
        [System.String]
        $Name,

        [Parameter()]
        [ValidateSet('Allow', 'Block')]
        [System.String]
        $RemoteDocumentsActionForUnknownServers,

        [Parameter()]
        [System.String[]]
        $RemoteDocumentsAllowedServers,

        [Parameter()]
        [System.String[]]
        $RemoteDocumentsBlockedServers,

        [Parameter()]
        [System.String[]]
        $RemoteDocumentsInternalDomainSuffixList,

        [Parameter()]
        [System.Boolean]
        $SendWatsonReport,

        [Parameter()]
        [System.Boolean]
        $WindowsAuthEnabled
    )

    Write-Verbose -Message 'Testing the Exchange ActiveSyncVirtualDirectory settings'

    Write-FunctionEntry -Parameters @{
        'Identity' = $Identity
    } -Verbose:$VerbosePreference

    # Establish remote PowerShell session
    Get-RemoteExchangeSession -Credential $Credential -CommandsToLoad 'Get-ActiveSyncVirtualDirectory' -Verbose:$VerbosePreference

    # Ensure an empty string is $null and not a string
    Set-EmptyStringParamsToNull -PSBoundParametersIn $PSBoundParameters

    $easVdir = Get-ActiveSyncVirtualDirectoryInternal @PSBoundParameters

    $testResults = $true

    if ($null -eq $easVdir)
    {
        Write-Error -Message 'Unable to retrieve ActiveSync Virtual Directory for server'

        $testResults = $false
    }
    else
    {
        if (-not (Test-ExchangeSetting -Name 'ActiveSyncServer' -Type 'String' -ExpectedValue $ActiveSyncServer -ActualValue $easVdir.ActiveSyncServer -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'BadItemReportingEnabled' -Type 'Boolean' -ExpectedValue $BadItemReportingEnabled -ActualValue $easVdir.BadItemReportingEnabled -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'BasicAuthEnabled' -Type 'Boolean' -ExpectedValue $BasicAuthEnabled -ActualValue $easVdir.BasicAuthEnabled -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'ClientCertAuth' -Type 'String' -ExpectedValue $ClientCertAuth -ActualValue $easVdir.ClientCertAuth -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'CompressionEnabled' -Type 'Boolean' -ExpectedValue $CompressionEnabled -ActualValue $easVdir.CompressionEnabled -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'ExtendedProtectionFlags' -Type 'ExtendedProtection' -ExpectedValue $ExtendedProtectionFlags -ActualValue $easVdir.ExtendedProtectionFlags -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'ExtendedProtectionSPNList' -Type 'Array' -ExpectedValue $ExtendedProtectionSPNList -ActualValue $easVdir.ExtendedProtectionSPNList -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'ExtendedProtectionTokenChecking' -Type 'String' -ExpectedValue $ExtendedProtectionTokenChecking -ActualValue $easVdir.ExtendedProtectionTokenChecking -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'ExternalAuthenticationMethods' -Type 'Array' -ExpectedValue $ExternalAuthenticationMethods -ActualValue $easVdir.ExternalAuthenticationMethods -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'ExternalUrl' -Type 'String' -ExpectedValue $ExternalUrl -ActualValue $easVdir.ExternalUrl.AbsoluteUri -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'InternalAuthenticationMethods' -Type 'Array' -ExpectedValue $InternalAuthenticationMethods -ActualValue $easVdir.InternalAuthenticationMethods -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'InternalUrl' -Type 'String' -ExpectedValue $InternalUrl -ActualValue $easVdir.InternalUrl.AbsoluteUri -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'MobileClientCertificateAuthorityURL' -Type 'String' -ExpectedValue $MobileClientCertificateAuthorityURL -ActualValue $easVdir.MobileClientCertificateAuthorityURL -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'MobileClientCertificateProvisioningEnabled' -Type 'Boolean' -ExpectedValue $MobileClientCertificateProvisioningEnabled -ActualValue $easVdir.MobileClientCertificateProvisioningEnabled -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'MobileClientCertTemplateName' -Type 'String' -ExpectedValue $MobileClientCertTemplateName -ActualValue $easVdir.MobileClientCertTemplateName -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'Name' -Type 'String' -ExpectedValue $Name -ActualValue $easVdir.Name -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'RemoteDocumentsActionForUnknownServers' -Type 'String' -ExpectedValue $RemoteDocumentsActionForUnknownServers -ActualValue $easVdir.RemoteDocumentsActionForUnknownServers -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'RemoteDocumentsAllowedServers' -Type 'Array' -ExpectedValue $RemoteDocumentsAllowedServers -ActualValue $easVdir.RemoteDocumentsAllowedServers -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'RemoteDocumentsBlockedServers' -Type 'Array' -ExpectedValue $RemoteDocumentsBlockedServers -ActualValue $easVdir.RemoteDocumentsBlockedServers -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'RemoteDocumentsInternalDomainSuffixList' -Type 'Array' -ExpectedValue $RemoteDocumentsInternalDomainSuffixList -ActualValue $easVdir.RemoteDocumentsInternalDomainSuffixList -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'SendWatsonReport' -Type 'Boolean' -ExpectedValue $SendWatsonReport -ActualValue $easVdir.SendWatsonReport -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if (-not (Test-ExchangeSetting -Name 'WindowsAuthEnabled' -Type 'Boolean' -ExpectedValue $WindowsAuthEnabled -ActualValue $easVdir.WindowsAuthEnabled -PSBoundParametersIn $PSBoundParameters -Verbose:$VerbosePreference))
        {
            $testResults = $false
        }

        if ($AutoCertBasedAuth)
        {
            Test-PreReqsForCertBasedAuth

            if ([System.String]::IsNullOrEmpty($AutoCertBasedAuthThumbprint))
            {
                Write-InvalidSettingVerbose -SettingName 'AutoCertBasedAuthThumbprint' `
                    -ExpectedValue 'Not null or empty' `
                    -ActualValue '' `
                    -Verbose:$VerbosePreference
                $testResults = $false
            }
            elseif ($null -eq $AutoCertBasedAuthHttpsBindings -or $AutoCertBasedAuthHttpsBindings.Count -eq 0)
            {
                Write-InvalidSettingVerbose -SettingName 'AutoCertBasedAuthHttpsBindings' `
                    -ExpectedValue 'Not null or empty' `
                    -ActualValue '' `
                    -Verbose:$VerbosePreference
                $testResults = $false
            }
            elseif ((Test-CertBasedAuth -AutoCertBasedAuthThumbprint $AutoCertBasedAuthThumbprint -AutoCertBasedAuthHttpsBindings $AutoCertBasedAuthHttpsBindings) -eq $false)
            {
                Write-InvalidSettingVerbose -SettingName 'TestCertBasedAuth' `
                    -ExpectedValue $true `
                    -ActualValue $false `
                    -Verbose:$VerbosePreference
                $testResults = $false
            }
        }

        if ($InstallIsapiFilter)
        {
            if (-not (Test-ISAPIFilter))
            {
                Write-InvalidSettingVerbose -SettingName 'InstallIsapiFilter' -ExpectedValue $InstallIsapiFilter -ActualValue 'false' -Verbose:$VerbosePreference
                $testResults = $false
            }
        }
    }

    return $testResults
}

function Get-ActiveSyncVirtualDirectoryInternal
{
    [CmdletBinding()]
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $Identity,

        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]
        [System.Management.Automation.Credential()]
        $Credential,

        [Parameter()]
        [System.Boolean]
        $AllowServiceRestart = $false,

        [Parameter()]
        [System.Boolean]
        $AutoCertBasedAuth = $false,

        [Parameter()]
        [System.String]
        $AutoCertBasedAuthThumbprint,

        [Parameter()]
        [System.String[]]
        $AutoCertBasedAuthHttpsBindings = @('0.0.0.0:443', '127.0.0.1:443'),

        [Parameter()]
        [System.String]
        $ActiveSyncServer,

        [Parameter()]
        [System.Boolean]
        $BadItemReportingEnabled,

        [Parameter()]
        [System.Boolean]
        $BasicAuthEnabled,

        [Parameter()]
        [ValidateSet('Ignore', 'Accepted', 'Required')]
        [System.String]
        $ClientCertAuth,

        [Parameter()]
        [System.Boolean]
        $CompressionEnabled,

        [Parameter()]
        [System.String]
        $DomainController,

        [Parameter()]
        [ValidateSet('None', 'Proxy', 'NoServiceNameCheck', 'AllowDotlessSpn', 'ProxyCohosting')]
        [System.String[]]
        $ExtendedProtectionFlags,

        [Parameter()]
        [System.String[]]
        $ExtendedProtectionSPNList,

        [Parameter()]
        [ValidateSet('None', 'Allow', 'Require')]
        [System.String]
        $ExtendedProtectionTokenChecking,

        [Parameter()]
        [System.String[]]
        $ExternalAuthenticationMethods,

        [Parameter()]
        [System.String]
        $ExternalUrl,

        [Parameter()]
        [System.Boolean]
        $InstallIsapiFilter,

        [Parameter()]
        [System.String[]]
        $InternalAuthenticationMethods,

        [Parameter()]
        [System.String]
        $InternalUrl,

        [Parameter()]
        [System.String]
        $MobileClientCertificateAuthorityURL,

        [Parameter()]
        [System.Boolean]
        $MobileClientCertificateProvisioningEnabled,

        [Parameter()]
        [System.String]
        $MobileClientCertTemplateName,

        [Parameter()]
        [System.String]
        $Name,

        [Parameter()]
        [ValidateSet('Allow', 'Block')]
        [System.String]
        $RemoteDocumentsActionForUnknownServers,

        [Parameter()]
        [System.String[]]
        $RemoteDocumentsAllowedServers,

        [Parameter()]
        [System.String[]]
        $RemoteDocumentsBlockedServers,

        [Parameter()]
        [System.String[]]
        $RemoteDocumentsInternalDomainSuffixList,

        [Parameter()]
        [System.Boolean]
        $SendWatsonReport,

        [Parameter()]
        [System.Boolean]
        $WindowsAuthEnabled
    )

    Remove-FromPSBoundParametersUsingHashtable -PSBoundParametersIn $PSBoundParameters -ParamsToKeep 'Identity', 'DomainController'

    return (Get-ActiveSyncVirtualDirectory @PSBoundParameters)
}

function Enable-CertBasedAuth
{
    param
    (
        [Parameter()]
        [System.String]
        $AutoCertBasedAuthThumbprint,

        [Parameter()]
        [System.String[]]
        $AutoCertBasedAuthHttpsBindings = @('0.0.0.0:443', '127.0.0.1:443')
    )

    $appCmdExe = "$($env:SystemRoot)\System32\inetsrv\appcmd.exe"

    # Enable cert auth in IIS, and require SSL on the AS vdir
    $output = &$appCmdExe set config -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:'True' /commit:apphost
    Write-Verbose -Message "$output"

    $output = &$appCmdExe set config 'Default Web Site' -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:'True' /commit:apphost
    Write-Verbose -Message "$output"

    $output = &$appCmdExe set config 'Default Web Site/Microsoft-Server-ActiveSync' /section:access /sslFlags:'Ssl, SslNegotiateCert, SslRequireCert, Ssl128' /commit:apphost
    Write-Verbose -Message "$output"

    $output = &$appCmdExe set config 'Default Web Site/Microsoft-Server-ActiveSync' -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:'True' /commit:apphost
    Write-Verbose -Message "$output"

    # Set DSMapperUsage to enabled on all the required SSL bindings
    $appId = '{4dc3e181-e14b-4a21-b022-59fc669b0914}' # The appId of all IIS applications

    foreach ($binding in $AutoCertBasedAuthHttpsBindings)
    {
        Enable-DSMapperUsage -IpPortCombo $binding -CertThumbprint $AutoCertBasedAuthThumbprint -AppId $appId
    }
}

function Test-CertBasedAuth
{
    param
    (
        [Parameter()]
        [System.String]
        $AutoCertBasedAuthThumbprint,

        [Parameter()]
        [System.String[]]
        $AutoCertBasedAuthHttpsBindings = @('0.0.0.0:443', '127.0.0.1:443')
    )

    $appCmdExe = "$($env:SystemRoot)\System32\inetsrv\appcmd.exe"

    $serverWideClientCertMappingAuth = &$appCmdExe list config -section:system.webServer/security/authentication/clientCertificateMappingAuthentication

    if (-not (Test-AppCmdOutputContainsString -AppCmdOutput $serverWideClientCertMappingAuth -SearchString "clientCertificateMappingAuthentication enabled=`"true`""))
    {
        return $false
    }

    $clientCertMappingAuth = &$appCmdExe list config 'Default Web Site' -section:system.webServer/security/authentication/clientCertificateMappingAuthentication

    if (-not (Test-AppCmdOutputContainsString -AppCmdOutput $clientCertMappingAuth -SearchString "clientCertificateMappingAuthentication enabled=`"true`""))
    {
        return $false
    }

    $asClientCertMappingAuth = &$appCmdExe list config 'Default Web Site/Microsoft-Server-ActiveSync' -section:system.webServer/security/authentication/clientCertificateMappingAuthentication

    if (-not (Test-AppCmdOutputContainsString -appCmdOutput $asClientCertMappingAuth -searchString "clientCertificateMappingAuthentication enabled=`"true`""))
    {
        return $false
    }

    $sslFlags = &$appCmdExe list config 'Default Web Site/Microsoft-Server-ActiveSync' /section:access

    if (-not (Test-AppCmdOutputContainsString -appCmdOutput $sslFlags -searchString "access sslFlags=`"Ssl, SslNegotiateCert, SslRequireCert, Ssl128`""))
    {
        return $false
    }

    $netshOutput = netsh.exe http show sslcert

    foreach ($binding in $AutoCertBasedAuthHttpsBindings)
    {
        if (-not (Test-NetshSslCertSetting -IpPort $binding -NetshSslCertOutput $netshOutput -SettingName 'DS Mapper Usage' -SettingValue 'Enabled'))
        {
            return $false
        }

        if (-not (Test-NetshSslCertSetting -IpPort $binding -NetshSslCertOutput $netshOutput -SettingName 'Certificate Hash' -SettingValue $AutoCertBasedAuthThumbprint))
        {
            return $false
        }

        if (-not (Test-NetshSslCertSetting -IpPort $binding -NetshSslCertOutput $netshOutput -SettingName 'Certificate Store Name' -SettingValue 'MY'))
        {
            return $false
        }
    }

    return $true
}

function Test-IsSslBinding
{
    param
    (
        [Parameter()]
        $NetshOutput
    )

    if ($null -ne $NetshOutput -and $NetshOutput.GetType().Name -eq 'Object[]')
    {
        for ($i = 0; $i -lt $NetshOutput.Count; $i++)
        {
            if ($NetshOutput[$i].Contains('IP:port'))
            {
                return $true
            }
        }
    }

    return $false
}

function Enable-DSMapperUsage
{
    param
    (
        [Parameter(Mandatory = $true)]
        [System.String]
        $IpPortCombo,

        [Parameter(Mandatory = $true)]
        [System.String]
        $CertThumbprint,

        [Parameter(Mandatory = $true)]
        [System.String]
        $AppId
    )
    # See if a binding already exists, and if so, delete it
    $bindingOutput = netsh.exe http show sslcert ipport=$($IpPortCombo)

    if (Test-IsSslBinding $bindingOutput)
    {
        $output = netsh.exe http delete sslcert ipport=$($IpPortCombo)
        Write-Verbose -Message "$output"
    }

    # Add the binding back with new settings
    $output = netsh.exe http add sslcert ipport=$($IpPortCombo) certhash=$($CertThumbprint) appid=$($AppId) dsmapperusage=enable certstorename=MY
    Write-Verbose -Message "$output"
}

function Test-AppCmdOutputContainsString
{
    param
    (
        [Parameter()]
        $AppCmdOutput,

        [Parameter(Mandatory = $true)]
        [System.String]
        $SearchString
    )

    if ($null -ne $AppCmdOutput -and $AppCmdOutput.GetType().Name -eq 'Object[]')
    {
        foreach ($line in $AppCmdOutput)
        {
            if ($line.ToLower().Contains($SearchString.ToLower()))
            {
                return $true
            }
        }
    }

    return $false
}

function Test-NetshSslCertSetting
{
    param
    (
        [Parameter()]
        $NetshSslCertOutput,

        [Parameter(Mandatory = $true)]
        [System.String]
        $IpPort,

        [Parameter(Mandatory = $true)]
        [System.String]
        $SettingName,

        [Parameter(Mandatory = $true)]
        [System.String]
        $SettingValue
    )

    $SettingName = $SettingName.ToLower()
    $SettingValue = $SettingValue.ToLower()

    if ($null -ne $NetshSslCertOutput -and $NetshSslCertOutput.GetType().Name -eq 'Object[]')
    {
        $foundSetting = $false
        for ($i = 0; $i -lt $NetshSslCertOutput.Count -and -not $foundSetting; $i++)
        {
            if ($NetshSslCertOutput[$i].ToLower().Contains('ip:port') -and $NetshSslCertOutput[$i].Contains($IpPort))
            {
                $i++

                while ( -not $NetshSslCertOutput[$i].ToLower().Contains('ip:port') -and -not $foundSetting )
                {
                    if ($NetshSslCertOutput[$i].ToLower().Contains($SettingName))
                    {
                        $foundSetting = $true

                        if ($NetshSslCertOutput[$i].ToLower().Contains($SettingValue))
                        {
                            return $true
                        }
                    }

                    $i++
                }
            }
        }
    }

    return $false
}

# Ensures that required Certification Based Authentication prereqs are installed
function Test-PreReqsForCertBasedAuth
{
    $hasAllPreReqs = $true

    $webClientAuth = Get-WindowsFeature -Name Web-Client-Auth
    $webCertAuth = Get-WindowsFeature -Name Web-Cert-Auth

    if ($webClientAuth.InstallState -ne 'Installed')
    {
        $hasAllPreReqs = $false

        Write-Error -Message 'The Web-Client-Auth feature needs to be installed before the Auto Certification Based Authentication feature can be used'
    }

    if ($webCertAuth.InstallState -ne 'Installed')
    {
        $hasAllPreReqs = $false

        Write-Error -Message 'The Web-Cert-Auth feature needs to be installed before the Auto Certification Based Authentication feature can be used'
    }

    if ($hasAllPreReqs -eq $false)
    {
        throw 'Required Windows features need to be installed before the Auto Certification Based Authentication feature can be used'
    }
}

function Test-ISAPIFilter
{
    [CmdletBinding()]
    [OutputType([System.Boolean])]
    param
    (
        [Parameter()]
        [System.String]
        $WebSite = 'Default Web Site',

        [Parameter()]
        [System.String]
        $ISAPIFilterName = 'Exchange ActiveSync ISAPI Filter'
    )

    begin
    {
        $ReturnValue = $false

        $ISAPIFilters = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $WebSite `
            -Filter 'system.webServer/isapiFilters' `
            -Name '.'
    }
    process
    {
        if ($ISAPIFilters.Collection.Count -gt 0)
        {
            if ($ISAPIFilters.Collection.Name.Contains($ISAPIFilterName))
            {
                Write-Verbose -Message "Filter $($ISAPIFilterName) was found"
                $ReturnValue = $true
            }
        }
    }
    end
    {
        return $ReturnValue
    }
}

Export-ModuleMember -Function *-TargetResource