A failure occurred during an attempt to check for the revocation status of the SSL certificate that is configured on the federation passive Web site.
The federation server proxy is unable to communicate with a certificate revocation list (CRL) server.
Verify the following:
The federation server proxies have access to the Internet.
The traffic between the federation server proxies and the CRL server is not blocked by a firewall or extranet access policy.
Target | Microsoft.ActiveDirectoryFederationServices20.FederationServerProxyWebsites | ||
Parent Monitor | System.Health.ConfigurationState | ||
Category | AvailabilityHealth | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Warning | ||
Alert Priority | Normal | ||
Alert Auto Resolve | True | ||
Monitor Type | Microsoft.ActiveDirectoryFederationServices20.TwoStateScriptMonitorType | ||
Remotable | True | ||
Accessibility | Public | ||
Alert Message |
| ||
RunAs | Default |
<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices20.FederationServerProxyWebsitesSSLCertRevocationCheckFailureMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices20.FederationServerProxyWebsites" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Microsoft.ActiveDirectoryFederationServices20.TwoStateScriptMonitorType" ConfirmDelivery="false">
<Category>AvailabilityHealth</Category>
<AlertSettings AlertMessage="Microsoft.ActiveDirectoryFederationServices20.FederationServerProxyWebsitesSSLCertRevocationCheckFailureMonitor_AlertMessageResourceID">
<AlertOnState>Warning</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Warning</AlertSeverity>
</AlertSettings>
<OperationalStates>
<OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success"/>
<OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Warning"/>
</OperationalStates>
<Configuration>
<PowerShellPath>%windir%\system32\windowspowershell\v1.0\powershell.exe</PowerShellPath>
<ScriptName>FederationServerProxyWebsitesSSLCertRevocationCheckFailureCheck.ps1</ScriptName>
<ScriptBody>
function ByteArrayMatch ($array1, $array2)
{
if ( ($array1 -eq $null) -or ($array2 -eq $null) )
{
return $false
}
if ( $array1.Length -ne $array2.Length )
{
return $false
}
for ($i = 0; $i -lt $array1.Length; $i++)
{
if ( $array1[$i] -ne $array2[$i] )
{
return $false
}
}
return $true;
}
function GetADFSSSLCertificate()
{
$cert = $null;
$hash = ( Get-WmiObject -namespace "root/MicrosoftIISV2" -Class "IISWebServer" | Where-Object {$_.Name -eq "W3SVC/1"} | Select-object SSLCertHash )
if ($hash -ne $null)
{
$certStoreName = Get-WmiObject -namespace root/MicrosoftIISV2 -Class IISWebServerSetting | Where-Object {$_.Name -eq "W3SVC/1"} | Select-Object SSLStoreName
$certStore = New-Object System.Security.Cryptography.X509Certificates.X509Store($certStoreName.SSLStoreName , [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
$certStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
for ( $i = 0; $i -lt $certStore.Certificates.Count; $i++)
{
$cert = $certStore.Certificates[$i]
if ($cert -ne $null)
{
$certHash = $cert.GetCertHash()
if ( ByteArrayMatch $hash.SSLCertHash $certHash )
{
break;
}
}
$cert = $null
}
}
return $cert
}
[System.Reflection.Assembly]::LoadWithPartialName("System.Security")
$scomapi = new-object -comObject "MOM.ScriptAPI"
$scomapi.LogScriptEvent("ActiveDirectoryFederationServices", 800, 4, "SSL certificate revocation check failure PowerShell monitoring script")
$script:certOK = $true
&{
$sslCertificate = GetADFSSSLCertificate
if ($sslCertificate -ne $null)
{
$certChain = new-object System.Security.Cryptography.X509Certificates.X509Chain
$certChain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$certChain.Build($sslCertificate)
foreach ( $chainStatus in $certChain.ChainStatus )
{
if ( ( $chainStatus.Status -ne [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::NoError ) -and ( $chainStatus.Status -ne [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked ))
{
$script:certOK = $false
$script:exceptionMessage = $chainStatus.StatusInformation
break
}
}
}
}
trap [System.Exception]
{
$script:certOK = $false
$script:exceptionMessage = $_.Exception.Message
continue
}
$scompb = $scomapi.CreatePropertyBag()
$scompb.AddValue("CertOK", $script:certOK )
$scompb.AddValue("ErrorMessage", $script:exceptionMessage )
$scomapi.AddItem($scompb)
$scomapi.ReturnItems() </ScriptBody>
<IntervalSeconds>86400</IntervalSeconds>
<TimeoutSeconds>300</TimeoutSeconds>
<ErrorExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='CertOK']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">false</Value>
</ValueExpression>
</SimpleExpression>
</ErrorExpression>
<SuccessExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='CertOK']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">true</Value>
</ValueExpression>
</SimpleExpression>
</SuccessExpression>
</Configuration>
</UnitMonitor>