Si è verificato un errore durante un tentativo di verificare lo stato della revoca del certificato SSL configurato nel sito Web passivo federativo.
Il proxy server federativo non è in grado di comunicare con un server dell'elenco di revoche di certificati (CRL).
Verificare quanto riportato di seguito.
Che i proxy server federativi dispongano di accesso a Internet.
Che il traffico tra i proxy server federativi e il server CRL non sia bloccato da un firewall o da criteri di accesso all'extranet.
Target | Microsoft.ActiveDirectoryFederationServices20.FederationServerProxyWebsites | ||
Parent Monitor | System.Health.ConfigurationState | ||
Category | AvailabilityHealth | ||
Enabled | True | ||
Alert Generate | True | ||
Alert Severity | Warning | ||
Alert Priority | Normal | ||
Alert Auto Resolve | True | ||
Monitor Type | Microsoft.ActiveDirectoryFederationServices20.TwoStateScriptMonitorType | ||
Remotable | True | ||
Accessibility | Public | ||
Alert Message | | ||
RunAs | Default |
<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices20.FederationServerProxyWebsitesSSLCertRevocationCheckFailureMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices20.FederationServerProxyWebsites" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Microsoft.ActiveDirectoryFederationServices20.TwoStateScriptMonitorType" ConfirmDelivery="false">
<Category>AvailabilityHealth</Category>
<AlertSettings AlertMessage="Microsoft.ActiveDirectoryFederationServices20.FederationServerProxyWebsitesSSLCertRevocationCheckFailureMonitor_AlertMessageResourceID">
<AlertOnState>Warning</AlertOnState>
<AutoResolve>true</AutoResolve>
<AlertPriority>Normal</AlertPriority>
<AlertSeverity>Warning</AlertSeverity>
</AlertSettings>
<OperationalStates>
<OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success"/>
<OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Warning"/>
</OperationalStates>
<Configuration>
<PowerShellPath>%windir%\system32\windowspowershell\v1.0\powershell.exe</PowerShellPath>
<ScriptName>FederationServerProxyWebsitesSSLCertRevocationCheckFailureCheck.ps1</ScriptName>
<ScriptBody>
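# Returns $true when both byte arrays are non-null, have the same length and
# agree element by element; $false otherwise (including when either side is $null).
# Used to match an IIS SSLCertHash against X509Certificate2.GetCertHash() output.
# Certificate thumbprints are public values, so a constant-time comparison is not needed.
function ByteArrayMatch ($array1, $array2)
{
    # $null goes on the LEFT: "$array -eq $null" filters the array for null
    # elements instead of testing the array itself, so an array that happens to
    # contain nulls would be reported as "not matching" by the old form.
    if ( ($null -eq $array1) -or ($null -eq $array2) )
    {
        return $false
    }
    if ( $array1.Length -ne $array2.Length )
    {
        return $false
    }
    for ($i = 0; $i -lt $array1.Length; $i++)
    {
        if ( $array1[$i] -ne $array2[$i] )
        {
            return $false
        }
    }
    return $true
}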
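# Returns the X509Certificate2 bound to the IIS site $SitePath, or $null when the
# site, its SSLCertHash or a matching certificate in the configured store cannot
# be found. The default "W3SVC/1" is the IIS Default Web Site, which is where the
# ADFS 2.0 proxy web sites are expected to be hosted (the original hard-coded it).
# Requires the IIS 6 WMI compatibility provider (root/MicrosoftIISV2); WMI or
# store errors are not handled here and propagate to the caller's trap.
# NOTE(review): a $null return makes the caller skip the revocation check and
# report healthy (fail-open) - confirm a separate monitor covers a missing binding.
function GetADFSSSLCertificate([string]$SitePath = "W3SVC/1")
{
    $cert = $null
    $binding = Get-WmiObject -namespace "root/MicrosoftIISV2" -Class "IISWebServer" |
        Where-Object { $_.Name -eq $SitePath } |
        Select-Object SSLCertHash
    if ($null -eq $binding)
    {
        return $cert
    }
    $storeSetting = Get-WmiObject -namespace root/MicrosoftIISV2 -Class IISWebServerSetting |
        Where-Object { $_.Name -eq $SitePath } |
        Select-Object SSLStoreName
    # SSLStoreName names the LocalMachine store the binding points at (normally "MY").
    $certStore = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeSetting.SSLStoreName, [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
    $certStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    # Scan the store for the certificate whose hash equals the bound SSLCertHash.
    foreach ($candidate in $certStore.Certificates)
    {
        if ($null -ne $candidate)
        {
            $candidateHash = $candidate.GetCertHash()
            if (ByteArrayMatch $binding.SSLCertHash $candidateHash)
            {
                $cert = $candidate
                break
            }
        }
    }
    # Release the store handle; the original opened the store and never closed it.
    $certStore.Close()
    return $cert
}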
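# Script body: locate the ADFS proxy SSL certificate, build its chain with ONLINE
# revocation checking, and hand a property bag (CertOK, ErrorMessage) to SCOM.
# Obsolete loader kept as in the original; the X509 types used below resolve without it.
[System.Reflection.Assembly]::LoadWithPartialName("System.Security")
$scomapi = new-object -comObject "MOM.ScriptAPI"
$scomapi.LogScriptEvent("ActiveDirectoryFederationServices", 800, 4, "SSL certificate revocation check failure PowerShell monitoring script")
$script:certOK = $true
# Initialised so the ErrorMessage property is always a string; the original left
# it undefined (and therefore $null in the bag) on the healthy path.
$script:exceptionMessage = ""
&{
    $sslCertificate = GetADFSSSLCertificate
    # NOTE(review): when no certificate is found nothing is checked and the
    # monitor stays healthy (fail-open) - confirm another monitor covers that case.
    if ($null -ne $sslCertificate)
    {
        $certChain = new-object System.Security.Cryptography.X509Certificates.X509Chain
        # Online forces a live CRL/OCSP lookup; an unreachable CRL server shows up
        # as a non-NoError chain status rather than as an exception.
        $certChain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        # Return value is not used; the per-element ChainStatus is inspected instead.
        $certChain.Build($sslCertificate)
        foreach ( $chainStatus in $certChain.ChainStatus )
        {
            # Revoked is deliberately NOT a failure here: this monitor reports the
            # ability to perform the check, not its verdict (presumably a separate
            # monitor alerts on an actually revoked certificate - confirm).
            # NOTE(review): every other status (expired, untrusted root, ...) is also
            # reported as a failure although the alert text blames CRL connectivity;
            # the real status text is carried in ErrorMessage.
            if ( ( $chainStatus.Status -ne [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::NoError ) -and ( $chainStatus.Status -ne [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked ))
            {
                $script:certOK = $false
                $script:exceptionMessage = $chainStatus.StatusInformation
                break
            }
        }
    }
}
# Any exception from the block above (WMI, store or chain errors) is reported as
# a check failure; "continue" resumes at the next statement so the bag is still sent.
trap [System.Exception]
{
    $script:certOK = $false
    $script:exceptionMessage = $_.Exception.Message
    continue
}
$scompb = $scomapi.CreatePropertyBag()
$scompb.AddValue("CertOK", $script:certOK )
$scompb.AddValue("ErrorMessage", $script:exceptionMessage )
$scomapi.AddItem($scompb)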
$scomapi.ReturnItems() </ScriptBody>
<IntervalSeconds>86400</IntervalSeconds>
<TimeoutSeconds>300</TimeoutSeconds>
<ErrorExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='CertOK']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">false</Value>
</ValueExpression>
</SimpleExpression>
</ErrorExpression>
<SuccessExpression>
<SimpleExpression>
<ValueExpression>
<XPathQuery Type="String">Property[@Name='CertOK']</XPathQuery>
</ValueExpression>
<Operator>Equal</Operator>
<ValueExpression>
<Value Type="String">true</Value>
</ValueExpression>
</SimpleExpression>
</SuccessExpression>
</Configuration>
</UnitMonitor>