Home
  •  

联合服务器上的 SSL 证书警告

Microsoft.ActiveDirectoryFederationServices20.FederationServerWebsitesSSLCertGoingToExpireMonitor (UnitMonitor)

Knowledge Base article:

摘要

在联合服务器上为联合身份验证被动网站配置的 SSL 证书将在 20 天后过期。

原因

SSL 证书将在 20 天后过期。

解决方法

获取新证书,并使用联合身份验证被动网站的 IIS 管理器管理单元导入该证书。

Element properties:

TargetMicrosoft.ActiveDirectoryFederationServices20.Websites
Parent MonitorSystem.Health.ConfigurationState
CategoryAvailabilityHealth
EnabledTrue
Alert GenerateTrue
Alert SeverityWarning
Alert PriorityNormal
Alert Auto ResolveTrue
Monitor TypeMicrosoft.ActiveDirectoryFederationServices20.TwoStateScriptMonitorType
RemotableTrue
AccessibilityPublic
Alert Message
联合服务器上的 SSL 证书警告
为联合身份验证被动网站配置的 SSL 证书将在 20 天后过期。
RunAsDefault

Source Code:

<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices20.FederationServerWebsitesSSLCertGoingToExpireMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices20.Websites" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Microsoft.ActiveDirectoryFederationServices20.TwoStateScriptMonitorType" ConfirmDelivery="false">

  <Category>AvailabilityHealth</Category>

  <AlertSettings AlertMessage="Microsoft.ActiveDirectoryFederationServices20.FederationServerWebsitesSSLCertGoingToExpireMonitor_AlertMessageResourceID">

    <AlertOnState>Warning</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>Warning</AlertSeverity>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success"/>

    <OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Warning"/>

  </OperationalStates>

  <Configuration>

    <PowerShellPath>%windir%\system32\windowspowershell\v1.0\powershell.exe</PowerShellPath>

    <ScriptName>FederationServerWebsitesSSLCertFutureExpiryCheck.ps1</ScriptName>

    <ScriptBody><Script>

            function ByteArrayMatch ($array1, $array2)

{

    if ( ($array1 -eq $null) -or ($array2 -eq $null) )

    {

        return $false

    }

    

    if ( $array1.Length -ne $array2.Length )

    {

        return $false

    }

    

    for ($i = 0; $i -lt $array1.Length; $i++)

    {

        if ( $array1[$i] -ne $array2[$i] )

        {

            return $false

        }

    }

    

    return $true;

}



function GetADFSSSLCertificate()

{

    $cert = $null;

    $hash = ( Get-WmiObject -namespace "root/MicrosoftIISV2" -Class "IISWebServer" |  Where-Object {$_.Name -eq "W3SVC/1"} | Select-object SSLCertHash )

    if ($hash -ne $null)

    {

        $certStoreName = Get-WmiObject -namespace root/MicrosoftIISV2 -Class IISWebServerSetting | Where-Object {$_.Name -eq "W3SVC/1"} | Select-Object SSLStoreName

        $certStore = New-Object System.Security.Cryptography.X509Certificates.X509Store($certStoreName.SSLStoreName , [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)

        $certStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

        

        for ( $i = 0; $i -lt $certStore.Certificates.Count; $i++)

        {

            $cert = $certStore.Certificates[$i]

            if ($cert -ne $null)

            {

                $certHash = $cert.GetCertHash()

                if ( ByteArrayMatch $hash.SSLCertHash $certHash  )

                {                

                    break;

                }

            }

            $cert = $null

        }

    }    

    return $cert

}



[System.Reflection.Assembly]::LoadWithPartialName("System.Security")



$scomapi = new-object -comObject "MOM.ScriptAPI"

$scomapi.LogScriptEvent("ActiveDirectoryFederationServices", 700, 4, "SSL certificate future expiry check PowerShell monitoring script")



$script:certOK = $true



&amp;{

    $sslCertificate = GetADFSSSLCertificate

    if ($sslCertificate -ne $null)

    {

        if ( $sslCertificate.NotAfter.Subtract([System.DateTime]::Now).Days -lt 20 )

        {

            $script:certOK = $false

        }

    }

}

trap [System.Exception]   

{ 

    $script:exceptionMessage = $_.Exception.Message

    $scomapi.LogScriptEvent("ActiveDirectoryFederationServices", 701, 2, "SSL certificate future expiry check PowerShell monitoring  failed with an error. " + $_.Exception.Message)

    continue

}





$scompb = $scomapi.CreatePropertyBag()

$scompb.AddValue("CertOK",  $script:certOK )

$scompb.AddValue("ErrorMessage",  $script:exceptionMessage )

$scomapi.AddItem($scompb) 

$scomapi.ReturnItems() </Script></ScriptBody>

    <IntervalSeconds>86400</IntervalSeconds>

    <TimeoutSeconds>300</TimeoutSeconds>

    <ErrorExpression>

      <SimpleExpression>

        <ValueExpression>

          <XPathQuery Type="String">Property[@Name='CertOK']</XPathQuery>

        </ValueExpression>

        <Operator>Equal</Operator>

        <ValueExpression>

          <Value Type="String">false</Value>

        </ValueExpression>

      </SimpleExpression>

    </ErrorExpression>

    <SuccessExpression>

      <SimpleExpression>

        <ValueExpression>

          <XPathQuery Type="String">Property[@Name='CertOK']</XPathQuery>

        </ValueExpression>

        <Operator>Equal</Operator>

        <ValueExpression>

          <Value Type="String">true</Value>

        </ValueExpression>

      </SimpleExpression>

    </SuccessExpression>

  </Configuration>

</UnitMonitor>