Home
  •  

SSL Certificate Warning On The Federation Server

Microsoft.ActiveDirectoryFederationServices20.FederationServerWebsitesSSLCertGoingToExpireMonitor (UnitMonitor)

Knowledge Base article:

Summary

The SSL certificate that is configured for the federation passive Web site on the federation server will expire in 20 days.

Causes

The SSL certificate will expire in 20 days.

Resolutions

Obtain a new certificate and import it using the IIS Manager snap-in for the federation passive Web site.

Element properties:

TargetMicrosoft.ActiveDirectoryFederationServices20.Websites
Parent MonitorSystem.Health.ConfigurationState
CategoryAvailabilityHealth
EnabledTrue
Alert GenerateTrue
Alert SeverityWarning
Alert PriorityNormal
Alert Auto ResolveTrue
Monitor TypeMicrosoft.ActiveDirectoryFederationServices20.TwoStateScriptMonitorType
RemotableTrue
AccessibilityPublic
Alert Message
SSL Certificate Warning On the Federation Server
The SSL certificate that is configured for the federation passive Web site will expire in 20 days.
RunAsDefault

Source Code:

<UnitMonitor ID="Microsoft.ActiveDirectoryFederationServices20.FederationServerWebsitesSSLCertGoingToExpireMonitor" Accessibility="Public" Enabled="true" Target="Microsoft.ActiveDirectoryFederationServices20.Websites" ParentMonitorID="Health!System.Health.ConfigurationState" Remotable="true" Priority="Normal" TypeID="Microsoft.ActiveDirectoryFederationServices20.TwoStateScriptMonitorType" ConfirmDelivery="false">

  <Category>AvailabilityHealth</Category>

  <AlertSettings AlertMessage="Microsoft.ActiveDirectoryFederationServices20.FederationServerWebsitesSSLCertGoingToExpireMonitor_AlertMessageResourceID">

    <AlertOnState>Warning</AlertOnState>

    <AutoResolve>true</AutoResolve>

    <AlertPriority>Normal</AlertPriority>

    <AlertSeverity>Warning</AlertSeverity>

  </AlertSettings>

  <OperationalStates>

    <OperationalState ID="Success" MonitorTypeStateID="Success" HealthState="Success"/>

    <OperationalState ID="Error" MonitorTypeStateID="Error" HealthState="Warning"/>

  </OperationalStates>

  <Configuration>

    <PowerShellPath>%windir%\system32\windowspowershell\v1.0\powershell.exe</PowerShellPath>

    <ScriptName>FederationServerWebsitesSSLCertFutureExpiryCheck.ps1</ScriptName>

    <ScriptBody><Script>

            function ByteArrayMatch ($array1, $array2)

{

    if ( ($array1 -eq $null) -or ($array2 -eq $null) )

    {

        return $false

    }

    

    if ( $array1.Length -ne $array2.Length )

    {

        return $false

    }

    

    for ($i = 0; $i -lt $array1.Length; $i++)

    {

        if ( $array1[$i] -ne $array2[$i] )

        {

            return $false

        }

    }

    

    return $true;

}



function GetADFSSSLCertificate()

{

    $cert = $null;

    $hash = ( Get-WmiObject -namespace "root/MicrosoftIISV2" -Class "IISWebServer" |  Where-Object {$_.Name -eq "W3SVC/1"} | Select-object SSLCertHash )

    if ($hash -ne $null)

    {

        $certStoreName = Get-WmiObject -namespace root/MicrosoftIISV2 -Class IISWebServerSetting | Where-Object {$_.Name -eq "W3SVC/1"} | Select-Object SSLStoreName

        $certStore = New-Object System.Security.Cryptography.X509Certificates.X509Store($certStoreName.SSLStoreName , [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)

        $certStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)

        

        for ( $i = 0; $i -lt $certStore.Certificates.Count; $i++)

        {

            $cert = $certStore.Certificates[$i]

            if ($cert -ne $null)

            {

                $certHash = $cert.GetCertHash()

                if ( ByteArrayMatch $hash.SSLCertHash $certHash  )

                {                

                    break;

                }

            }

            $cert = $null

        }

    }    

    return $cert

}



[System.Reflection.Assembly]::LoadWithPartialName("System.Security")



$scomapi = new-object -comObject "MOM.ScriptAPI"

$scomapi.LogScriptEvent("ActiveDirectoryFederationServices", 700, 4, "SSL certificate future expiry check PowerShell monitoring script")



$script:certOK = $true



&amp;{

    $sslCertificate = GetADFSSSLCertificate

    if ($sslCertificate -ne $null)

    {

        if ( $sslCertificate.NotAfter.Subtract([System.DateTime]::Now).Days -lt 20 )

        {

            $script:certOK = $false

        }

    }

}

trap [System.Exception]   

{ 

    $script:exceptionMessage = $_.Exception.Message

    $scomapi.LogScriptEvent("ActiveDirectoryFederationServices", 701, 2, "SSL certificate future expiry check PowerShell monitoring  failed with an error. " + $_.Exception.Message)

    continue

}





$scompb = $scomapi.CreatePropertyBag()

$scompb.AddValue("CertOK",  $script:certOK )

$scompb.AddValue("ErrorMessage",  $script:exceptionMessage )

$scomapi.AddItem($scompb) 

$scomapi.ReturnItems() </Script></ScriptBody>

    <IntervalSeconds>86400</IntervalSeconds>

    <TimeoutSeconds>300</TimeoutSeconds>

    <ErrorExpression>

      <SimpleExpression>

        <ValueExpression>

          <XPathQuery Type="String">Property[@Name='CertOK']</XPathQuery>

        </ValueExpression>

        <Operator>Equal</Operator>

        <ValueExpression>

          <Value Type="String">false</Value>

        </ValueExpression>

      </SimpleExpression>

    </ErrorExpression>

    <SuccessExpression>

      <SimpleExpression>

        <ValueExpression>

          <XPathQuery Type="String">Property[@Name='CertOK']</XPathQuery>

        </ValueExpression>

        <Operator>Equal</Operator>

        <ValueExpression>

          <Value Type="String">true</Value>

        </ValueExpression>

      </SimpleExpression>

    </SuccessExpression>

  </Configuration>

</UnitMonitor>