ADFS 3.0 - Certificate Alert

  • Question

  • Hello Team,

    Greetings!

    How can I get an email alert about the ADFS 3.0 certificates? Is there any script / command to get all the certificates, to notify in advance before expiry?

    Thanks

    Thursday, November 2, 2017 4:21 AM

Answers

  • What about something like this:

    # One object per certificate binding AD FS knows about; the X.509 dates live on
    # the nested .Certificate (X509Certificate2) property, so they are lifted out here.
    Get-AdfsCertificate | ForEach-Object {
        New-Object -TypeName psobject -Property @{
            Type = $_.CertificateType
            Thumbprint = $_.Thumbprint
            ValidFrom = $_.Certificate.NotBefore
            Expiration = $_.Certificate.NotAfter
        }
    } | Select-Object Type,Thumbprint,ValidFrom,Expiration   # fixes the column order

    The output will look like this:

    Type                   Thumbprint                               ValidFrom           Expiration         
    ----                   ----------                               ---------           ----------         
    Service-Communications 8494AD111D438CB3DCDA76E50077A3CA67FC85A0 22.06.2017 00:00:00 20.09.2018 12:00:00
    Token-Decrypting       B83C6CBCA26782A5687292F4EB4F5DAFB1E9E314 04.05.2017 19:19:29 04.05.2018 19:19:29
    Token-Signing          19F9BCBDEFDBFA9433015822F7D4A2CEBC4D85F7 04.05.2017 19:19:28 04.05.2018 19:19:28
    Token-Signing          5C82633D6E2CECB0F69F58C56B3B7600A92B3237 13.11.2017 04:12:02 13.11.2018 04:12:02

    You can customize it... You might also be interested in the events generated when stuff is about to expire:

    Id          : 434
    Description : The primary AD FS certificate authority issuer certificate ( thumbprint %1 ) will expire at %2 UTC.
                  The certificate rollover service will roll over to the current secondary ( thumbprint %3 ) at %4 UTC.
                  To avoid certificate issuance service interruption, ensure that the current secondary certificate ( thumbprint %3 ) is installed in
                  Active Directory before the rollover occurs at %4 UTC.
    Parameters  :

    Id          : 436
    Description : The primary AD FS token decryption certificate ( thumbprint %1 ) will expire at %2 UTC.
                  The certificate rollover service will roll over to the current secondary ( thumbprint %3 ) at %4 UTC.
                  Identity providers that rely on federation metadata will be notified automatically; any identity providers that send encrypted
                  tokens to AD FS and do not rely on federation metadata must be informed of the new certificate before the expiration at %2 UTC.
    Parameters  :

    Id          : 435
    Description : The primary AD FS token signing certificate ( thumbprint %1 ) will expire at %2 UTC.
                  The certificate rollover service will roll over to the current secondary ( thumbprint %3 ) at %4 UTC.
                  Relying parties that rely on federation metadata will be notified automatically; any relying parties that do not rely on federation
                  metadata must be informed of the new certificate before the rollover at %4 UTC.
    Parameters  :

    Id          : 548
    Description : The tenant certificate for Azure MFA will expire soon. 
                 
                  TenantId: %1.
                  Thumbprint: %2.
                  Expiration date: %3.
    Parameters  :


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Friday, November 17, 2017 1:49 PM
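The answer above lists the certificates and the events AD FS raises; what the question actually asked for is the alert. The script below is an added example written for this page, not code from the thread or from Microsoft. It runs on the federation server (it needs the AD FS module for Get-AdfsCertificate and Get-AdfsProperties), flags every certificate inside a warning window, distinguishes the auto-rolled Token-Signing / Token-Decrypting pair from the Service-Communications certificate that nobody renews for you, picks up events 434/435/436/548 from the "AD FS/Admin" log, and mails the result. The SMTP host and addresses are placeholders.

```powershell
# Added example (not from the original thread): alert on AD FS certificate
# expiry from the federation server itself. Assumes the AD FS PowerShell
# module is available; SMTP server, sender and recipient are placeholders.
param(
    [int]    $WarnDays   = 30,
    [string] $SmtpServer = 'smtp.example.com',        # assumption
    [string] $From       = 'adfs-monitor@example.com', # assumption
    [string] $To         = 'pki-team@example.com'      # assumption
)

# Flatten Get-AdfsCertificate output into records and flag the ones that
# expire within $WarnDays. Takes the certificate objects as a parameter so
# the logic can be exercised with fake objects without an AD FS server.
function Get-AdfsCertificateStatus {
    param(
        [Parameter(Mandatory)] $AdfsCertificates,
        [int]      $WarnDays = 30,
        [datetime] $Now      = (Get-Date)
    )
    foreach ($c in $AdfsCertificates) {
        $daysLeft = [int][math]::Floor(($c.Certificate.NotAfter - $Now).TotalDays)
        [pscustomobject]@{
            Type       = $c.CertificateType
            IsPrimary  = $c.IsPrimary
            Subject    = $c.Certificate.Subject
            Issuer     = $c.Certificate.Issuer
            Thumbprint = $c.Thumbprint
            NotAfter   = $c.Certificate.NotAfter
            DaysLeft   = $daysLeft
            Expiring   = ($daysLeft -le $WarnDays)
        }
    }
}

$status = Get-AdfsCertificateStatus -AdfsCertificates (Get-AdfsCertificate) -WarnDays $WarnDays
$status | Sort-Object NotAfter |
    Format-Table Type, IsPrimary, Thumbprint, NotAfter, DaysLeft, Expiring -AutoSize

# With AutoCertificateRollover on, AD FS generates a secondary Token-Signing /
# Token-Decrypting certificate and promotes it before the primary expires
# (events 435/436). A primary near expiry with no secondary of the same type,
# or any Service-Communications certificate near expiry, needs a human.
$props  = Get-AdfsProperties
$alerts = foreach ($s in ($status | Where-Object Expiring)) {
    $hasSecondary = $status | Where-Object { $_.Type -eq $s.Type -and -not $_.IsPrimary }
    $autoRolled   = ('Token-Signing', 'Token-Decrypting' -contains $s.Type)
    if ($autoRolled -and $props.AutoCertificateRollover -and $hasSecondary) {
        "$($s.Type) $($s.Thumbprint) expires $($s.NotAfter) in $($s.DaysLeft) days; auto-rollover is on and a secondary exists. Confirm relying parties consume federation metadata."
    } else {
        "$($s.Type) $($s.Thumbprint) expires $($s.NotAfter) in $($s.DaysLeft) days: manual renewal required (AutoCertificateRollover=$($props.AutoCertificateRollover))."
    }
}

# Include the expiry events AD FS wrote in the last 24 hours, if any.
$events = Get-WinEvent -FilterHashtable @{
        LogName = 'AD FS/Admin'; Id = 434, 435, 436, 548; StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    ForEach-Object { "Event $($_.Id) at $($_.TimeCreated): $($_.Message)" }

if ($alerts -or $events) {
    $body = (@($alerts) + @($events) | Where-Object { $_ }) -join "`n"
    Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To `
        -Subject "[AD FS] $env:COMPUTERNAME certificate expiry warning" -Body $body
}
```

Run it from a scheduled task under an account that can read the AD FS configuration and the AD FS/Admin log; on a farm the certificate set is shared, so one node is enough, but the Service-Communications certificate is bound per node and should be checked on each. The script only reports: a forced rollover (Update-AdfsCertificate) or a new service-communications certificate is a change that partners must be told about, so it belongs in a change window, not in a monitoring job.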
  • Hi Pierre,

    Thanks for the detailed one.

    I came across the below command, which is also working fine:

    Get-AdfsCertificate | Select-Object -ExpandProperty Certificate | Select-Object NotAfter

    Thanks again

    • Marked as answer by rush2ramki Monday, November 20, 2017 11:21 AM
    Monday, November 20, 2017 11:21 AM

All replies

  • There is no such functionality inside ADFS, but what you can do is write a program to get the metadata, decode the certificates and send an email if they are about to expire.

    Thursday, November 2, 2017 6:05 AM
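The reply above suggests reading the federation metadata instead of the server. That is the approach a monitoring host with no AD FS module can take, and it also shows exactly what partners see. The function below is an added example written for this page, not code from the thread or from Microsoft: it parses a FederationMetadata.xml document, decodes every X509Certificate in a KeyDescriptor (use="signing" / "encryption") and reports the expiry. The metadata URL uses a placeholder host; the offline run at the end mints a throwaway self-signed certificate in memory (needs .NET Framework 4.7.2+ or PowerShell 7) and wraps it in a constructed metadata fragment shaped like the AD FS one.

```powershell
# Added example (not from the original thread): monitor the certificates AD FS
# publishes in its federation metadata. No AD FS module required.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Parse a federation metadata document and return one record per certificate
# found under a KeyDescriptor. The role comes from the enclosing element
# (IDPSSODescriptor, SPSSODescriptor, RoleDescriptor, ...).
function Get-FederationMetadataCertificate {
    param(
        [Parameter(Mandatory)] [string] $MetadataXml,
        [int]      $WarnDays = 30,
        [datetime] $Now      = (Get-Date)
    )
    $doc = [xml]$MetadataXml
    $ns  = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    foreach ($kd in $doc.SelectNodes('//md:KeyDescriptor', $ns)) {
        foreach ($node in $kd.SelectNodes('.//ds:X509Certificate', $ns)) {
            # Base64 DER, possibly wrapped across lines in the document.
            $raw      = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
            $cert     = [X509Certificate2]::new($raw)
            $daysLeft = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)
            [pscustomobject]@{
                Role       = $kd.ParentNode.LocalName
                Use        = $kd.GetAttribute('use')
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                DaysLeft   = $daysLeft
                Expiring   = ($daysLeft -le $WarnDays)
            }
        }
    }
}

# Live use against a federation service (placeholder host name):
#   $url = 'https://sts.example.com/FederationMetadata/2007-06/FederationMetadata.xml'
#   $xml = (Invoke-WebRequest -Uri $url -UseBasicParsing).Content
#   Get-FederationMetadataCertificate -MetadataXml $xml | Where-Object Expiring

# Offline demonstration: a constructed metadata document around a self-signed
# certificate that is valid for $ValidDays more days.
function New-SampleMetadata {
    param([int] $ValidDays)
    $rsa  = [RSA]::Create(2048)
    $req  = [CertificateRequest]::new('CN=ADFS Signing - sample', $rsa,
                [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $cert = $req.CreateSelfSigned([datetimeoffset]::UtcNow.AddDays(-1),
                                  [datetimeoffset]::UtcNow.AddDays($ValidDays))
    $b64  = [Convert]::ToBase64String($cert.Export([X509ContentType]::Cert))
@"
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://sts.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data><X509Certificate>$b64</X509Certificate></X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>
"@
}

# A 10-day certificate against a 30-day window is reported as Expiring = True.
$sample = New-SampleMetadata -ValidDays 10
Get-FederationMetadataCertificate -MetadataXml $sample -WarnDays 30 |
    Format-Table Role, Use, Subject, NotAfter, DaysLeft, Expiring -AutoSize
```

Two caveats for the live case. The metadata carries only the token-signing and token-decrypting certificates; the Service-Communications (HTTPS) certificate is not in it, so probe the TLS endpoint separately, and do that with chain validation on rather than a bypass callback. And the metadata is what AD FS says its certificates are, not what is installed: after a rollover, compare the thumbprints reported here with the ones Get-AdfsCertificate returns on the server to catch a metadata cache or publication problem.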
  • If you use Azure AD Connect Health, you can get warnings and notification. See here: https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health

    If you are also an Office 365 customer, you can also have this type of notification in the admin portal: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-o365-certs


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, November 13, 2017 7:21 PM
  • Hi Pierre,

    Thanks for the link, which has given a clue to get the information from Get-AdfsCertificate | fl

    ========================================================================

    Output :

    Certificate     : [Subject]
                        CN=*.REC350.com, O=REC LIMITED, L=Chennai, S=TamilNadu, C=IN

                      [Issuer]
                        CN=GODADDY IN, O=GODADDY ltd, C=IN

                      [Serial Number]
                        0A03120ECCDB77946D9560843RRWWFF5FF03

                      [Not Before]
                        16/09/2015 01:00:00

                      [Not After]
                        30/11/2018 12:00:00

                      [Thumbprint]
                        1DC8EB203F66E932F80B70BD13GGGG7D86BCAC046314

    CertificateType : Service-Communications
    IsPrimary       : True
    StoreLocation   : LocalMachine
    StoreName       : My
    Thumbprint      : 1DC8EB203F66E932F80B70BD137D86BCAC046314

    Certificate     : [Subject]
                        CN=ADFS Encryption - sts.rec350..com

                      [Issuer]
                        CN=ADFS Encryption - sts.rec350.com

                      [Serial Number]
                        393235338C079D8A4793434815F896C9

                      [Not Before]
                        05/04/2017 10:16:08

                      [Not After]
                        05/04/2018 10:16:08

                      [Thumbprint]
                        4A32734BE3AAF5A2Dqe471DD787F319B9522W4

    CertificateType : Token-Decrypting
    IsPrimary       : True
    StoreLocation   : CurrentUser
    StoreName       : My
    Thumbprint      : 4A32734BE3AAF5A2D7549471DD787F319B9522E4

    =======================================================================================

    But I need the information from the certificate rows only, like the following. From Windows PowerShell I could not take this information out of the certificate output:

    [Subject]

    [Issuer]

    [Not After]

    [Thumbprint]


    Friday, November 17, 2017 3:44 AM