ADFS 3.0 - Certificate Alert

All replies

• 

  

  1

  Sign in to vote

  There is no such functionality inside ADFS but what you can do is write a program to get the metadata, decode the certificates and send an email if they are about to expire.

  
  

  
  
  

  • Edited by nzpcmad1 Thursday, November 2, 2017 6:07 AM sp
  • Proposed as answer by Pierre Audonnet [MSFT]Microsoft employee Monday, November 13, 2017 7:22 PM
  • Marked as answer by Pierre Audonnet [MSFT]Microsoft employee Thursday, November 16, 2017 11:36 PM
  • Unmarked as answer by rush2ramki Friday, November 17, 2017 6:36 AM

  Thursday, November 2, 2017 6:05 AM
• 

  

  0

  Sign in to vote

  If you use Azure AD Connect Health, you can get warnings and notification. See here: https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health

  If you are also an Office 365 customer, you can also have this type of notification in the admin portal: https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-o365-certs

  ---

  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

  • Proposed as answer by Pierre Audonnet [MSFT]Microsoft employee Monday, November 13, 2017 7:22 PM
  • Marked as answer by Pierre Audonnet [MSFT]Microsoft employee Thursday, November 16, 2017 11:36 PM
  • Unmarked as answer by rush2ramki Friday, November 17, 2017 3:35 AM
  • Unproposed as answer by rush2ramki Friday, November 17, 2017 6:36 AM

  Monday, November 13, 2017 7:21 PM
• 

  

  0

  Sign in to vote

  HI Pierre,

  Thanks for the link which has give a clue to get the information from Get-AdfsCertificate | fl

  ========================================================================

  Output :

  Certificate     : [Subject]
                      CN=*.REC350.com, O=REC LIMITED, L=Chennai, S=TamilNadu, C=IN
  
                    [Issuer]
                      CN=GODADDY IN, O=GODADDY ltd, C=IN
  
                    [Serial Number]
                      0A03120ECCDB77946D9560843RRWWFF5FF03
  
                    [Not Before]
                      16/09/2015 01:00:00
  
                    [Not After]
                      30/11/2018 12:00:00
  
                    [Thumbprint]
                      1DC8EB203F66E932F80B70BD13GGGG7D86BCAC046314
  
  CertificateType : Service-Communications
  IsPrimary       : True
  StoreLocation   : LocalMachine
  StoreName       : My
  Thumbprint      : 1DC8EB203F66E932F80B70BD137D86BCAC046314

  Certificate     : [Subject]
                      CN=ADFS Encryption - sts.rec350..com
  
                    [Issuer]
                      CN=ADFS Encryption - sts.rec350.com
  
                    [Serial Number]
                      393235338C079D8A4793434815F896C9
  
                    [Not Before]
                      05/04/2017 10:16:08
  
                    [Not After]
                      05/04/2018 10:16:08
  
                    [Thumbprint]
                      4A32734BE3AAF5A2Dqe471DD787F319B9522W4
  
  CertificateType : Token-Decrypting
  IsPrimary       : True
  StoreLocation   : CurrentUser
  StoreName       : My
  Thumbprint      : 4A32734BE3AAF5A2D7549471DD787F319B9522E4
  

  =======================================================================================

  But i need the information from the certificate rows only like . from the windows power shell i could not take it these information from certificate ooutput

  [Subject]

  [Issuer]

   [Not After]

  [Thumbprint]

  
  

  
  

  Friday, November 17, 2017 3:44 AM
• 

  

  0

  Sign in to vote

  What about something like this:

  Get-AdfsCertificate | ForEach-Object {
      New-Object -TypeName psobject -Property @{
          Type = $_.CertificateType
          Thumbprint = $_.Thumbprint
          ValidFrom = $_.Certificate.NotBefore
          Expiration = $_.Certificate.NotAfter
      }
  } | Select-Object Type,Thumbprint,ValidFrom,Expiration

  The output will look like this:

  Type                   Thumbprint                               ValidFrom           Expiration         
  ----                   ----------                               ---------           ----------         
  Service-Communications 8494AD111D438CB3DCDA76E50077A3CA67FC85A0 22.06.2017 00:00:00 20.09.2018 12:00:00
  Token-Decrypting       B83C6CBCA26782A5687292F4EB4F5DAFB1E9E314 04.05.2017 19:19:29 04.05.2018 19:19:29
  Token-Signing          19F9BCBDEFDBFA9433015822F7D4A2CEBC4D85F7 04.05.2017 19:19:28 04.05.2018 19:19:28
  Token-Signing          5C82633D6E2CECB0F69F58C56B3B7600A92B3237 13.11.2017 04:12:02 13.11.2018 04:12:02

  
  

  You can customize it...You might also be interested on the event generated when stuff is about to expire:

  Id          : 434
  Description : The primary AD FS certificate authority issuer certificate ( thumbprint %1 ) will expire at %2 UTC.
                The certificate rollover service will roll over to the current secondary ( thumbprint %3 ) at %4 UTC.
                To avoid certificate issuance service interruption, ensure that the current secondary certificate ( thumbprint %3 ) is installed in
                Active Directory before the rollover occurs at %4 UTC.
  Parameters  :

  Id          : 436
  Description : The primary AD FS token decryption certificate ( thumbprint %1 ) will expire at %2 UTC.
                The certificate rollover service will roll over to the current secondary ( thumbprint %3 ) at %4 UTC.
                Identity providers that rely on federation metadata will be notified automatically; any identity providers that send encrypted
                tokens to AD FS and do not rely on federation metadata must be informed of the new certificate before the expiration at %2 UTC.
  Parameters  :

  Id          : 435
  Description : The primary AD FS token signing certificate ( thumbprint %1 ) will expire at %2 UTC.
                The certificate rollover service will roll over to the current secondary ( thumbprint %3 ) at %4 UTC.
                Relying parties that rely on federation metadata will be notified automatically; any relying parties that do not rely on federation
                metadata must be informed of the new certificate before the rollover at %4 UTC.
  Parameters  :

  Id          : 548
  Description : The tenant certificate for Azure MFA will expire soon. 
               
                TenantId: %1.
                Thumbprint: %2.
                Expiration date: %3.
  Parameters  :

  ---

  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

  • Proposed as answer by Pierre Audonnet [MSFT]Microsoft employee Sunday, November 19, 2017 7:38 PM
  • Marked as answer by rush2ramki Monday, November 20, 2017 11:21 AM

  Friday, November 17, 2017 1:49 PM
• 

  

  0

  Sign in to vote

  HI Pierre ,

  Thanks for the detailed one

  i came across the below command , which is also working fine

  Get-ADFSCertificate|select -ExpandProperty certificate|select notafter

  Thanks again

  • Marked as answer by rush2ramki Monday, November 20, 2017 11:21 AM

  Monday, November 20, 2017 11:21 AM