ADFS token certificate expiration monitoring

RogerSpraggon · Post by **RogerSpraggon** » Mon Jun 05, 2017 7:42 pm

We monitor number of our certificates for expiry purposes and this works fine.
What we are trying to do now is monitor ADFS Token Signing certificates as these auto renew but some of our Relying Party Trusts to not accept auto update and we need to advise them that certificate is about to change.
Is there a way to do this?

KS-Soft Europe · Post by **KS-Soft Europe** » Tue Jun 06, 2017 12:41 pm

You may use "Shell Script" test method with cusom Powershell script:

Code: Select all

$statusUnknown     = "ScriptRes:Unknown:"
$statusOk          = "ScriptRes:Ok:"
$statusBad         = "ScriptRes:Bad:"

if (!$args[0]) {
  echo  $statusUnknown"Cartificate expiration threshold is required."
  exit
}

$CertLimit = $args[0]
$CertExp = (NEW-TIMESPAN â€“Start (Get-Date) â€“End (Get-ADFSCertificate -CertificateType "Token-Signing" | where-object {$_.IsPrimary}).Certificate.NotAfter).Days
  
if ($CertExp -le $CertLimit)  {    echo $statusBad$CertExp } 
else {    echo $statusOk$CertExp }

Start cmd: powershell.exe %script% %params%

Script retrieves ADFS Token Signing active certificate and returns amount of days left to certificate expiration.

RogerSpraggon · Post by **RogerSpraggon** » Tue Jun 06, 2017 4:43 pm

Thank you script is brilliant and works when I run locally from PowerShell on our ADFS server.
Only thing I am struggling with now is how to get the host monitor system to execute this script on our ADFS server

RogerSpraggon · Post by **RogerSpraggon** » Tue Jun 06, 2017 5:13 pm

Its ok, I set up RMA on ADFS server and it works fine.
Thank you very much for a very prompt and fully working solution.

KS-Soft Europe · Post by **KS-Soft Europe** » Wed Jun 07, 2017 2:00 am

You are welcome !