Monday, November 20, 2017

ADFS : ADFS Help

This tool has been extended with more scripts and tooling.



For the log tools:

"AdfsEventsModule Overview

This module provides tools for gathering related ADFS events from the security, admin, and debug logs, across multiple servers. This tool also allows the user to reconstruct the HTTP request/response headers from the logs.

Cmdlets in AdfsEventsModule

This module exposes two cmdlets:

Get-ADFSEvents

and

Write-ADFSEventsSummary

The detailed parameters for each are provided below.

The Get-ADFSEvents cmdlet is used to aggregate events by correlation ID, while the Write-ADFSEventsSummary cmdlet is used to generate a PowerShell Table of only the most relevant logging information from the events that are piped in."

For the Diagnostics, the download is a PowerShell module that you need to import:

import-module -name .\ADFSDiagnostics.psm1 -verbose
VERBOSE: Loading module from path 'C:\junk\ADFSDiagnostics.psm1'.
VERBOSE: Importing function 'Get-AdfsServerConfiguration'.
VERBOSE: Importing function 'Get-AdfsServerTrace'.
VERBOSE: Importing function 'Get-AdfsSystemInformation'.
VERBOSE: Importing function 'Get-AdfsVersionEx'.
VERBOSE: Importing function 'Receive-AdfsServerTrace'.
VERBOSE: Importing function 'Set-ADFSDiagTestMode'.
VERBOSE: Importing function 'Start-AdfsServerTrace'.
VERBOSE: Importing function 'Test-AdfsServerHealth'.
VERBOSE: Importing function 'Test-AdfsServerHealthSingleCheck'.
VERBOSE: Importing function 'Test-AdfsServerToken'.


Some examples:

Get-AdfsSystemInformation

OSVersion                 : 10.0.14393.0
OSName                    : Microsoft Windows Server 2016 Datacenter
MachineDomain             : dev.local
IPAddress                 : 100.75.64.15
TimeZone                  : Coordinated Universal Time
LastRebootTime            : 10/24/2017 6:49:22 PM
MachineType               : Virtual Machine
NumberOfLogicalProcessors : 1
MaxClockSpeed             : 2394
PhsicalMemory             : 1792
Hosts                     : {}
Hotfixes                  : {KB4023834, KB3199986, KB4013418, KB4035631...}
AdfsWmiProperties         : {ConfigurationDatabaseConnectionString, ConfigurationServiceAddress,
                            ConfigurationChannelMaxMessageSizeInBytes}
SslBindings               : {System.Collections.Hashtable, System.Collections.Hashtable, System.Collections.Hashtable,
                            System.Collections.Hashtable...}
AdfssrvServiceAccount     : DEV\xxx
AdfsVersion               : 3.0
Role                      : STS
Top10ProcessesByMemory    : {@{Name=Microsoft.Sirona.OMS.Security.BaselineAssessment; MemoryInMB=80.625;
                            MemoryPercentOfTotal=4.49916294642857},
                            @{Name=Microsoft.Identity.AadConnect.Health.AadSync.Host; MemoryInMB=76.25390625;
                            MemoryPercentOfTotal=4.25524030412946}, @{Name=miiserver; MemoryInMB=57.1640625;
                            MemoryPercentOfTotal=3.18995884486607}, @{Name=MsMpEng; MemoryInMB=47.8046875;
                            MemoryPercentOfTotal=2.66767229352679}...}
AdHealthAgentInformation  : AdHealthAgentInformation


Get-AdfsServerConfiguration

ADFSSyncProperties                        : Microsoft.IdentityServer.Management.Resources.SyncPropertiesBase
ADFSAttributeStore                        : {Microsoft.IdentityServer.Management.Resources.AttributeStore,
                                            Microsoft.IdentityServer.Management.Resources.AttributeStore}
ADFSCertificate                           : {@{Certificate=[Subject]
                                              CN=xxx

                                            [Issuer]
                                              CN=xxx

                                            [Serial Number]
                                              62...D7

                                            [Not Before]
                                              8/21/2017 12:00:00 PM

                                            [Not After]
                                              8/28/2027 12:00:00 PM

                                            [Thumbprint]
                                              24...35
                                            ; CertificateType=Service-Communications; IsPrimary=True; StoreName=My;
                                            StoreLocation=LocalMachine;
                                            Thumbprint=24...35},
                                            @{Certificate=[Subject]
                                              CN=ADFS Encryption - xxx

                                            [Issuer]
                                              CN=ADFS Encryption - xxx

                                            [Serial Number]
                                              70...6B

                                            [Not Before]
                                              11/2/2017 8:31:02 PM

                                            [Not After]
                                              11/2/2018 8:31:02 PM

                                            [Thumbprint]
                                              ED...13
                                            ; CertificateType=Token-Decrypting; IsPrimary=True; StoreName=My;
                                            StoreLocation=CurrentUser;
                                            Thumbprint=ED...13},
                                            @{Certificate=[Subject]
                                              CN=ADFS Signing - xxx

                                            [Issuer]
                                              CN=ADFS Signing - xxx

                                            [Serial Number]
                                              6B...00

                                            [Not Before]
                                              11/2/2017 8:31:14 PM

                                            [Not After]
                                              11/2/2018 8:31:14 PM

                                            [Thumbprint]
                                              D1...F3
                                            ; CertificateType=Token-Signing; IsPrimary=True; StoreName=My;
                                            StoreLocation=CurrentUser;
                                            Thumbprint=D1...F3},
                                            @{Certificate=[Subject]
                                              CN=ADFS Encryption - xxx

                                            [Issuer]
                                              CN=ADFS Encryption - xxx

                                            [Serial Number]
                                              4C...95

                                            [Not Before]
                                              11/22/2016 7:34:42 PM

                                            [Not After]
                                              11/22/2017 7:34:42 PM

                                            [Thumbprint]
                                              94...35
                                            ; CertificateType=Token-Decrypting; IsPrimary=False; StoreName=My;
                                            StoreLocation=CurrentUser;
                                            Thumbprint=94...35}...}
ADFSClaimDescription                      : {Microsoft.IdentityServer.Management.Resources.ClaimDescription,
                                            Microsoft.IdentityServer.Management.Resources.ClaimDescription,
                                            Microsoft.IdentityServer.Management.Resources.ClaimDescription,
                                            Microsoft.IdentityServer.Management.Resources.ClaimDescription...}
ADFSEndpoint                              : {Microsoft.IdentityServer.Management.Resources.Endpoint,
                                            Microsoft.IdentityServer.Management.Resources.Endpoint,
                                            Microsoft.IdentityServer.Management.Resources.Endpoint,
                                            Microsoft.IdentityServer.Management.Resources.Endpoint...}
ADFSProperties                            : Microsoft.IdentityServer.Management.Resources.ServiceProperties
ADFSRelyingPartyTrustCount                : 4
ADFSClaimsProviderTrustCount              : 6
ADFSConfigurationDatabaseConnectionString : Data Source=np:\\.\pipe\microsoft##wid\tsql\query;Initial
                                            Catalog=AdfsConfigurationV3;Integrated Security=True
AdfssrvServiceAccount                     : DEV\xxx
AdfsVersion                               : 3.0
AadTrustStatus                            : Not Configured
ADFSAdditionalAuthenticationRule          :
ADFSClient                                : {Microsoft.IdentityServer.Management.Resources.AdfsClient,
                                            Microsoft.IdentityServer.Management.Resources.AdfsClient,
                                            Microsoft.IdentityServer.Management.Resources.AdfsClient,
                                            Microsoft.IdentityServer.Management.Resources.AdfsClient...}
ADFSGlobalAuthenticationPolicy            : Microsoft.IdentityServer.Management.Resources.AdfsGlobalAuthenticationPolic
                                            y
ADFSDeviceRegistration                    : Microsoft.IdentityServer.Management.Resources.DeviceRegistrationServiceObject


Test-AdfsServerHealth | ft Name,Result  -AutoSize

Name                                                         Result
----                                                         ------
IsAdfsRunning                                                  Pass
IsWidRunning                                                   Pass
PingFederationMetadata                                         Pass
CheckAdfsSslBindings                                           Pass
Test-Certificate-Token-Decrypting-Primary-NotFoundInStore    NotRun
Test-Certificate-Token-Decrypting-Primary-IsSelfSigned       NotRun
Test-Certificate-Token-Decrypting-Primary-PrivateKeyAbsent   NotRun
Test-Certificate-Token-Decrypting-Primary-Expired              Pass
Test-Certificate-Token-Decrypting-Primary-Revoked              Pass
Test-Certificate-Token-Decrypting-Primary-AboutToExpire      NotRun
Test-Certificate-Token-Signing-Primary-NotFoundInStore       NotRun
Test-Certificate-Token-Signing-Primary-IsSelfSigned          NotRun
Test-Certificate-Token-Signing-Primary-PrivateKeyAbsent      NotRun
Test-Certificate-Token-Signing-Primary-Expired                 Pass
Test-Certificate-Token-Signing-Primary-Revoked                 Pass
Test-Certificate-Token-Signing-Primary-AboutToExpire         NotRun
Test-Certificate-SSL-Primary-NotFoundInStore                   Pass
Test-Certificate-SSL-Primary-IsSelfSigned                      Fail
Test-Certificate-SSL-Primary-PrivateKeyAbsent                  Pass
Test-Certificate-SSL-Primary-Expired                           Pass
Test-Certificate-SSL-Primary-Revoked                           Pass
Test-Certificate-SSL-Primary-AboutToExpire                     Pass
Test-Certificate-Token-Decrypting-Secondary-NotFoundInStore  NotRun
Test-Certificate-Token-Decrypting-Secondary-IsSelfSigned     NotRun
Test-Certificate-Token-Decrypting-Secondary-PrivateKeyAbsent NotRun
Test-Certificate-Token-Decrypting-Secondary-Expired            Pass
Test-Certificate-Token-Decrypting-Secondary-Revoked            Pass
Test-Certificate-Token-Decrypting-Secondary-AboutToExpire    NotRun
Test-Certificate-Token-Signing-Secondary-NotFoundInStore     NotRun
Test-Certificate-Token-Signing-Secondary-IsSelfSigned        NotRun
Test-Certificate-Token-Signing-Secondary-PrivateKeyAbsent    NotRun
Test-Certificate-Token-Signing-Secondary-Expired               Pass
Test-Certificate-Token-Signing-Secondary-Revoked               Pass
Test-Certificate-Token-Signing-Secondary-AboutToExpire       NotRun
CheckFarmDNSHostResolution                                     Pass
CheckDuplicateSPN                                              Pass
TestServiceAccountProperties                                   Pass
TestAppPoolIDMatchesServiceID                                NotRun
TestComputerNameEqFarmName                                     Pass
TestSSLUsingADFSPort                                         NotRun
TestSSLCertSubjectContainsADFSFarmName                         Pass
TestAdfsAuditPolicyEnabled                                     Fail
TestAdfsRequestToken                                           Pass
CheckOffice365Endpoints                                        Pass
TestADFSO365RelyingParty                                     NotRun
TestNtlmOnlySupportedClientAtProxyEnabled                      Fail


Test-AdfsServerHealth | where {$_.Result -eq "Fail"} | fl

Name             : Test-Certificate-SSL-Primary-IsSelfSigned
Result           : Fail
Detail           : SSL certificate with thumbprint 24...35 is self-signed.
Output           : {Thumbprint}
ExceptionMessage :

Name             : TestAdfsAuditPolicyEnabled
Result           : Fail
Detail           : Audits are not configured for Usage data collection : Expected 'Success and Failure', Actual='No
                   Auditing'
Output           : {StsAuditConfig, MachineAuditPolicy}
ExceptionMessage :

Name             : TestNtlmOnlySupportedClientAtProxyEnabled
Result           : Fail
Detail           : NtlmOnlySupportedClientAtProxy is disabled; extranet users can experience authentication failure.
Output           : {NtlmOnlySupportedClientAtProxy}
ExceptionMessage :
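Running the health check once is useful; running it on a schedule and diffing against the previous run is how you catch a check that quietly flips to Fail (a certificate that hits AboutToExpire, an audit policy someone reset). The script below is an added example, not part of the post or of the ADFSDiagnostics module; it assumes ADFSDiagnostics.psm1 is already imported, that the caller is a local administrator on the ADFS server, and the baseline path is an arbitrary choice.

```powershell
# Added example (not from the original post or the ADFSDiagnostics module):
# run Test-AdfsServerHealth, persist the results as a baseline and report
# every check whose Result changed since the last run. Assumes the module
# is imported and the caller is a local administrator on the ADFS server.
param(
    [string]$BaselinePath = "$env:ProgramData\AdfsHealth\baseline.json"  # assumed location
)

function Get-AdfsHealthSnapshot {
    # Keep only Name/Result/Detail so the snapshot is stable across runs.
    Test-AdfsServerHealth | Select-Object Name, Result, Detail
}

function Compare-AdfsHealthSnapshot {
    param([object[]]$Baseline, [object[]]$Current)
    $old = @{}
    foreach ($c in $Baseline) { $old[$c.Name] = $c.Result }
    foreach ($c in $Current) {
        $previous = if ($old.ContainsKey($c.Name)) { $old[$c.Name] } else { 'New' }
        if ($previous -ne $c.Result) {
            [pscustomobject]@{
                Name     = $c.Name
                Previous = $previous
                Current  = $c.Result
                Detail   = $c.Detail
            }
        }
    }
}

$current = Get-AdfsHealthSnapshot
$changes = @()
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    $changes  = @(Compare-AdfsHealthSnapshot -Baseline $baseline -Current $current)
}

# Persist the new baseline for the next run.
New-Item -ItemType Directory -Path (Split-Path $BaselinePath) -Force | Out-Null
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath

# Regressions (anything that moved to Fail) are the actionable set: a token-signing
# certificate newly reported Expired or PrivateKeyAbsent, or TestAdfsAuditPolicyEnabled
# dropping back to 'No Auditing', should raise an alert rather than sit in a log.
$regressions = @($changes | Where-Object { $_.Current -eq 'Fail' })
$changes | Format-Table -AutoSize
if ($regressions.Count -gt 0) { exit 1 } else { exit 0 }
```

The non-zero exit code lets a scheduled task or monitoring agent page on regressions while the first run simply records the baseline.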


More examples here.

Enjoy!
