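# Check-ADFS
#
# Validate ADFS Function
#
# 20150504 Frank@carius.de initial Version for Signing Cert
# 20160106 Frank@carius.de Update with PRTG Output and
# 20220203 Extended with per-server check for ADFS clusters (tip from Spanninger Sebastian) and $sender replaced
#
# Purpose
#   1. Open a TLS connection to the ADFS server/pool and report how many days the
#      HTTPS (service communication) certificate is still valid.
#   2. Download the federation metadata document and report how many days the
#      token-signing certificate embedded in it is still valid.
#   In PRTG mode both values are appended to $result and written to stdout as
#   an EXEXML sensor result.
#
# Parameters
#   -serverfqdn     FQDN of the ADFS pool (mandatory). Used as TLS target name and
#                   as the HTTP "Host" header for the metadata request.
#   -hostname       Optional FQDN of an individual pool member. Only used to build
#                   the metadata URL; defaults to $serverfqdn.
#   -sslport        TCP port for TLS and the metadata URL (default 443).
#   -federationurl  Explicit metadata URL; generated from hostname/port when empty.
#   -prtgmode       Emit PRTG EXEXML output. Switched on automatically when the
#                   script is started from a directory ending in "EXEXML".
#
# Exit code: 1 when $error contains any entry at the end of the run, else 0.
param (
    [Parameter(Mandatory=$true,HelpMessage="Specify the FQDN of the ADFS-Server or ADFS-Pool")]
    [string]$serverfqdn,          # name of the ADFS pool the server belongs to
    [string]$hostname,            # optional name of the individual server in the pool
    [int]$sslport = 443,
    [string]$federationurl = "",
    [switch]$prtgmode = $false
)

$error.Clear()

# $result collects the PRTG EXEXML payload. It is initialised unconditionally so
# that the "+=" appends below also work when -prtgmode is passed explicitly
# (previously it was only set in the auto-detected EXEXML case, which failed
# under strict variable checking).
$result = "`r`n"

Write-host "Check-ADFS: Start"
Write-host "Check-ADFS: Parameter serverfqdn:$serverfqdn"
Write-host "Check-ADFS: Parameter hostname:$hostname"
Write-host "Check-ADFS: Parameter sslport:$sslport"
Write-host "Check-ADFS: Parameter federationurl:$federationurl"
Write-host "Check-ADFS: Parameter prtgmode:$prtgmode"

if (!$hostname) {
    Write-Host " Info:Using Serverfqdn $($serverfqdn) as Hostname"
    $hostname = $serverfqdn
}

if ($PSScriptRoot.EndsWith("EXEXML")) {
    write-host "Check-ADFS: Assume PRTG EXEXML-Mode"
    $prtgmode = $true
} else {
    Set-PSDEBUG -strict   # enable strict variable checking. Not usable with PRTG
}

# ---------------------------------------------------------------------------
# Part 1: HTTPS certificate of the ADFS endpoint
# NOTE(review): the TLS probe connects to $serverfqdn, not to $hostname, so on a
# pool the HTTPS certificate of the member given by -hostname is not what gets
# checked here - confirm whether that is intended.
# ---------------------------------------------------------------------------
write-host "Check-ADFS: Checking HTTPS-Server Certificate for Server $serverfqdn on Port $sslport"
$tcpsocket = New-Object Net.Sockets.TcpClient($serverfqdn,$sslport)
if (!$tcpsocket) {
    # $computername was never defined in this script; the message now names the
    # host that was actually dialled.
    Write-Error " No Connection to Host:$serverfqdn Port:$sslport"
} else {
    write-host "Successfully Connected to $serverfqdn Port:$sslport"
    $sslStream = $null
    try {
        $tcpstream = $tcpsocket.GetStream()
        Write-host "Reading SSL Certificate...."
        # The validation callback deliberately accepts every certificate: this
        # stream exists only to READ the server certificate so that its expiry
        # can be reported even when it is already expired, self-signed or
        # otherwise untrusted. No application data is exchanged over it. Do not
        # copy this callback to a connection that carries data.
        $sslStream = New-Object System.Net.Security.SslStream($tcpstream, $false,
            { param($remotesystem, $certificate, $chain, $sslPolicyErrors) return $true })
        $sslStream.AuthenticateAsClient($serverfqdn)   # handshake; makes the server send its certificate
        $httpscert = New-Object system.security.cryptography.x509certificates.x509certificate2($sslStream.RemoteCertificate)
        $httpsdays = ([datetime]($httpscert.NotAfter) - (get-date)).days
        write-host (" Expirationdays:" + $httpsdays)
        if ($prtgmode) {
            # NOTE(review): the PRTG XML element tags (result/channel/value/...)
            # appear to have been stripped from this copy of the script; the
            # string fragments are kept verbatim - restore them from the original.
            $result+=" `r`n"
            $result+=" HTTPSCertDays`r`n"
            $result+=" "+$httpsdays+"`r`n"
            $result+=" Days`r`n"
            $result+=" Absolute`r`n"
            $result+=" 0`r`n"
            $result+=" `r`n"
            $result+=" ADFS-Health`r`n"
        }
    } catch {
        # Record the handshake/certificate failure once instead of letting the
        # remaining statements cascade into follow-up errors; $error is checked
        # at the end and yields exit code 1.
        Write-Error (" Reading HTTPS certificate failed: " + $_.Exception.Message)
    } finally {
        # release the TLS stream and socket on every path (the original leaked both)
        if ($sslStream) { $sslStream.Close() }
        $tcpsocket.Close()
    }
}

# ---------------------------------------------------------------------------
# Part 2: token-signing certificate from the federation metadata
# ---------------------------------------------------------------------------
if ($federationurl -eq "") {
    $federationurl = ("https://"+$hostname+":"+$sslport+"/federationmetadata/2007-06/federationmetadata.xml")
    write-host " Federationdoc generated"
}
write-host " Retrieving Federationdoc from $($federationurl)"
try {
    # Request goes to the individual member ($hostname) while the Host header
    # carries the pool name so ADFS answers with the pool's metadata. This
    # script installs no global certificate callback, so Invoke-RestMethod keeps
    # its default TLS validation for this request.
    [xml]$xmlresult = Invoke-RestMethod `
        -method GET `
        -uri $federationurl `
        -Headers @{"Host"=$serverfqdn}
    $certbase64 = $xmlresult.EntityDescriptor.Signature.KeyInfo.X509Data.X509Certificate
    $certarray = [System.convert]::FromBase64String($certbase64)
    # Wrap the byte[] in a one-element array so New-Object passes it as a single
    # constructor argument rather than one argument per byte.
    $cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,$certarray)
    $signingdays = ([datetime]($cert.NotAfter) - (get-date)).days
    write-host (" Expirationdays:" + $signingdays)
    if ($prtgmode) {
        # see the note on the HTTPS block: element tags missing in this copy
        $result+=" `r`n"
        $result+=" SigningCertDays`r`n"
        $result+=" "+$signingdays+"`r`n"
        $result+=" Days`r`n"
        $result+=" Absolute`r`n"
        $result+=" 0`r`n"
        $result+=" `r`n"
        $result+=" ADFS-Health`r`n"
    }
} catch {
    # The caught exception is already in $error; print its message so the
    # operator can tell a TLS/name-mismatch failure from a missing element.
    write-host "Error retrieving federation xml"
    write-host (" " + $_.Exception.Message)
}

if ($prtgmode) {
    write-host "Check-ADFS: Sending Result as PRTG EXEXML"
    $result+=" ADFS-Health`r`n"
    $result+=""
    $result
}

if ($error) {
    Write-Host "Found 
$($error.count) Errors Exitcode 1"
    EXIT 1
}
Write-host "Check-ADFS: End"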