
Active Directory Federation Services

Management Pack Guide


Microsoft Corporation
Published: June 2010
Updated: December 2016
Send suggestions and comments about this document to mpgfeed@microsoft.com. Please
include the Management Pack guide name with your feedback.
Copyright
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the companies, organizations, products, domain
names, e-mail addresses, logos, people, places, and events depicted in examples herein are
fictitious. No association with any real company, organization, product, domain name, e-mail
address, logo, person, place, or event is intended or should be inferred. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying,
recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2012 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows Server, and Active Directory are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
All other trademarks are property of their respective owners.

Revision History

Release date     Changes

December 2016    AD FS MP 2016 released; document updated to reflect the new MP version.

September 2012   AD FS MP updated to enable the AD FS MP to monitor AD FS 2.1 in Windows Server 2012
                 in addition to AD FS 2.0 that is included in Windows Server 2008 R2.

June 2010        Original release of this guide.

Contents

Introduction to the AD FS Management Pack
    Supported Configurations
Getting Started
    Before You Import the Management Pack
        Files in This Management Pack
        Recommended Additional Management Packs
    How to Import the AD FS Management Pack
    Initial Configuration
        Create a New Management Pack for Customizations
        Perform Discoveries for Monitored Components
Optional Configuration
Security Considerations
    Low-Privilege Environments
Understanding Management Pack Operations
    Objects That the AD FS Management Pack Discovers
    Classes
    Key Monitoring Scenarios
        Token-Issuance Failures Scenario
        Token-Acceptance Failures Scenario
        Trust Management Failures Scenario
        Web Site Failures Scenario
        Windows Internal Database (WID) Synchronization Failures Scenario
        Certificate Management Failures Scenarios
        General Federation Server Failures Scenario
        General Federation Server Proxy Failures Scenario
    Known Issues
Appendix: Scripts

Introduction to the AD FS Management Pack
The Active Directory Federation Services (AD FS) Management Pack provides both proactive
and reactive monitoring of your AD FS deployment for both the federation server and the
federation server proxy roles. The management pack monitors events that the AD FS Windows
service records in the AD FS event logs, and it monitors the performance data that the AD FS
performance counters collect. It also monitors the overall health of the AD FS system and the
federation passive application, and it provides alerts for critical issues and warning issues.
This management pack includes monitoring of the following core components: token issuance,
token acceptance, artifact service, Web sites, trust management, certificate rollover, and
Windows Internal Database synchronization. For example, the AD FS Management Pack
monitors the following:
• Events that indicate service outages and operational errors or warnings
• Alerts that indicate configuration issues and background task failures or warnings
• Whether auditing is occurring successfully
• Communication between the federation server and the federation server proxy
• Notification of malformed access requests
• Web site availability
• The health of the Secure Sockets Layer (SSL) certificate of the federation passive Web site in
  Internet Information Services (IIS) (located at <ComputerName>\Sites\Default Web
  Site\adfs\ls)

Document Version
This guide was written based on the 10.0.0.0 version of the AD FS 2016 Management Pack.
Before you install the updated ADFS Management Pack (v10.0.0.0), remove any existing ADFS
Management Packs.

Getting the Latest Management Pack and Documentation
You can find the AD FS Management Pack in the Microsoft Management Packs Catalog
(http://go.microsoft.com/fwlink/?LinkId=82105).

Supported Configurations
The Active Directory Federation Services (AD FS) Management Pack is supported on the
operating system configurations in the following table.

Configuration              Support

Windows Server 2008        32-bit and 64-bit

Windows Server 2008 R2     64-bit

Windows Server 2012        64-bit

Windows Server 2012 R2

Windows Server 2016

All support is subject to the overall Microsoft Help and Support policy
(http://go.microsoft.com/fwlink/?Linkid=26134) and to the System Center Operations Manager 2012
TechNet article (https://technet.microsoft.com/en-us/library/hh205990.aspx).

Getting Started
This section describes the actions that you should take before you import the Active Directory
Federation Services (AD FS) Management Pack, any steps that you should take after you import
the AD FS Management Pack, and information about customizations.

Before You Import the Management Pack


Before you import the Active Directory Federation Services (AD FS) Management Pack, take the
following actions:
• Before you install the updated ADFS Management Pack (v10.0.0.0), remove any existing
  ADFS Management Packs.
• Install System Center Operations Manager 2012 or newer.
• Using the Add Role Services Wizard in Server Manager, verify that the IIS 6 Management
  Compatibility and IIS 6 Metabase Compatibility role services are installed. (Some AD FS
  scripts depend on Internet Information Services (IIS) Windows Management Instrumentation
  (WMI) objects being installed.)

Files in This Management Pack


The Active Directory Federation Services (AD FS) Management Pack includes the following files:
• Microsoft System Center Management Pack for ADFS 2016.msi
• Microsoft System Center Management Pack for ADFS 2016 CHS.msi
• Microsoft System Center Management Pack for ADFS 2016 CHT.msi
• Microsoft System Center Management Pack for ADFS 2016 CSY.msi
• Microsoft System Center Management Pack for ADFS 2016 DEU.msi
• Microsoft System Center Management Pack for ADFS 2016 ESN.msi
• Microsoft System Center Management Pack for ADFS 2016 FRA.msi
• Microsoft System Center Management Pack for ADFS 2016 HUN.msi
• Microsoft System Center Management Pack for ADFS 2016 ITA.msi
• Microsoft System Center Management Pack for ADFS 2016 JPN.msi
• Microsoft System Center Management Pack for ADFS 2016 KOR.msi
• Microsoft System Center Management Pack for ADFS 2016 NLD.msi
• Microsoft System Center Management Pack for ADFS 2016 PLK.msi
• Microsoft System Center Management Pack for ADFS 2016 PTB.msi
• Microsoft System Center Management Pack for ADFS 2016 PTG.msi
• Microsoft System Center Management Pack for ADFS 2016 RUS.msi
• Microsoft System Center Management Pack for ADFS 2016 SVE.msi
• Microsoft System Center Management Pack for ADFS 2016 TRK.msi

Recommended Additional Management Packs


Although no further management packs are required for the Active Directory Federation Services
(AD FS) Management Pack to perform, the following management packs might be of interest
because they monitor services that complement the AD FS services:
• System Center 2012 Management Pack for Microsoft Windows Server 2012 Internet
  Information Service 8 (https://www.microsoft.com/en-us/download/details.aspx?id=34767)
• Microsoft System Center Management Pack for SQL Server
  (https://www.microsoft.com/en-us/download/details.aspx?id=10631)

How to Import the AD FS Management Pack


For instructions about importing a management pack, see How to Import a Management Pack
(https://technet.microsoft.com/en-us/library/hh212691(v=sc.12).aspx).

Initial Configuration
After the Active Directory Federation Services (AD FS) Management Pack is imported, follow
these procedures to finish your initial configuration:
1. Create a new management pack in which to store overrides and other customizations.
2. Perform discoveries for monitored components.

Create a New Management Pack for Customizations


Most vendor management packs are sealed so that you cannot change any of the original
settings in the management pack file. However, you can create customizations, such as overrides
or new monitoring objects, and save them to a different management pack. By default, System
Center Operations Manager 2012 saves all customizations to the Default Management Pack. As
a best practice, you should instead create a separate management pack for each sealed
management pack that you want to customize.
Creating a new management pack for storing overrides has the following advantages:
• It simplifies the process of exporting customizations that were created in your test and
  preproduction environments to your production environment. For example, instead of
  exporting the Default Management Pack that contains customizations from multiple
  management packs, you can export just the management pack that contains customizations
  of a single management pack.
• You can delete the original management pack without first having to delete the Default
  Management Pack. A management pack that contains customizations depends on the
  original management pack. This dependency requires you to delete the management pack
  with customizations before you can delete the original management pack. If all your
  customizations are saved to the Default Management Pack, you must delete the Default
  Management Pack before you can delete an original management pack.
• It is easier to track and update customizations to individual management packs.
For more information about sealed and unsealed management packs, see Management Pack
Formats (http://go.microsoft.com/fwlink/?LinkId=108355).

Perform Discoveries for Monitored Components


You must configure both the agent and the Operations Manager management server so that they
have permission to perform discoveries for the monitored components. To do this, ensure that the
Allow this agent/server to act as a proxy and discover managed objects on other computers
option is enabled on the agent and on the management server.

To configure the Agent


1. Open the Operations Console of Operations Manager.
2. In the left panel, click the Administration tab.
3. Click Device Management, and then click Agent Managed.
4. In the right panel, click the agent that you want to configure, and then click Properties.
5. On the Agent Properties page, click the Security tab.
6. Make sure that the Allow this agent to act as a proxy and discover managed objects
on other computers check box is selected.

To configure the Operation Manager


1. Open the Operations Console of Operations Manager.
2. In the left panel, click the Administration tab.
3. Click Device Management, and then click Management Servers.
4. In the right panel, click the management server that you want to configure, and then click
Properties.
5. On the Management Server Properties page, click the Security tab.
6. Make sure that the Allow this server to act as a proxy and discover managed
objects on other computers check box is selected.

Optional Configuration

Enable monitoring of authorization rules


Depending on how Active Directory Federation Services (AD FS) was deployed in your
organization, you may want to enable the ability to monitor how authorization claim rules are
working in your organization. Microsoft assumes that administrators, before putting AD FS into
production, configured the user authorization claim rules properly, and any denial of access that
users experience is a result of the authorization claim rules that were configured.
The following rules are disabled by default in the AD FS management pack:
• On Behalf Of Authorization Error
• Caller Authorization Error
• Act As Authorization Error
You can enable these rules by performing the following procedure.

To enable rules
1. Open the Operations Console of Operations Manager.
2. Click the Authoring tab in the left panel.
3. Click Management Pack Objects, and then click Rules.
4. In the list of rules, locate the rule that you want to enable under Type: Token Issuance,
right-click the rule, point to Overrides, point to Override the Rule, and then click For all
objects of class: Token issuance.
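Both post-import steps, enabling the agent proxy setting needed for discovery and storing the rule overrides in a separate unsealed management pack, can also be scripted with the OperationsManager PowerShell module on a management server. The following script is an added example and is not part of the Management Pack guide or the pack itself. It assumes that an unsealed override management pack with the display name 'AD FS Overrides' has already been created in the console, that the rule and class display names match what the Operations console shows ('Token Issuance' for the target class), and that agent display names are the AD FS computers' FQDNs; all of these names are assumptions, not values from the guide.

```powershell
# Added example, not from the AD FS Management Pack guide. Run on an Operations Manager
# management server with the OperationsManager module available.
param(
    [Parameter(Mandatory)] [string[]] $AdfsComputers,        # agent FQDNs that run AD FS (assumed format)
    [string] $OverrideMpDisplayName = 'AD FS Overrides'       # assumed name of the unsealed override MP
)
Import-Module OperationsManager -ErrorAction Stop

# Initial Configuration, step 2: agents that host AD FS must be allowed to act as a proxy,
# otherwise the discoveries for the hosted AD FS components are rejected.
$agents = Get-SCOMAgent | Where-Object { $AdfsComputers -contains $_.DisplayName }
foreach ($agent in $agents) {
    if (-not $agent.ProxyingEnabled.Value) {
        $agent | Enable-SCOMAgentProxy
        Write-Host "Proxying enabled on $($agent.DisplayName)"
    }
}
$missing = $AdfsComputers | Where-Object { $_ -notin @($agents | ForEach-Object DisplayName) }
if ($missing) { Write-Warning "No agent found for: $($missing -join ', ')" }

# Optional Configuration: enable the three authorization rules that the pack disables by
# default. The override must land in the unsealed override MP, never in the sealed AD FS MP.
$overrideMp = Get-SCOMManagementPack -DisplayName $OverrideMpDisplayName
if (-not $overrideMp -or $overrideMp.Sealed) {
    throw "Override management pack '$OverrideMpDisplayName' not found or is sealed"
}
$targetClass = Get-SCOMClass -DisplayName 'Token Issuance'      # "For all objects of class: Token Issuance"
if (-not $targetClass) { throw "Class 'Token Issuance' not found; check the display name in the console" }

$ruleNames = 'On Behalf Of Authorization Error',
             'Caller Authorization Error',
             'Act As Authorization Error'
foreach ($name in $ruleNames) {
    $rule = Get-SCOMRule -DisplayName $name
    if (-not $rule) { Write-Warning "Rule '$name' not found"; continue }
    # -Enforce makes this override take precedence over any other override on the same rule.
    Enable-SCOMRule -Rule $rule -Class $targetClass -ManagementPack $overrideMp -Enforce
    Write-Host "Enabled '$name' for all objects of class '$($targetClass.DisplayName)'"
}
```

The management server's own proxy setting is not changed by this script; set it through the Management Server Properties page as described above. Re-run the script after importing a new version of the AD FS Management Pack, because overrides stored in the override pack reference the rules by identity and should be re-verified against the new rule set.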

Security Considerations
You may need to customize the Active Directory Federation Services (AD FS) Management Pack
for your environment. The monitoring scripts cannot run under an arbitrary low-privilege
account; the account that runs them must have at least the permissions described in the
following section.

Low-Privilege Environments
So that each of the client-side monitoring scripts can run successfully, the Action Account must
be a member of the Administrators group or a Local System account on the Agent computer on
which Active Directory Federation Services (AD FS) is running.
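The prerequisites listed under "Before You Import the Management Pack" and the action-account requirement stated above are all things that can be checked on the AD FS server before the pack is imported. The following readiness check is an added example and is not part of the guide or the pack. It assumes the action account is supplied as 'DOMAIN\user' (or 'NT AUTHORITY\SYSTEM'), that the IIS 6 WMI provider backs the IIS WMI objects the guide mentions, that the AD FS service is named adfssrv, and that Get-LocalGroupMember is available (Windows Server 2016 or later); the feature names Web-Mgmt-Compat, Web-Metabase and Web-WMI are the Server Manager names for the IIS 6 compatibility role services.

```powershell
# Added example, not from the AD FS Management Pack guide. Run elevated on the federation
# server (or federation server proxy) that carries the Operations Manager agent.
param(
    [Parameter(Mandatory)] [string] $ActionAccount    # e.g. 'CONTOSO\svc-scom-action' (constructed example value)
)
Import-Module ServerManager -ErrorAction Stop

$results = [ordered]@{}

# 1. IIS 6 Management Compatibility / IIS 6 Metabase Compatibility role services, plus the
#    IIS 6 WMI provider, which is what "IIS WMI objects" resolve to on the server.
foreach ($f in Get-WindowsFeature -Name Web-Mgmt-Compat, Web-Metabase, Web-WMI) {
    $results["Feature $($f.Name)"] = [bool] $f.Installed
}

# 2. The IIS 6 WMI namespace must actually answer a query, not merely be installed.
try {
    $null = Get-CimInstance -Namespace 'root\MicrosoftIISv2' -ClassName IIsWebServerSetting -ErrorAction Stop
    $results['WMI root\MicrosoftIISv2 queryable'] = $true
} catch {
    $results['WMI root\MicrosoftIISv2 queryable'] = $false
}

# 3. The AD FS Windows service must exist and be running on this computer; without it the
#    Federation Server Seed / Federation Server Proxy Seed object is never discovered.
$svc = Get-Service -Name adfssrv -ErrorAction SilentlyContinue
$results['adfssrv running'] = ($null -ne $svc -and $svc.Status -eq 'Running')

# 4. The action account must be Local System or a member of the local Administrators group;
#    the guide states the client-side monitoring scripts fail otherwise. Only direct members
#    are checked here: a domain group nested in Administrators is not expanded.
if ($ActionAccount -eq 'NT AUTHORITY\SYSTEM') {
    $results['Action account privileged'] = $true
} else {
    $admins = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name
    $results['Action account privileged'] = ($admins -contains $ActionAccount)
}

foreach ($entry in $results.GetEnumerator()) {
    '{0,-40} {1}' -f $entry.Key, $(if ($entry.Value) { 'OK' } else { 'MISSING' })
}
if ($results.Values -contains $false) { exit 1 }
```

A non-zero exit code means at least one prerequisite is missing; fix those before importing the pack, because a failed discovery on a server that lacks the IIS WMI objects produces no AD FS objects and therefore no alerts, which is easy to mistake for a healthy deployment.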

Understanding Management Pack Operations


This section provides additional information about the types of objects that the Active Directory
Federation Services (AD FS) Management Pack discovers and about the classes that are
involved. It also explains the concepts that are introduced in the Key Monitoring Scenarios
section.

Objects That the AD FS Management Pack Discovers
The Active Directory Federation Services (AD FS) Management Pack discovers the object types
in the following table. The table indicates which object types are discovered, depending on the
role of AD FS (either the federation server role or the federation server proxy role) on the
discovered computer.

Role                       Object type

Federation server          Federation Server Seed
Federation server          AD FS 2016
Federation server          Federation Service
Federation server          Federation Server
Federation server          Authentication
Federation server          Certificate Management
Federation server          Trust Management
Federation server          Web Sites
Federation server          WID Sync
Federation server          Artifact Service
Federation server          Token Acceptance
Federation server          Token Issuance

Federation server proxy    Federation Server Proxy Seed
Federation server proxy    AD FS 2016
Federation server proxy    Federation Server Proxies
Federation server proxy    Federation Server Proxy
Federation server proxy    Authentication
Federation server proxy    Web Sites

The Federation Server Seed or Federation Server Proxy Seed object type is discovered when the
federation server or federation server proxy is installed on the monitored computer.
For information about discovering objects, see Operations Manager Management Pack Authoring
- Discovery (http://social.technet.microsoft.com/wiki/contents/articles/14260.operations-manager-
management-pack-authoring-discovery.aspx).

Classes
The following diagram shows the classes that are defined in the Active Directory Federation
Services (AD FS) Management Pack.

Abstract classes
Abstract classes have no instances, and they exist only to act as a base class for other classes.
With this in mind, the class Microsoft.ActiveDirectoryFederationServices.FederationServer, and
all the classes that it hosts, inherit from an abstract class named
Microsoft.ActiveDirectoryFederationServices.FederationServerBase.
Similarly, the class Microsoft.ActiveDirectoryFederationServices.FederationServerProxy, and all
the classes that it hosts, inherit from an abstract class named
Microsoft.ActiveDirectoryFederationServices.FederationServerProxyBase.
Both Microsoft.ActiveDirectoryFederationServices.FederationServerBase and
Microsoft.ActiveDirectoryFederationServices.FederationServerProxyBase in turn inherit from
another abstract class named
Microsoft.ActiveDirectoryFederationServices.ActiveDirectoryFederationServicesBase.

Key Monitoring Scenarios


The following tables list the Sub-Scenarios for monitors/rules that the Active Directory Federation
Services (AD FS) Management Pack has implemented for key higher-level monitoring scenarios.
If there are failures in those scenarios or if a success event indicates a warning, an alert is
generated.
In some cases, the alerts are suppressed so that only one alert is generated when many
failures/warnings with the same root cause occur. (See the Alert suppression column in the
tables in this section.) For event-based monitors/rules, the event is counted before generating an
alert for the intermittent failures. (See the Event counting column in the tables in this section.)

Note
Alert suppression applies only to rules. Event counting applies to only monitors.
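The two policies described above behave quite differently from an operator's point of view: suppression collapses every repeat with the same key into one alert whose repeat count grows, while event counting stays silent until a burst crosses a threshold inside a time window. The following stand-alone model of both policies is an added example and is not code from the guide or the pack; it does not read the AD FS event logs. The rule names and the suppression keys come from the guide's tables; the timestamps, relying-party identifiers and the event objects themselves are constructed for the example and are not real AD FS log data.

```powershell
# Added example, not from the AD FS Management Pack guide: a model of rule-based alert
# suppression and monitor-based event counting, run over constructed sample events.
Set-StrictMode -Version Latest

# Constructed sample events. Key mirrors what the pack suppresses on (here: relying party
# for "Artifact Requested But Disabled Error"; a single key for the artifact database).
$now = Get-Date '2016-12-01 10:00:00'
$events = @()
1..5  | ForEach-Object { $events += [pscustomobject]@{ Time = $now.AddMinutes($_);      Rule = 'Artifact Requested But Disabled Error'; Key = 'urn:rp:contoso-app'  } }
1..2  | ForEach-Object { $events += [pscustomobject]@{ Time = $now.AddMinutes($_ + 10); Rule = 'Artifact Requested But Disabled Error'; Key = 'urn:rp:fabrikam-app' } }
1..31 | ForEach-Object { $events += [pscustomobject]@{ Time = $now.AddMinutes($_);      Rule = 'Artifact Database Remove Error';          Key = 'artifact-db' } }
1..10 | ForEach-Object { $events += [pscustomobject]@{ Time = $now.AddHours(2).AddMinutes($_); Rule = 'Artifact Database Remove Error'; Key = 'artifact-db' } }

# Rule-based suppression: one alert per (rule, key); later matches only raise the repeat count.
function Get-SuppressedAlerts {
    param([object[]] $Events)
    $alerts = @{}
    foreach ($e in ($Events | Sort-Object Time)) {
        $id = "$($e.Rule)|$($e.Key)"
        if ($alerts.ContainsKey($id)) {
            $alerts[$id].RepeatCount++
        } else {
            $alerts[$id] = [pscustomobject]@{ Rule = $e.Rule; Key = $e.Key; First = $e.Time; RepeatCount = 0 }
        }
    }
    $alerts.Values
}

# Monitor-based event counting: alert only when at least $Threshold matching events fall
# inside a sliding window of $Window (30 within one hour for "Artifact Database Remove Error").
function Get-CountedAlerts {
    param(
        [object[]]  $Events,
        [string]    $Rule,
        [int]       $Threshold = 30,
        [timespan]  $Window    = [timespan]::FromHours(1)
    )
    $recent = New-Object 'System.Collections.Generic.Queue[datetime]'
    $fired  = @()
    foreach ($e in ($Events | Where-Object { $_.Rule -eq $Rule } | Sort-Object Time)) {
        $recent.Enqueue($e.Time)
        # Drop timestamps that fell out of the window relative to the newest event.
        while (($e.Time - $recent.Peek()) -gt $Window) { $null = $recent.Dequeue() }
        if ($recent.Count -ge $Threshold) {
            $fired += [pscustomobject]@{ Rule = $Rule; At = $e.Time; CountInWindow = $recent.Count }
            $recent.Clear()   # one burst yields one alert; counting starts over
        }
    }
    $fired
}

# Expected with the constructed input: two suppressed alerts (contoso-app with RepeatCount 4,
# fabrikam-app with RepeatCount 1) and exactly one counted alert, raised at 10:30 when the
# 30th failure within the hour arrives; the later burst of 10 never reaches the threshold.
Get-SuppressedAlerts -Events ($events | Where-Object { $_.Rule -eq 'Artifact Requested But Disabled Error' }) | Format-Table -AutoSize
Get-CountedAlerts    -Events $events -Rule 'Artifact Database Remove Error' | Format-Table -AutoSize
```

The practical consequence for the rows marked "Suppress if the failures are with the same relying party" (or issuer, thumbprint, claims provider) is that a sustained problem shows up as one alert with a rising repeat count rather than as many alerts, so dashboards and notification subscriptions keyed on alert count under-report it; look at the repeat count, or at the event log itself, when sizing an incident.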

Token-Issuance Failures Scenario


The monitors/rules in the following table monitor the token-issuance failures that are observed on
the federation server proxy computer and in the Federation Service, as well as warning events that are
related to token issuance. Note that suppression keyed on the same relying party, issuer, or thumbprint
collapses repeated signature-verification and weak-signature-algorithm failures into a single alert, so
the repeat count on that alert, not the number of alerts, indicates how often the condition recurs.

Sub-scenario | Rule/monitor name | Alert suppression | Event counting
--- | --- | --- | ---
Artifact: Failed to connect to the artifact database. | Artifact Database Connection Open Error | N/A | No
Artifact: Failed to get artifacts from the artifact database. | Artifact Database Get Error | N/A | No
Artifact: Failed to add artifacts to the artifact database. | Artifact Database Add Error | N/A | No
Artifact: Failed to remove artifacts from the artifact database. | Artifact Database Remove Error | N/A | If the same failures happen at least 30 times within an hour
Artifact: The Artifact service failed to start. | Artifact Service Startup Exception | N/A | No
Artifact: The SAML artifact resolution service is not enabled for the relying party. | Artifact Requested But Disabled Error | Suppress if the failures are with the same relying party | N/A
Artifact resolution request: The SAML artifact resolution endpoint is not configured, or it is disabled. | Artifact Resolution Endpoint Not Configured Error | Suppress if the same failures happen | N/A
Artifact resolution request: The SAML artifact resolution request specified an issuer that is not configured for the relying party. | Artifact Resolution Service Identity Not Found Error | Suppress if the failures are with the same relying party | N/A
Artifact resolution request: The SAML artifact resolution request failed. | Artifact Resolution Failed | N/A | No
Artifact resolution request: The Federation Service was unable to issue a token because the SAML artifact could not be resolved; the artifact resolution request that was made to the claims provider trust failed. | SAML Artifact Resolution Request Error | Suppress if the failures are with the same claims provider | N/A
Artifact resolution request: The claims provider does not have a SAML artifact resolution endpoint with the specified index configured; artifact resolution failed. | SAML Artifact Resolution Endpoint Not Found Error | Suppress if the failures are with the same claims provider | N/A
Assertion Consumer Service: The SAML request specified an assertion consumer service index that is not configured on the relying party. | Unmatched Assertion Consumer Service Index | Suppress if the failures are with the same relying party and the same assertion consumer service index | N/A
Assertion Consumer Service: The assertion consumer service protocol binding endpoint specified in the SAML request is not configured on the relying party. | Unmatched Assertion Consumer Service Protocol Binding | Suppress if the failures are with the same relying party and the same assertion consumer service protocol binding | N/A
Assertion Consumer Service: The assertion consumer service URL specified in the SAML request is not configured on the relying party. | Unmatched Assertion Consumer Service URL | Suppress if the failures are with the same relying party and the same assertion consumer service URL | N/A
Assertion Consumer Service: The assertion consumer service endpoint specified in the SAML request is not configured on the relying party. | Assertion Consumer Service Endpoint Was Not Configured | Suppress if the failures are with the same relying party | N/A
Assertion Consumer Service: The relying party is not configured with SAML assertion consumer services. | Configuration Missing SAML Assertion Consumer Services Error | Suppress if the failures are with the same relying party | N/A
Attribute store: The attribute store that is configured in the Federation Service could not be loaded. | Attribute Store Load Failure | Suppress if the failures are with the same attribute store | N/A
Attribute store: An error occurred during an attempt to execute a query to the SQL attribute store. | SQL Attribute Store Query Execution Error | Suppress if the failures are with the same SQL attribute store and the same query | N/A
Attribute store: A processing error occurred in the attribute store or in the attribute store rule. | Attribute Store Rule Processing Error | N/A | No
Authorization: The Federation Service could not authorize token issuance for the caller on behalf of the subject to the relying party. | On Behalf Of Authorization Error | Suppress if the failures are with the same caller, the same subject, and the same relying party | N/A
Authorization: The Federation Service could not authorize token issuance for the caller to the relying party. | Caller Authorization Error | Suppress if the failures are with the same caller and the same relying party | N/A
Certificate: The token-signing certificate for the relying party is not valid. | Relying Party Signing Certificate Is Not Valid | Suppress if the failures are with the same relying party and the same thumbprint | N/A
Certificate: The service account that the AD FS 2016 Windows service uses does not have permission to the private key of its token-signing certificates and/or its token-decrypting certificates. | Certificate Private Key Inaccessible Error | N/A | No
Certificate: An error occurred during an attempt to build the certificate chain for the relying party trust using the encryption certificate that was identified by a thumbprint. | Relying Party Encryption Certificate Error | Suppress if the failures are with the same relying party and the same thumbprint | N/A
Certificate: An error occurred while the certificate chain for the client certificate that is identified by the thumbprint was being built. | Client Certificate CRL Check Failure | Suppress if the failures are with the same thumbprint | N/A
Domain controller: The Federation Service failed to find a domain controller in the domain. | LDAP Lookup Error | Suppress if the failures are with the same domain controller | N/A
Endpoint: The WS-Metadata Exchange (MEX) endpoint that is used for authentication over SOAP and HTTP protocols is not reachable. | MEX Endpoint Is Unreachable | N/A | N/A
Endpoint: The federation server proxy WS-Metadata Exchange (MEX) endpoint on the federation server is unreachable. | Proxy MEX Endpoint Is Unreachable | N/A | N/A
Federation passive: A communication error occurred during an attempt to get a token from the Federation Service. | Federation Passive Service Communication Error | N/A | No
Federation passive: An error occurred during the federation passive request. | Federation Passive Request Failed | N/A | No
Federation passive: An error occurred during the federation passive sign-out. | Federation Passive Sign-Out Error on the Federation Server Proxy | N/A | No
Federation passive: A communication error occurred during an attempt to get a token from the Federation Service. | Federation Passive Service Communication Error on the Federation Server Proxy | N/A | No
Federation passive: An error occurred during the federation passive request. | Federation Passive Request Failed on the Federation Server Proxy | N/A | No
Global catalog server: The Federation Service failed to connect to a global catalog server. | Global Catalog Server Connection Error | Suppress if the failures are with the same global catalog server | N/A
Global catalog server: The Federation Service failed to query a global catalog server. | LDAP Global Catalog Server Error | Suppress if the failures are with the same global catalog server | N/A
LDAP server: The Federation Service failed to connect to an LDAP server. | LDAP Connection Error | Suppress if the failures are with the same LDAP server | N/A
LDAP server: The Federation Service failed to query an LDAP server. | LDAP Server Query Error | Suppress if the failures are with the same LDAP server | N/A
NameID policy: The federation server cannot process the SAML authentication request because the NameID policy that was specified in the authentication request cannot be satisfied. | Unsupported NameID Policy | Suppress if the failures are with the same relying party and the same NameID policy | N/A
SAML request: The Federation Service encountered an error while processing the SAML authentication request. | SAML Request Processing Error | N/A | No
Security: The token that was used to authenticate the user or the request is signed with a signature algorithm that is not the expected signature algorithm. | Weak Signature Algorithm Error | Suppress if the failures are with the same issuer | N/A
Security: The SAML artifact resolution request is signed with a signature algorithm that is not the expected signature algorithm. | Weak Signature Algorithm Error in Artifact Resolution Request | Suppress if the failures are with the same relying party | N/A
Security: The SAML request is signed with a signature algorithm that is not the expected signature algorithm. | Weak Signature Algorithm Error in SAML Request | Suppress if the same failures happen | N/A
Security: The Federation Service could not satisfy a token request because the authentication type requirement for the relying party was not met. | Invalid Authentication Type | Suppress if the failures are with the same relying party and the same authentication type | N/A
Signature verification: The verification of the SAML message signature from the message issuer failed. | SAML Request Signature Verification Error | Suppress if the failures are with the same message issuer | N/A
Signature verification: The artifact resolution service could not verify the request signature. | Artifact Resolution Service Signature Verification Error | Suppress if the same failures happen | N/A
Trust: The trust between the federation server proxy and the Federation Service was established successfully. | Federation Server Proxy Trust Was Established Successfully | No | N/A
WS-Trust request: The Federation Service encountered an error during an attempt to process the WS-Trust request. | WS-Trust Request Processing Error | N/A | No

Token-Acceptance Failures Scenario


The monitors/rules in the following table monitor the token acceptance failures in the Federation
Service and other warning events. Some of the failures will cause token issuance to fail as well.

Sub-scenario | Rule/monitor name | Alert suppression | Event counting
--- | --- | --- | ---
Artifact resolution request: The claims provider trust does not have the SAML artifact resolution service endpoint configured; SAML artifact resolution failed. | Missing Artifact Resolution Service Endpoint | Suppress if the failures are with the same claims provider | N/A
Certificate: The token-signing certificate for the claims provider is not valid. | Claims Provider Signing Certificate Is Not Valid | Suppress if the failures are with the same claims provider and the same thumbprint | N/A
Certificate: Cannot find the certificate that is used to validate the token/message signature that was obtained from the claims provider; token acceptance and token issuance failed. | Claims Provider Signing Certificate Cannot Be Found | Suppress if the failures are with the same claims provider | N/A
Certificate: The encryption certificate of the claims provider is not valid; SAML logout failed. | Claims Provider Encryption Certificate Is Not Valid | Suppress if the failures are with the same claims provider | N/A
Federation passive: An error occurred during federation passive sign-out. | Federation Passive Sign-Out Error | N/A | No
Federation passive: An error occurred during the processing of the SAML logout request. | SAML Logout Error | Suppress if the failures are with the same logout initiator identity and caller identity | N/A
Federation passive: The SAML Single Logout request does not correspond to the logged-in session participant. | SAML Logout Name Identifier Not Found Error | Suppress if the failures are with the same requester and the same name identifier | N/A
Signature verification: Failed to verify the signature of the artifact response from the claims provider. | Artifact Response Failed Signature Check | Suppress if the failures are with the same claims provider | N/A
Token replay detection: The SAML artifact resolution service encountered an error while trying to perform token replay detection; token replay detection failed. | Token Replay Detection Error | N/A | No
Token validation: The token issuer that the key identifies does not match any known claims provider trusts that have been configured for this Federation Service. | Unmatched Token Issuer | Suppress if the failures are with the same claims provider | N/A
Token validation: The NotBefore attribute for the token that was received has a value that is set to a future time that has not yet occurred. | Security Token Not Yet Valid Error | Suppress if the same failures happen | N/A
Token validation: The audience URI that is specified in the token does not match acceptable identifiers of this Federation Service. | Invalid Audience URI | Suppress if the same failures happen | N/A
Token validation: Token validation failed. | Security Token Validation Error | N/A | No
Token validation: A security token was rejected because the specified IssueInstant was before the allowed time period. | Invalid Issuance Instant Error | N/A | No

Trust Management Failures Scenario


The monitors/rules in the following table monitor the trust management failures in the Federation
Service and other warning events.

Sub-Scenario | Rule/monitor name | Alert suppression | Event counting
Auto-update: The automatic update of the federation metadata for one or more trust configurations has been disabled while automatic monitoring has been enabled. Any future changes that are made in the partner organizations will no longer be committed automatically to the trust configurations on this Federation Service. | Automatic Update of the Trust Was Disabled | N/A | No
Auto-update: The trust monitoring service automatically updated the trust successfully with the partner's published changes. However, some metadata was ignored. | Successful Auto-Update with Warning | Suppress if the failures are with the same trust | N/A
Auto-update: The trust monitoring service detected changes in the federation metadata of the trust, but it did not apply the changes automatically on the trust partner. | Auto-Update Skipped with Warning | Suppress if the failures are with the same trust | N/A
Configuration database operation: The AD FS 2016 trust monitoring service encountered an error while writing to an object in the AD FS configuration database. | Trust Monitoring Write Error | N/A | If the same failure happens more than 3 times within 5 days
Configuration database operation: An error occurred during an attempt to read data that is stored in the AD FS configuration database. Trust monitoring was aborted temporarily, but another attempt will be made automatically based on the monitoring interval value that was set for all trusts. | Trust Monitoring Read Error | N/A | If the same failure happens more than 3 times within 5 days
Federation metadata: The Federation Service failed to retrieve the federation metadata document. | Trust Monitoring Retrieval Error | N/A | If the same failure happens more than 3 times within 5 days
Federation metadata: The Federation Service failed to create the federation metadata document. | Failed to Create Federation Metadata Document | N/A | No
Federation metadata: The Federation Service was unable to listen for requests to read the federation metadata document as the result of an unexpected error. | Error Listening for Federation Metadata Requests | N/A | No
Federation metadata: The trust monitoring service failed to read the federation metadata document. | Federation Metadata Parsing Error | N/A | If the same failure happens more than 3 times within 5 days
Federation metadata: The trust monitoring service failed to process the data in the metadata document. | Federation Metadata Processing Error | N/A | If the same failure happens more than 3 times within 5 days
Generic error: An error occurred during the monitoring for a trust. Trust monitoring was aborted temporarily, but another attempt will be made automatically based on the monitoring interval value that was set for all trusts. | Trust Monitoring Generic Error | N/A | If the same failure happens more than 3 times within 5 days

Web Site Failures Scenario


The monitors/rules in the following table monitor the federation passive Web site
failures/warnings on the federation server and federation server proxy computers.

Sub-Scenario | Rule/monitor name | Alert suppression | Event counting
Application pool: The AD FS 2016 application pool is not running in IIS. | AD FS 2016 Application Pool Is Not Running on the Federation Server | N/A | No
Application pool: The AD FS 2016 application pool is not running in IIS on the federation server proxy. | AD FS 2016 Application Pool Is Not Running on the Federation Server Proxy | N/A | No
IIS Admin Service: The IIS Admin Service is not started on the federation server proxy. | IIS Admin Service Is Not Started | N/A | No
SSL certificate: The SSL certificate that is configured for the federation passive Web site expired or has been revoked. | SSL Certificate Error on the Federation Server | N/A | No
SSL certificate: The SSL certificate that is configured for the federation passive Web site will expire in 20 days. | SSL Certificate Warning on the Federation Server | N/A | No
SSL certificate: A failure occurred during an attempt to check for the revocation status of the SSL certificate that is configured on the federation passive Web site. | SSL Certificate Revocation Check Error on the Federation Server | N/A | No
SSL certificate: A failure occurred during an attempt to check for the revocation status of the SSL certificate that is configured on the federation passive Web site. | SSL Certificate Revocation Check Error on the Federation Server Proxy | N/A | No
SSL certificate: The SSL certificate that is configured for the federation passive Web site expired or has been revoked. | SSL Certificate Error on the Federation Server Proxy | N/A | No
SSL certificate: The SSL certificate that is configured for the federation passive Web site will expire in 20 days. | SSL Certificate Warning on the Federation Server Proxy | N/A | No
Web.config: The AD FS 2016 federation passive Web site application is missing in IIS on the federation server. | Federation Passive Web Site Application Is Missing on the Federation Server | N/A | No
Web.config: The Web request failed because of an error in the web.config file on the federation server. | Federation Passive Web Config Error | N/A | No
Web.config: The Web request failed because of an error in the web.config file on the federation server proxy. | Federation Passive Web Config Error on the Federation Server Proxy | N/A | No

Windows Internal Database (WID) Synchronization Failures Scenario
The monitors/rules in the following table monitor the Windows Internal Database (WID)
synchronization failures on the federation server computer in the farm scenario.

Sub-Scenario | Rule/monitor name | Alert suppression | Event counting
Synchronization of the data that is stored on the primary federation server with the data on a secondary federation server did not occur. | AD FS Configuration Database Sync Error | N/A | If the same failures happen at least 3 times within 30 minutes
AD FS 2016 detected that the Federation Service has more than 100 trusts configured and that the data in the AD FS configuration database for this Federation Service is stored and synchronized using the Windows Internal Database technology. | Synchronization Threshold Violation | Suppress if the same failures happen | N/A

Certificate Management Failures Scenarios


The monitors/rules in the following table monitor the certificate management failures in the
Federation Service.

Sub-Scenario | Rule/monitor name | Alert suppression | Event counting
The Federation Service failed to load additional certificates. | Additional Certificate Load Error | Suppress if the failures are with the same thumbprint | No
Certificate monitoring failed. | Certificate Monitoring Failure | N/A | No

General Federation Server Failures Scenario


The monitors/rules in the following table monitor the startup failures and other operation or
configuration failures on the federation server computer or in the Federation Service.

Sub-Scenario | Rule/monitor name | Alert suppression | Event counting
Certificate: The private key for the token-signing or token-decrypting certificate that is in the AD FS configuration database could not be accessed by the AD FS service account. | AD FS 2016 Windows Service Failed to Start Because of a Private Key | N/A | No
Certificate: The certificate that is configured in the Federation Service configuration could not be found. The AD FS 2016 Windows Service failed to start. | AD FS 2016 Windows Service Failed to Start Because of Missing Certificate | N/A | No
Certificate: The certificate that was configured in the Federation Service was not unique. The AD FS 2016 Windows Service failed to start. | AD FS 2016 Windows Service Failed to Start Because of a Nonunique Certificate | N/A | No
Certificate: The certificate that is identified by the thumbprint could not be found in the LocalMachine "My" certificate store. | Certificate Load Warning | Suppress if the failures are with the same certificate | No
Certificate: An error occurred during an attempt to build the certificate chain for the configuration certificate that is identified by the thumbprint. | Certificate Validation Failure | Suppress if the failures are with the same thumbprint | No
Certificate: AD FS 2016 detected that one or more certificates in the AD FS configuration database must be updated manually because they are expired or will expire soon. | Configuration Has Expired Certificates Warning | N/A | No
Certificate: AD FS 2016 detected that one or more of your trusts require their certificates to be updated manually because they are expired or will expire soon. | Trusts Have Expired Certificates Warning | N/A | No
Certificate: The AD FS 2016 Windows Service failed to start because one of the configured certificates is not valid or has expired. | AD FS 2016 Windows Service Failed to Start Because of Invalid Certificate | N/A | No
Configuration: The element '%1' in the AD FS 2016 service configuration file has invalid data. The AD FS 2016 Windows Service failed to start. | AD FS 2016 Windows Service Failed to Start Because of a Bad Configuration Format | N/A | No
Configuration: The required element in the AD FS 2016 service configuration file was missing. The AD FS 2016 Windows Service failed to start. | AD FS 2016 Windows Service Failed to Start Because of a Missing Configuration Value | N/A | No
Configuration: The Federation Service encountered a configuration error. The AD FS 2016 Windows Service failed to start. | AD FS 2016 Windows Service Failed to Start on the Federation Server Because of Configuration Errors | N/A | No
Configuration: The federation server failed to refresh its cache. | Service Configuration Reload Error | N/A | If the failures happen at least 3 times within 1 hour
Configuration database: The AD FS configuration database that is stored in SQL Server is unavailable. | SQL Configuration Database Unavailable | N/A | No
Configuration database: The AD FS configuration database could not be loaded correctly. The AD FS 2016 Windows Service failed to start. | AD FS 2016 Windows Service Failed to Start Because of Configuration Load Error | N/A | No
Configuration database: Synchronization from the AD FS configuration database failed. | Synchronization from Configuration Database Failed | N/A | No
Configuration database: Failed to register notification to the SQL database with the connection string for the cache type. | SQL Notification Registration Error | N/A | No
Endpoint: An error occurred during an attempt to enable one or more endpoints for this Federation Service. The AD FS 2016 Windows Service failed to start. | AD FS 2016 Windows Service Failed to Start Because of an Exception | N/A | No
Service: The AD FS 2016 Windows Service was stopped on the federation server. | AD FS 2016 Windows Service Stopped on the Federation Server | N/A | No
Service restart: An error occurred during an attempt to restart the subservice. | Service Host Restart Error | N/A | No
SPN registration: The SPN of the AD FS 2016 service account is not registered correctly in Active Directory. | SPN Not Registered | N/A | No
Unexpected exception: The Federation Service encountered an unexpected exception error that resulted in the AD FS 2016 Windows Service being stopped. | Unhandled Exception Error | N/A | No

General Federation Server Proxy Failures Scenario
The monitors/rules in the following table monitor the startup failures and other operation or
configuration failures on the federation server proxy computer.

Sub-Scenario | Rule/monitor name | Alert suppression | Event counting
Endpoint: There are no endpoints configured for the federation server proxy in the Federation Service. | No Endpoints Configured for Proxy | N/A | No
Endpoint: The federation server proxy was not able to retrieve the list of endpoints from the Federation Service. | Proxy Endpoints Retrieval Error | N/A | If failures happen at least 20 times within 15 minutes
Federation server connection: The federation server proxy cannot reach the federation server. | Federation Server Connection Time-Out | N/A | If failures happen at least 10 times within half an hour
Federation server connection: The federation server proxy cannot contact the federation server. | Federation Server Proxy Connection Error | N/A | N/A
Service: The AD FS 2016 Windows Service was stopped on the federation server proxy. | AD FS 2016 Windows Service Stopped on Federation Server Proxy | N/A | No
Startup: The Federation Service encountered a configuration error. The AD FS 2016 Windows Service failed to start. | AD FS 2016 Windows Service Failed to Start on the Federation Server Proxy Because of Configuration Errors | N/A | No
Startup: The AD FS 2016 Windows Service could not be started on the federation server proxy. | Federation Server Proxy Failed to Start | N/A | No
Trust: The federation server proxy could not establish a trust relationship for the SSL channel with the federation server. | Federation Server SSL Certificate Not Trusted | N/A | No
Trust: The federation server proxy failed to authenticate to the federation server. | Federation Server Proxy Not Trusted by the Federation Server | N/A | No
Trust: The federation server proxy could not establish a trust with the Federation Service. | Federation Server Proxy Failed to Establish Trust | N/A | No
Trust: The federation server proxy could not renew its trust with the Federation Service. | Federation Server Proxy Failed to Renew Trust | N/A | If failures happen at least 6 times within 1.5 days

Known Issues
This section describes the known issues that are related to setting up the Active Directory
Federation Services (AD FS) Management Pack. If you cannot set up the management pack
properly, you may have to:
• Run the commands net stop healthservice and net start healthservice at a command
prompt on the MOM computer in situations in which you have reimported the management
pack.
• Disable IP version 6 (IPv6) on the agent computer that is running AD FS. For more
information, see How to disable certain Internet Protocol version 6 (IPv6) components in
Windows Vista, Windows 7, and Windows Server 2008.

Appendix: Scripts
The following table describes all the scripts that are included in the Active Directory Federation
Services (AD FS) Management Pack.
Script | Purpose | Rule/Task
FederationServerDiscovery.ps1 | Runs on the federation server computer and checks for federation server discovery | Federation Server discovery
FederationServerProxyDiscovery.ps1 | Runs on the federation server proxy and checks for federation server proxy discovery | Federation Server Proxy discovery
FederationServerProxyToServerCommunicationCheck.ps1 | Runs on the federation server proxy computer and queries the federation metadata XML from the federation server computer | Federation Server Proxy Connection Error
FederationServerProxyMEXEndpointCheck.ps1 | Runs on the federation server proxy computer and queries the Proxy MEX endpoint in the Federation Service | Proxy MEX Endpoint Is Unreachable
FederationServerProxyWebsitesIISCheck.ps1 | Runs on the federation server proxy computer and checks to see if the IIS service is running and if the ADFSAppPool application pool is running on the proxy computer | AD FS Application Pool Is Not Running on the Federation Server Proxy
FederationServerProxyWebsitesIISVDirCheck.ps1 | Runs on the federation server proxy computer and checks to see if the FedPassive virtual directory exists on the proxy computer | Federation Passive Web Site Application Is Missing on the Federation Server Proxy
FederationServerProxyWebsitesSSLCertFutureExpiryCheck.ps1 | Runs on the federation server proxy computer and checks to see if the configured SSL certificate will expire in 20 days or less on the proxy computer | SSL Certificate Warning on the Federation Server Proxy
FederationServerProxyWebsitesSSLCertValidityCheck.ps1 | Runs on the federation server proxy computer and checks to see if the configured SSL certificate has expired or has been revoked on the proxy computer | SSL Certificate Error on the Federation Server Proxy
FederationServerProxyWebsitesSSLCertRevocationCheckFailureCheck.ps1 | Runs on the federation server proxy computer and checks to see if the SSL certificate revocation check can be made successfully on the proxy computer | SSL Certificate Revocation Check Error on the Federation Server Proxy
FederationServerRemoteSQLServerPing.ps1 | Runs on the federation server computer and does a network ping on the SQL Server computer that hosts the AD FS configuration database | SQL Configuration Database Unavailable
FederationServerSPNCheck.ps1 | Runs on the federation server and checks if the correct SPN is configured for the AD FS service account | SPN Not Registered
FederationServerMEXEndpointCheck.ps1 | Runs on the federation server computer and queries the MEX endpoint in the Federation Service | MEX Endpoint Is Unreachable
FederationServerWebsitesIISCheck.ps1 | Runs on the federation server computer and checks to see if the IIS service is running and if the ADFSAppPool application pool is running on the federation server | AD FS Application Pool Is Not Running on the Federation Server
FederationServerProxyWebsitesIISVDirCheck.ps1 | Runs on the federation server computer and checks to see if the adfs\ls virtual directory that represents the federation passive Web site exists on the federation server computer | Federation Passive Web Site Application Is Missing on the Federation Server
FederationServerWebsitesSSLCertFutureExpiryCheck.ps1 | Runs on the federation server computer and checks to see if the configured SSL certificate will expire in 20 days or less on the federation server computer | SSL Certificate Warning on the Federation Server
FederationServerWebsitesSSLCertValidityCheck.ps1 | Runs on the federation server computer and checks to see if the configured SSL certificate has expired or has been revoked on the federation server computer | SSL Certificate Error on the Federation Server
FederationServerWebsitesSSLCertRevocationCheckFailureCheck.ps1 | Runs on the federation server computer and checks to see if the SSL certificate revocation check can be made successfully on the federation server computer | SSL Certificate Revocation Check Error on the Federation Server
TrustManagementAutoUpdateSkippedWithWarningCheck.ps1 | Runs on the federation server and checks if the automatic update setting of federation metadata for one or more trust configurations has been disabled in the Federation Service | Automatic Update of the Trust Was Disabled
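The three SSL certificate checks that the SSLCert*Check.ps1 scripts above and the SSL certificate rows of the Web Site Failures table describe (expired or revoked, revocation check failure, expiry within 20 days), as one added PowerShell example; it is not one of the management pack's own scripts. The function name, the caller-supplied thumbprint parameter and the status values are assumptions of this example.

```powershell
# Added example, not one of the management pack's own scripts: reports the three
# conditions the SSLCert*Check.ps1 scripts and the SSL certificate rules describe
# (expired or revoked, revocation check failure, expiry within 20 days).
function Test-FederationSslCertificate {
    [CmdletBinding()]
    param(
        # Thumbprint of the certificate bound to the federation passive Web site (supplied by the caller).
        [Parameter(Mandatory = $true)]
        [string]$Thumbprint,
        # Warning threshold; the management pack's warning rule uses 20 days.
        [int]$WarningDays = 20
    )
    $result = [ordered]@{
        Thumbprint = $Thumbprint
        Status     = 'OK'   # OK | ExpiringSoon | Expired | Revoked | RevocationCheckFailed | NotFound
        NotAfter   = $null
        DaysLeft   = $null
        Detail     = ''
    }

    # The guide's certificate rules look the certificate up in the LocalMachine "My" store.
    $normalized = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $normalized } |
        Select-Object -First 1
    if (-not $cert) {
        $result.Status = 'NotFound'
        $result.Detail = 'No certificate with this thumbprint in Cert:\LocalMachine\My'
        return [pscustomobject]$result
    }

    $now = Get-Date
    $result.NotAfter = $cert.NotAfter
    $result.DaysLeft = [math]::Floor(($cert.NotAfter - $now).TotalDays)
    # Validity first: an expired certificate is an error whatever the revocation check says.
    if ($cert.NotAfter -lt $now) {
        $result.Status = 'Expired'
        $result.Detail = "Certificate expired on $($cert.NotAfter)"
        return [pscustomobject]$result
    }

    # Build the chain with online revocation checking for every certificate in it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $null = $chain.Build($cert)
    # Each status entry may carry several flags ("A, B"); split them into individual names.
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() -split ',\s*' })
    $chain.Reset()

    if ($flags -contains 'Revoked') {
        $result.Status = 'Revoked'
        $result.Detail = 'A certificate in the chain has been revoked'
    }
    elseif (($flags -contains 'RevocationStatusUnknown') -or ($flags -contains 'OfflineRevocation')) {
        # CRL/OCSP lookup did not complete: the pack raises a separate
        # "Revocation Check Error" for this rather than treating the certificate as revoked.
        $result.Status = 'RevocationCheckFailed'
        $result.Detail = "Revocation status could not be determined: $($flags -join ', ')"
    }
    elseif ($result.DaysLeft -le $WarningDays) {
        $result.Status = 'ExpiringSoon'
        $result.Detail = "Certificate expires in $($result.DaysLeft) day(s)"
    }
    return [pscustomobject]$result
}

# Usage: placeholder thumbprint; on AD FS 2016, Get-AdfsSslCertificate lists the bound one.
Test-FederationSslCertificate -Thumbprint '<THUMBPRINT-PLACEHOLDER>' | Format-List
```

Run it under an account that can read the LocalMachine "My" store; a RevocationCheckFailed result from a server that cannot reach the CRL or OCSP endpoints is the same condition the SSL Certificate Revocation Check Error rules report.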