AD FS Diagnostics Module

The AD FS Diagnostics Module contains commandlets to gather configuration information of an AD FS server, as well as commandlets to perform health checks to detect configuration issues based on common root causes identified during support engagements such as duplicate SPN, certificates not found, DNS records, etc.

Some examples below:

PowerShell

Edit|Remove

#Get information about the system
Get-AdfsSystemInformation

#Get information about the AD FS farm deployment
Get-AdfsServerConfiguration 

#Perform health checks
Test-AdfsServerHealth | ft Name,Result  -AutoSize

#Get only the tests that failed
Test-AdfsServerHealth | where {$_.Result -eq "Fail"} | fl

#Synthetic transaction to request a token with windows integrated authentication against the Azure Active Directory Relying Party 
Test-AdfsServerToken -federationServer fs.yourdomain.com -appliesTo urn:federation:MicrosoftOnline

#Synthetic transaction to request a token with username/password credential against the Azure Active Directory Relying Party 
Test-AdfsServerToken -federationServer fs.yourdomain.com -appliesTo urn:federation:MicrosoftOnline -credential (Get-Credential)

#output the claims in the powershell pipeline
$token = [Xml](Test-AdfsServerToken -federationServer localhost -appliesTo urn:federation:MicrosoftOnline)
$token.Envelope.Body.RequestSecurityTokenResponse.RequestedSecurityToken.Assertion.AttributeStatement.Attribute | ft

#get the events based on a activity ID
Get-AdfsServerTrace -activityId $activityId 

#get the events based on a activity ID, save as HTML file
Get-AdfsServerTrace -activityId $activityId -outHtmlFile .\Report.htm

#Get information about the system 
Get-AdfsSystemInformation 
 
#Get information about the AD FS farm deployment 
Get-AdfsServerConfiguration  
 
#Perform health checks 
Test-AdfsServerHealth | ft Name,Result  -AutoSize 
 
#Get only the tests that failed 
Test-AdfsServerHealth | where {$_.Result -eq "Fail"} | fl 
 
#Synthetic transaction to request a token with windows integrated authentication against the Azure Active Directory Relying Party  
Test-AdfsServerToken -federationServer fs.yourdomain.com -appliesTo urn:federation:MicrosoftOnline 
 
#Synthetic transaction to request a token with username/password credential against the Azure Active Directory Relying Party  
Test-AdfsServerToken -federationServer fs.yourdomain.com -appliesTo urn:federation:MicrosoftOnline -credential (Get-Credential) 
 
#output the claims in the powershell pipeline 
$token = [Xml](Test-AdfsServerToken -federationServer localhost -appliesTo urn:federation:MicrosoftOnline) 
$token.Envelope.Body.RequestSecurityTokenResponse.RequestedSecurityToken.Assertion.AttributeStatement.Attribute | ft 
 
#get the events based on a activity ID 
Get-AdfsServerTrace -activityId $activityId  
 
#get the events based on a activity ID, save as HTML file 
Get-AdfsServerTrace -activityId $activityId -outHtmlFile .\Report.htm

Examples of the health check output

PowerShell

Edit|Remove

Name                                     Result Detail                                                                            
----                                     ------ ------                                                                            
IsAdfsRunning                              Pass                                                                                   
IsWidRunning                               Pass                                                                                   
PingFederationMetadata                     Pass                                                                                   
CheckCertificatesAvailable                 Pass                                                                                   
CheckCertificatesPrivateKey                Pass                                                                                   
CheckAdfsSslBindings                       Pass                                                                                   
CheckCertificatesKeyUsage                  Fail Certificate Usage: Token-Decrypting...                                            
CheckCertificatesExpired                   Pass                                                                                   
CheckCertificatesAboutToExpire             Pass                                                                                   
CheckCertificatesSslSelfSigned             Pass                                                                                   
CheckCertificatesAvailable-Secondary       Pass                                                                                   
CheckCertificatesPrivateKey-Secondary      Pass                                                                                   
CheckAdfsSslBindings-Secondary             Pass                                                                                   
CheckCertificatesKeyUsage-Secondary        Pass                                                                                   
CheckCertificatesExpired-Secondary         Pass                                                                                   
CheckCertificatesAboutToExpire-Secondary   Pass                                                                                   
CheckCRLAccess-Service-Communications      Pass Thumbprint: F31F254C7A5BC1DAD35CD9843C6F12F5F5FB7ADB...                           
CheckCRLAccess-Token-Decrypting            Pass Thumbprint: 01FDA170570651C73AACC8599423310C9935E9D1...                           
CheckCRLAccess-Token-Signing               Pass Thumbprint: F31F254C7A5BC1DAD35CD9843C6F12F5F5FB7ADB...                           
CheckCRLAccess-SSL                         Pass Thumbprint: F31F254C7A5BC1DAD35CD9843C6F12F5F5FB7ADB...                           
CheckCRLAccess-SSL                         Pass Thumbprint: F31F254C7A5BC1DAD35CD9843C6F12F5F5FB7ADB...                           
CheckCRLAccess-SSL                         Pass Thumbprint: F31F254C7A5BC1DAD35CD9843C6F12F5F5FB7ADB...                           
CheckCRLAccess-SSL                         Pass Thumbprint: F31F254C7A5BC1DAD35CD9843C6F12F5F5FB7ADB...                           
CheckFarmDNSHostResolution                 Pass                                                                                   
CheckDuplicateSPN                          Pass Found SPN in object: CN=fssvc,CN=Users,DC=adfsonpremV2,DC=info                    
TestServiceAccountProperties               Pass                                                                                   
TestAppPoolIDMatchesServiceID            NotRun Test only to be run on ADFS 2.0                                                   
TestComputerNameEqFarmName                 Pass                                                                                   
TestSSLUsingADFSPort                     NotRun Test only to be run on ADFS 2.0 Machine                                           
TestSSLCertSubjectContainsADFSFarmName     Pass                                                                                   
TestAdfsRequestToken                       Pass Token Received: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" x...
CheckOffice365Endpoints                    Fail Lync related endpoint are not configured properly, extranet users can experienc...
TestADFSO365RelyingParty                   Pass

Name                                     Result Detail                                                                             
----                                     ------ ------                                                                             
IsAdfsRunning                              Pass                                                                                    
IsWidRunning                               Pass                                                                                    
PingFederationMetadata                     Pass                                                                                    
CheckCertificatesAvailable                 Pass                                                                                    
CheckCertificatesPrivateKey                Pass                                                                                    
CheckAdfsSslBindings                       Pass                                                                                    
CheckCertificatesKeyUsage                  Fail Certificate Usage: Token-Decrypting...                                             
CheckCertificatesExpired                   Pass                                                                                    
CheckCertificatesAboutToExpire             Pass                                                                                    
CheckCertificatesSslSelfSigned             Pass                                                                                    
CheckCertificatesAvailable-Secondary       Pass                                                                                    
CheckCertificatesPrivateKey-Secondary      Pass                                                                                    
CheckAdfsSslBindings-Secondary             Pass                                                                                    
CheckCertificatesKeyUsage-Secondary        Pass                                                                                    
CheckCertificatesExpired-Secondary         Pass                                                                                    
CheckCertificatesAboutToExpire-Secondary   Pass                                                                                    
CheckCRLAccess-Service-Communications      Pass Thumbprint: F31F254C7A5BC1DAD35CD9843C6F12F5F5FB7ADB...                            
CheckCRLAccess-Token-Decrypting            Pass Thumbprint: 01FDA170570651C73AACC8599423310C9935E9D1...                            
CheckCRLAccess-Token-Signing               Pass Thumbprint: F31F254C7A5BC1DAD35CD9843C6F12F5F5FB7ADB...                            
CheckCRLAccess-SSL                         Pass Thumbprint: F31F254C7A5BC1DAD35CD9843C6F12F5F5FB7ADB...                            
CheckCRLAccess-SSL                         Pass Thumbprint: F31F254C7A5BC1DAD35CD9843C6F12F5F5FB7ADB...                            
CheckCRLAccess-SSL                         Pass Thumbprint: F31F254C7A5BC1DAD35CD9843C6F12F5F5FB7ADB...                            
CheckCRLAccess-SSL                         Pass Thumbprint: F31F254C7A5BC1DAD35CD9843C6F12F5F5FB7ADB...                            
CheckFarmDNSHostResolution                 Pass                                                                                    
CheckDuplicateSPN                          Pass Found SPN in object: CN=fssvc,CN=Users,DC=adfsonpremV2,DC=info                     
TestServiceAccountProperties               Pass                                                                                    
TestAppPoolIDMatchesServiceID            NotRun Test only to be run on ADFS 2.0                                                    
TestComputerNameEqFarmName                 Pass                                                                                    
TestSSLUsingADFSPort                     NotRun Test only to be run on ADFS 2.0 Machine                                            
TestSSLCertSubjectContainsADFSFarmName     Pass                                                                                    
TestAdfsRequestToken                       Pass Token Received: <s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" x... 
CheckOffice365Endpoints                    Fail Lync related endpoint are not configured properly, extranet users can experienc... 
TestADFSO365RelyingParty                   Pass