When i try to run this script it says it is not signed, on customers who set thier policy to allow only RemoteSigned scripts this is an issue. Am i doing something wrong or should we expect scripts to be signed especially when they are publicised by microsoft?

Issue by bongiovimatthew-microsoft
Wednesday Nov 29, 2017 at 23:39 GMT
Originally opened as microsoft/adfsLogTools#8

bongiovimatthew-microsoft included the following code: https://github.com/Microsoft/adfsLogTools/pull/8/commits

Issue by madhavpatel6
Friday Apr 20, 2018 at 20:47 GMT
Originally opened as microsoft/adfsManagementTools#7

madhavpatel6 included the following code: https://github.com/Microsoft/adfsManagementTools/pull/7/commits

Issue by bongiovimatthew-microsoft
Saturday Feb 10, 2018 at 01:42 GMT
Originally opened as microsoft/adfsLogTools#12

There is a TODO item in the code:

function: Process-EventsForAnalysis

TODO: Use for error

We should include the 411 audit data in the timeline analysis to show that token validation failed

Issue by madhavpatel6
Friday Jun 08, 2018 at 00:08 GMT
Originally opened as microsoft/adfsManagementTools#10

The encoding on the AD FS Metadata endpoint is not specified as a result the Web-Client assumes ISO 8859-1. This is an issue for servers in a different locale.

madhavpatel6 included the following code: https://github.com/Microsoft/adfsManagementTools/pull/10/commits

Issue by bongiovimatthew-microsoft
Wednesday Feb 07, 2018 at 23:46 GMT
Originally opened as microsoft/adfsLogTools#9

Fiddler captures HTTP requests and saves a set of files that can be parsed. Details on Fiddler serialization

The EventLog script can do the following steps to get the logs associated with the requests in a Fiddler trace:

1. Open "raw" folder in the Fiddler .saz file, find all <sessid#>_c.txt files
2. Locate the client requests to ADFS (parse the requests for URLs containing "adfs/ls")
3. Pull out the "client-request-id" query string parameter (might need to also look in _s.txt in the case where the server returns the ID, but the client never redirects with it)
4. Send the correlation ID to Get-ADFSEvents to collect the events associated with the current request
5. Repeat 1-4 for each independent correlation ID that gets discovered (as a Fiddler trace could contain multiple requests)

The current script should be altered to include a -FiddlerTrace parameter, which takes the filepath to the Fiddler trace.

An example execution would be:

Get-ADFSEvents -Logs Security, Admin, Debug -FiddlerTrace c:\fiddlerTrace.saz -Server *

Running on W2012R2 ADFS 3.0 - every upload results in the error "The diagnostics file is invalid."

Issue by reed1995
Thursday Sep 21, 2017 at 03:54 GMT
Originally opened as microsoft/adfsLogTools#2

Fixed stylisitc issues and added more detailed descriptions

reed1995 included the following code: https://github.com/Microsoft/adfsLogTools/pull/2/commits

Issue by rattuscz
Tuesday May 22, 2018 at 13:36 GMT
Originally opened as microsoft/adfsLogTools#16

As we still have some older servers with adfs 2.0, the log for those is not "AD FS/Admin" and "AD FS Tracing/Debug" but "AD FS 2.0/Admin" and "AD FS 2.0 Tracing/Debug"

I was not able to list those logs using Get-EventLog so I was checking for existence via

if ($null -ne (Get-WinEvent -LogName "AD FS 2.0/Admin" -MaxEvents 1 -ErrorAction Ignore) ) {
    $Log = "AD FS 2.0/Admin"
}

Not sure this is correct practice, or how it should be correctly handled.

I can make PR for 2.0 support but need a guidance how to correctly check it :-)

After installing the module on a Windows Server 2019 running ADFS, only a limited number of commands are available. See the attached screenshot.

There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the pr is merged this issue will be closed automatically.

Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.

Merge this pull request

This module wrongly assumes that the samAccountName is substring of the userPrincipalName before the '@'. However, this is not always true. A user or service account can have the userPrincipalName [email protected] but the samAccountName can be completely different, e.g. i-am-a-serviceaccou.

In addition to that, in Active Directory the samAccountname is limited to 20 characters. Another limitation that is ignored.

If we follow the example above, the assumptions made in the code would lead the module to wrongfully report unhealthy configurations.

Some wrong parts in the code are

Here $serviceAccount may return a userPrincipalName. The following setspn command will return the error FindDomainForAccount: Call to DsGetDcNameWithAccountW failed with return value 0x00000525; Could not find account [email protected]

$serviceAccount = (gwmi win32_service -filter "name='adfssrv'").StartName;
# [...]
[array]$serviceAccountSPN = setspn -L $serviceAccount;

https://github.com/microsoft/adfsToolbox/blob/master/diagnosticsModule/Private/AdfsConfiguration.ps1#L59

Here you assume that the samAccountName is simply the part in the userPrincipalName before the '@', which may be a lucky guess, but is technical false.

$serviceSamAccountName = $serviceAccountPartsUpn[0]
$serviceAccountDomain = TryGetDomainNameFromUpn $adfsServiceAccount
if ($serviceAccountDomain)
{
    $adfsServiceAccountFormatted = "$serviceAccountDomain\$serviceSamAccountName"
}

https://github.com/microsoft/adfsToolbox/blob/master/diagnosticsModule/Private/AdfsHealthChecks.ps1#L380

A possible solution would be to use Get-ADUser cmdlet.

$u = Get-ADUser -Filter "samaccountname -eq '$serviceAccount'"
if (!$u) {
   Get-ADUser -Filter "userPrincipalName -eq '$serviceAccount'"
}

Those are just two of many wrong parts in the code where those assumptions are made.

The PowerShell team changed the functionality of GetVersionEx and [System.Environment]::OSVersion.Version uses that underneath. This seems to only be an issue for WS 2012 R2 PowerShell ISE users.

Issue by madhavpatel6
Monday Jul 16, 2018 at 19:29 GMT
Originally opened as microsoft/adfsManagementTools#13

madhavpatel6 included the following code: https://github.com/Microsoft/adfsManagementTools/pull/13/commits

Issue by rattuscz
Tuesday May 22, 2018 at 13:21 GMT
Originally opened as microsoft/adfsLogTools#15

Allows to specify different credentials for remote server connections

rattuscz included the following code: https://github.com/Microsoft/adfsLogTools/pull/15/commits

I have experienced an error in the following snippet of the code (around line 1022):
# Check for UPN style old name and convert to domain\username for SPN work items
If ($OldName.ToString() -match "@") { $OldName = ($OldName.Split("@")[1]).ToString() + "" + ($OldName.Split("@")[0]).ToString() Write-Host "tUsing $OldName in order to meet SPN requirements" -ForegroundColor "gray"
($ElapsedTime.Elapsed.ToString())+" [INFO] Using $OldName in order to meet SPN requirements" | Out-File $LogPath -Append
}

The error occurred because the old ADFS Service user was in the UPN format AND the domain part is not the same domain to use in the format 'domain\user'.

To solve, I need to change the user format in ADFS Service to 'domain\user' before to run the script again.

Issue by bongiovimatthew-microsoft
Thursday May 24, 2018 at 21:40 GMT
Originally opened as microsoft/adfsLogTools#18

bongiovimatthew-microsoft included the following code: https://github.com/Microsoft/adfsLogTools/pull/18/commits

Issue by bongiovimatthew-microsoft
Saturday Feb 10, 2018 at 01:42 GMT
Originally opened as microsoft/adfsLogTools#13

The following TODO item exists in the code:

function: Get-AdfsEvents

TODO: Add warning if environment is not Win2016

If the * was used for the -Server flag, but the environment is not Win2016 or higher, we should issue a warning, and use the default "LocalHost" for the -Server flag

Issue by rattuscz
Monday May 28, 2018 at 16:51 GMT
Originally opened as microsoft/adfsLogTools#20

Initial try to bring script to PS 2.0 compatible version - as our ADFS 2.0 are also PS2.0 😢

Analytics part still does not work - ConvertFrom-Json not in ps2

Not sure if this PS2.0 compatibility is even desirable in main branch, maybe as a separate?
Anyway looking for feedback

rattuscz included the following code: https://github.com/Microsoft/adfsLogTools/pull/20/commits

Issue by bongiovimatthew-microsoft
Saturday Feb 10, 2018 at 01:40 GMT
Originally opened as microsoft/adfsLogTools#11

The following TODO item exists in the code:

function: Process-EventsForAnalysis

TODO: Validate that all events have the same correlation ID, or no correlation ID

When we do the first pass through the events to build the hashtable of instance IDs, we should validate the correlation IDs

Put up a warning if we ever see an event with a different correlation ID (it's okay for it to have no correlation ID)

Issue by madhavpatel6
Thursday Apr 19, 2018 at 18:59 GMT
Originally opened as microsoft/adfsManagementTools#6

• Added pester tests
• Fixed minor bugs

madhavpatel6 included the following code: https://github.com/Microsoft/adfsManagementTools/pull/6/commits

Issue by bongiovimatthew-microsoft
Wednesday Feb 14, 2018 at 23:57 GMT
Originally opened as microsoft/adfsManagementTools#1

Issue by bongiovimatthew-microsoft
Tuesday Sep 19, 2017 at 18:22 GMT
Originally opened as microsoft/adfsLogTools#1

bongiovimatthew-microsoft included the following code: https://github.com/Microsoft/adfsLogTools/pull/1/commits

Issue by TspringMSFT
Wednesday Nov 15, 2017 at 14:51 GMT
Originally opened as microsoft/adfsLogTools#6

Added 2 functions: Enable-ADFSAuditing, and Disable-ADFSAuditing. Tested on ADFS 2012R2 and 2016. And on SQL and WID config.

TspringMSFT included the following code: https://github.com/Microsoft/adfsLogTools/pull/6/commits

Issue by rattuscz
Monday May 28, 2018 at 14:36 GMT
Originally opened as microsoft/adfsLogTools#19

related #16
Well I've ended up on this "solution".

Basically we need to evaluate available logs on the remote machines themselves, then replace "AD FS" with "AD FS 2.0" in log name, provider and also in query.

This is due to strings formatted before the log/provider name is sent to remote server ( MakeQuery receives already processed query and log.

Also not sure about using hardcoded strings in replacement, but using $script on remote would mean to either pass them all as params OR prepopulate the session with them before calling MakeQuery
Due to this I believe hardcoding AD FS 2.0 is a bit better as it's legacy and thus is not likely to ever change again.

Suggestions welcome in any way :-)

rattuscz included the following code: https://github.com/Microsoft/adfsLogTools/pull/19/commits

Issue by bongiovimatthew-microsoft
Thursday Nov 16, 2017 at 00:47 GMT
Originally opened as microsoft/adfsLogTools#7

bongiovimatthew-microsoft included the following code: https://github.com/Microsoft/adfsLogTools/pull/7/commits

Issue by reed1995
Tuesday Oct 31, 2017 at 16:57 GMT
Originally opened as microsoft/adfsLogTools#5

reed1995 included the following code: https://github.com/Microsoft/adfsLogTools/pull/5/commits

Issue by reed1995
Thursday Oct 26, 2017 at 16:51 GMT
Originally opened as microsoft/adfsLogTools#4

Wasn't being treated as array if only 1 item returned

reed1995 included the following code: https://github.com/Microsoft/adfsLogTools/pull/4/commits

Issue by msalim
Friday Jul 13, 2018 at 23:20 GMT
Originally opened as microsoft/adfsManagementTools#12

msalim included the following code: https://github.com/Microsoft/adfsManagementTools/pull/12/commits

1. Function GenerateSQLScripts
   ADFS 2012 database name "AdfsConfiguration" is hardcoded in line 437
   It is a bug, DB update will fail on newer ADFS version
   2016 - AdfsConfigurationV3 and 2019 - AdfsConfigurationV4

2. Function Set-CertificateSharingContainerSecurity
   note: requires domain admin permissions
   ADFS property $ADFSProperties.CertificateSharingContainer will be always $null when running without domain admin rights
   Service account permissions set by this function grant: #GenericRead , #CreateChild , #WriteProperty , #Self
   are different to permissions in this script
   https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/install-ad-fs-delegated-admin#script-for-preparing-ad : #GenericRead , #CreateChild , #WriteProperty, #WriteOwner , #DeleteTree , #WriteDACL
   Which permissions are the right one?

3. old service account SID in ServiceSettingsData configuration after change
   after service account change SID of old account still exists in configuration data in:
   <SecurityTokenService>....
<AllowedOnBehalfOfCallers><Sid>S-1-5-21-xxxxxxxx.....</Sid></AllowedOnBehalfOfCallers>....
</SecurityTokenService>
   No idea what is it about, but definitely looks strange. https://learn.microsoft.com/en-us/dotnet/api/microsoft.identityserver.policymodel.configuration.stsconfiguration.allowedonbehalfofcallers?view=adfs-2019#microsoft-identityserver-policymodel-configuration-stsconfiguration-allowedonbehalfofcallers

As of 7/31/2019, we have migrated the diagnosticsModule from PowerShell to C# into a new repository. As a consequence of this change, the new repository is not publically available; however, we will still be making improvements to ADFSToolbox and releasing them here. This repository will remain public, but will not be actively maintained. ADFSToolbox is still being actively worked on and can be installed from here.

Like this message or respond if you think we should invest in open sourcing the new version of ADFSToolbox

Issue by maweeras-msft
Friday May 11, 2018 at 14:28 GMT
Originally opened as microsoft/adfsManagementTools#8

If an AD FS farm has been hardened for TLS by disabling TLS1.0, TLS 1.1 as per https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs then the Test-AdfsServerToken will fail as invoke-webrequest uses TLS 1.0 by default.

PS C:\WINDOWS\system32> $error[0] | fl * -f


PSMessageDetails      :
Exception             : System.Net.WebException: The underlying connection was closed: An unexpected error occurred on
                        a send. ---> System.IO.IOException: Unable to read data from the transport connection: An
                        existing connection was forcibly closed by the remote host. --->
                        System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote
                        host
                           at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
                           --- End of inner exception stack trace ---
                           at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
                           at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
                           at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest
                        asyncRequest)
                           at System.Net.Security.SslState.CheckCompletionBeforeNextReceive(ProtocolToken message,
                        AsyncProtocolRequest asyncRequest)
                           at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer,
                        AsyncProtocolRequest asyncRequest)
                           at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
                           at System.Threading.ExecutionContext.RunInternal(ExecutionContext executionContext,
                        ContextCallback callback, Object state, Boolean preserveSyncCtx)
                           at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback
                        callback, Object state, Boolean preserveSyncCtx)
                           at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback
                        callback, Object state)
                           at System.Net.TlsStream.ProcessAuthentication(LazyAsyncResult result)
                           at System.Net.TlsStream.Write(Byte[] buffer, Int32 offset, Int32 size)
                           at System.Net.ConnectStream.WriteHeaders(Boolean async)
                           --- End of inner exception stack trace ---
                           at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.GetResponse(WebRequest request)
                           at Microsoft.PowerShell.Commands.WebRequestPSCmdlet.ProcessRecord()
TargetObject          : System.Net.HttpWebRequest
CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
ErrorDetails          :
InvocationInfo        : System.Management.Automation.InvocationInfo
ScriptStackTrace      : at Test-AdfsServerToken, C:\Program
                        Files\WindowsPowerShell\Modules\ADFSDiagnostics\1.1.0\Public\Test-AdfsServerToken.ps1: line 79
                        at <ScriptBlock>, <No file>: line 1
PipelineIterationInfo : {}

As a workaround setting TLS1.2 to be used like so then makes this cmdlet work.

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Can we have the logic for the cmdlet updated to handle the error and use TLS 1.2 if required?

Issue by reed1995
Wednesday Oct 25, 2017 at 17:00 GMT
Originally opened as microsoft/adfsLogTools#3

Replaced process block with foreach. Also addressed issue of events not being grouped together if only a single correlation id provided.

reed1995 included the following code: https://github.com/Microsoft/adfsLogTools/pull/3/commits

Issue by madhavpatel6
Friday Mar 23, 2018 at 20:43 GMT
Originally opened as microsoft/adfsManagementTools#3

- Refactored existing code
- Added new test cases related to WAP and ADFS
	- Checking trusted devices certificate store
	- Checking ADFS Patches
	- Checking the service principal name
	- Checking that the ADFS proxy service
	- Checking that there are no Non-Self-Signed certificates in the
	root store
	- Checking the Proxy SSL bindings
- Added new error result type that will be used to indicate when
something unexpected happened

madhavpatel6 included the following code: https://github.com/Microsoft/adfsManagementTools/pull/3/commits

Test if Root certificates are located in the intermediate store and vice versa.

$rootconflicts = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $.Issuer -ne $.Subject }
$conflicts = Get-ChildItem Cert:\LocalMachine\CA | Where-Object { $.Issuer -eq $.Subject }

Source:
https://davidmcwee.com/2018/02/27/adfs-certificate-authentication-and-a-dirty-certificate-store/

Issue by madhavpatel6
Monday May 21, 2018 at 17:09 GMT
Originally opened as microsoft/adfsManagementTools#9

• Addressed issue #8
• Fixed bug in TestProxyTrustPropagation
• Updated method to run tests

madhavpatel6 included the following code: https://github.com/Microsoft/adfsManagementTools/pull/9/commits

Issue by madhavpatel6
Tuesday Mar 13, 2018 at 20:51 GMT
Originally opened as microsoft/adfsManagementTools#2

Restructured module into separate files
Fixed trailing white-spaces
Converted tabs to spaces

madhavpatel6 included the following code: https://github.com/Microsoft/adfsManagementTools/pull/2/commits

Issue by madhavpatel6
Wednesday Apr 11, 2018 at 18:07 GMT
Originally opened as microsoft/adfsManagementTools#5

• Added new ADFS and WAP tests
• Updated Test-AdfsServerHealth to enable remote test execution
• Updated return type of Test-AdfsServerHealth to be easier to handle

madhavpatel6 included the following code: https://github.com/Microsoft/adfsManagementTools/pull/5/commits

Issue by bongiovimatthew-microsoft
Thursday Feb 08, 2018 at 19:06 GMT
Originally opened as microsoft/adfsLogTools#10

bongiovimatthew-microsoft included the following code: https://github.com/Microsoft/adfsLogTools/pull/10/commits

It appears WAP Export bug was re-introduced in version 1.0.4

Export works OK in verison 1.03

PS C:\Utils> Export-AdfsDiagnosticsFile -sslThumbprint "########################" -Verbose
VERBOSE: Export-AdfsDiagnosticsFile: Creating file ADFSDiagnosticsFile-20180926141632.json
VERBOSE: GenerateJSONDiagnosticData: Generating diagnostic data
VERBOSE: GenerateDiagnosticData: Binding each argument to relevant cmdlets
VERBOSE: GenerateDiagnosticData: Attempting to run cmdlet Test-AdfsServerHealth
Performing applicable health checks on your WAP server.
VERBOSE: IsTlsVersionEnabled: Checking if TLS 1.0 is enabled
VERBOSE: IsTlsVersionEnabled: The registry key for this TLS version does not exist at HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0
VERBOSE: IsTlsVersionEnabled: Checking if TLS 1.1 is enabled
VERBOSE: IsTlsVersionEnabled: The registry key for this TLS version does not exist at HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1
VERBOSE: IsTlsVersionEnabled: Checking if TLS 1.2 is enabled
VERBOSE: IsTlsVersionEnabled: The registry key for this TLS version does not exist at HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2
VERBOSE: TestTimeSync: Checking time synchronization.
VERBOSE: TestTimeSync: Detected that the current server is a WAP server.
VERBOSE: IsServerTimeInSyncWithReliableTimeServer: Comparing server time with reliable time server
VERBOSE: GET http://nist.time.gov/actualtime.cgi?lzbc=siqm9b with 0-byte payload
VERBOSE: received 62-byte response of content type text/xml
VERBOSE: IsServerTimeInSyncWithReliableTimeServer: Current reliable time server time UTC 09/26/2018 13:16:34
VERBOSE: IsServerTimeInSyncWithReliableTimeServer: Current server time UTC 09/26/2018 13:16:33
VERBOSE: IsServerTimeInSyncWithReliableTimeServer: Time difference in seconds 1
VERBOSE: TestProxySslBindings: Parameter AdfsSslThumbprint = c7f41c20872c8d856f912f10ddb58882ef34a468
VERBOSE: TestProxySslBindings: Attempting to get federation service name.
VERBOSE: TestProxySslBindings: Retrieved federation service name: signon.impellam.com.
VERBOSE: TestProxySslBindings: Retrieved ADFS Port: 443 TLS Port: 49443
VERBOSE: TestProxySslBindings: Attempting to validate expected SSL bindings.
VERBOSE: IsSslBindingValid: Validating SSL binding for signon.impellam.com:443.
VERBOSE: IsSslBindingValid: Successfully validated SSL binding for signon.impellam.com:443.
VERBOSE: IsSslBindingValid: Validating SSL binding for signon.impellam.com:49443.
VERBOSE: IsSslBindingValid: Successfully validated SSL binding for signon.impellam.com:49443.
Successfully completed all health checks.
GenerateDiagnosticData : Error running cmdlet ADFSToolbox\Test-AdfsServerHealth -sslThumbprint $sslThumbprint: Cannot find an overload for "TestResultsContainer" and the argument
count: "1".
At C:\Program Files\WindowsPowerShell\Modules\adfsToolbox-1.0.3\diagnosticsModule\Private\HelperUtilities.ps1:690 char:23

• ... osticData = GenerateDiagnosticData -includeTrusts:$includeTrusts -ssl ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [Write-Error], WriteErrorException
  • FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,GenerateDiagnosticData

VERBOSE: GenerateJSONDiagnosticData: Successfully generated diagnostic data
VERBOSE: Export-AdfsDiagnosticsFile: Outputting diagnostic data at C:\Utils\ADFSDiagnosticsFile-20180926141632.json
Please upload the diagnostic file located at C:\Utils\ADFSDiagnosticsFile-20180926141632.json to https://adfshelp.microsoft.com/DiagnosticsAnalyzer/Analyze.

Issue by reed1995
Friday Mar 30, 2018 at 18:11 GMT
Originally opened as microsoft/adfsManagementTools#4

Service account script updated to work on adfs 2016 and later

reed1995 included the following code: https://github.com/Microsoft/adfsManagementTools/pull/4/commits

Issue by tquerec
Friday Jun 08, 2018 at 18:09 GMT
Originally opened as microsoft/adfsManagementTools#11

tquerec included the following code: https://github.com/Microsoft/adfsManagementTools/pull/11/commits

Issue by reed1995
Monday Feb 12, 2018 at 19:22 GMT
Originally opened as microsoft/adfsLogTools#14

Fixed multiple server bug

reed1995 included the following code: https://github.com/Microsoft/adfsLogTools/pull/14/commits

Issue by bongiovimatthew-microsoft
Tuesday May 22, 2018 at 16:26 GMT
Originally opened as microsoft/adfsLogTools#17

The first three functions in the file are repeated, and should be removed:

• Enable-ADFSAuditing

• Disable-ADFSAuditing

• Set-ADFSAuditingRemote

If a customer is using Azure MFA with ADFS, they configure an auth cert per ADFS node that gets used for authenticating that ADFS node to the Azure MFA server. (Details here).

It would be good to validate these certs, and also ensure that there is one per every node in the farm.