My boss often asks me, “Hey, can you tell me if AppManager is capable of monitoring ADFS?” I used to tell him that yes, it can be done: there is no module for ADFS, but the base infrastructure monitoring can be used instead. This is an interesting scenario for times when AppManager has no monitoring solution specific to the application, but you know you can use the base monitoring to do almost everything. So here’s my solution for monitoring ADFS using AppManager infrastructure monitoring.

Active Directory Federation Services (ADFS) monitoring consists of three parts which are ADFS components, Server and Network performance, and ADFS performance counters. I will explain at each level what to monitor using the AppManager infrastructure.

In the first part, the ADFS components, you need to monitor the Federation Service (adfssrv) to check whether it is running. This can be done using the “ServiceDown” KS from the WinOS module.

You can also run the “General_EventLog” KS to scan the event log for any certificate expiry entries related to ADFS. Generally, these entries are written to the Windows event log as warnings for at least a week before the certificate expires.

The second part of monitoring is observing system performance such as CPU, memory, and network load. Run the CPULoaded, MEMUtil and NetworkBusy KS to detect any misbehavior. Additionally, you can check the disk space on the “C” drive by running the DiskSpace KS.

The third part is to monitor the ADFS performance counters, which are important for detecting any abnormality. In my environment, I used the “General_Counter” KS to monitor ADFS-related counters such as “Artifact Resolution Requests” and “Extranet Account Lockouts”. However, you can go deeper and use this link to see which counters are of interest to you.
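The three parts above can be cross-checked locally on the ADFS server, which helps when validating what the Knowledge Scripts should be reporting. The following PowerShell is an added example, not part of the original post or of AppManager; the function name `Get-AdfsSpotCheck`, the log name `AD FS/Admin`, the counter object name `AD FS`, the counter paths and the thresholds are assumptions.

```powershell
# Added example (not from the original post): local spot check of the three
# monitoring areas. Run on the ADFS server in an elevated session.
function Get-AdfsSpotCheck {
    param(
        [int]$LookbackDays = 7,               # assumed event-log window
        [int]$CpuPct = 90,                    # assumed CPU alert threshold
        [int]$DiskFreePct = 10,               # assumed C: free-space threshold
        [string]$EventLog = 'AD FS/Admin',    # assumed ADFS admin log name
        [string]$CounterSet = 'AD FS'         # assumed performance object name
    )
    $out = @()
    $row = { param($c, $v, $a) [pscustomobject]@{ Check = $c; Value = $v; Alert = [bool]$a } }

    # Part 1: Federation Service state and certificate warnings in the event log.
    $svc = Get-Service -Name 'adfssrv' -ErrorAction SilentlyContinue
    $state = if ($svc) { "$($svc.Status)" } else { 'NotFound' }
    $out += & $row 'Service adfssrv' $state ($state -ne 'Running')

    # Level 3 = Warning; an empty result also covers "no matching events".
    $filter = @{ LogName = $EventLog; Level = 3; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    $warn = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'certificate' })
    $out += & $row "Certificate warnings, last $LookbackDays days" $warn.Count ($warn.Count -gt 0)

    # Part 2: server load and free space on C:.
    $cpu = (Get-Counter '\Processor(_Total)\% Processor Time' -SampleInterval 1 -MaxSamples 3).CounterSamples |
        Measure-Object -Property CookedValue -Average
    $out += & $row 'CPU % (3 s average)' ([math]::Round($cpu.Average, 1)) ($cpu.Average -gt $CpuPct)

    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'"
    $free = [math]::Round(100 * $disk.FreeSpace / $disk.Size, 1)
    $out += & $row 'C: free %' $free ($free -lt $DiskFreePct)

    # Part 3: ADFS counters (assumed paths); raw values, no threshold applied.
    $paths = "\$CounterSet\Artifact Resolution Requests", "\$CounterSet\Extranet Account Lockouts"
    foreach ($s in (Get-Counter -Counter $paths -ErrorAction SilentlyContinue).CounterSamples) {
        $out += & $row $s.Path $s.CookedValue $false
    }
    $out
}

Get-AdfsSpotCheck | Format-Table -AutoSize
```

The counter paths use English names, so on a localized Windows installation they need to be adjusted to the local counter names.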

There is also an ADFS Diagnostic module available, which is used to monitor ADFS health. I attached a module file (.psm1), which needs to be imported first using PowerShell 4.0:

Import-Module .\ADFSDiagnostics.psm1

After this, all of the module’s commands will be available to you. The Test-ADFSServerHealth cmdlet contains a series of health checks for the most common AD FS issues, and it’s perhaps the most useful one during troubleshooting. There are also other cmdlets that help you verify configuration and certificate properties, retrieve federation metadata, get a token from the STS (using the actual server where the cmdlet is running), and verify that the endpoints required for Office 365 are enabled and that Relying Party trusts are configured.

I hope this will help you to monitor the ADFS server. Thanks!


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Anmol Rastogi
Dec 15, 2016
12:58 pm