Federation Trust Partner Certificates
Saturday, May 29, 2010 at 11:36AM

So we all know that the thing that breaks AD FS is PKI. What's sometimes frustrating is that it's not always "your problem".
In a federated trust relationship, an AD FS-protected application will often fail because a certificate on the partner side has expired, often without the partner being aware of it. That makes for a fun day of trying to track down "the ADFS guy" in the other organization and convince them that they need to go update their (most often) token-signing certificate.
Now, there’s no actual way to prevent this from occurring – you don’t control your partner’s infrastructure, and that’s kinda the point.
But AD FS 2.0 will at least try to alert you that a problem may be about to occur, by logging an event when one of your configured partners' certificates is about to expire, or has actually expired:
Event ID 389
AD FS 2.0 detected that one or more of your trusts require their certificates to be updated manually because they are expired, or will expire soon.
If AD FS 2.0 is a major part of your operational life, this event needs to trigger an alert in your monitoring system of choice.
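A check built on this advice, added here as an example and not part of the original post: it lists every certificate on each claims provider and relying party trust with its days to expiry, and also looks for recent Event ID 389 entries, so a scheduled task or monitoring agent can alert before the partner's certificate actually expires. It assumes the AD FS 2.0 PowerShell snap-in and the cmdlet and property names named in the comments; the 30-day threshold is an arbitrary choice.

```powershell
# Added example (not from the original post). Assumptions: the AD FS 2.0
# snap-in Microsoft.Adfs.PowerShell is installed, and the cmdlets and
# properties used below (Get-ADFSClaimsProviderTrust, Get-ADFSRelyingPartyTrust,
# TokenSigningCertificates, EncryptionCertificate, RequestSigningCertificate)
# match the installed version. Written for PowerShell 2.0 on Server 2008 R2.
param([int]$WarnDays = 30)

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

# Build one status record per certificate, with days until NotAfter.
function New-CertRecord($trustType, $trustName, $cert) {
    New-Object PSObject -Property @{
        Trust      = $trustType
        Name       = $trustName
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays
    }
}

# Enumerate partner certificates on both kinds of federation trust.
function Get-PartnerCertificateStatus {
    foreach ($cp in Get-ADFSClaimsProviderTrust) {
        $certs = @($cp.TokenSigningCertificates) + @($cp.EncryptionCertificate)
        foreach ($c in ($certs | Where-Object { $_ })) {
            New-CertRecord 'ClaimsProvider' $cp.Name $c
        }
    }
    foreach ($rp in Get-ADFSRelyingPartyTrust) {
        $certs = @($rp.RequestSigningCertificate) + @($rp.EncryptionCertificate)
        foreach ($c in ($certs | Where-Object { $_ })) {
            New-CertRecord 'RelyingParty' $rp.Name $c
        }
    }
}

# Event ID 389 written to the AD FS 2.0 Admin log in the last 24 hours.
function Get-RecentEvent389 {
    Get-WinEvent -FilterHashtable @{ LogName = 'AD FS 2.0/Admin'; Id = 389;
        StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue
}

$expiring = Get-PartnerCertificateStatus | Where-Object { $_.DaysLeft -le $WarnDays }
$events   = @(Get-RecentEvent389)
if ($expiring -or $events.Count -gt 0) {
    $expiring | Sort-Object DaysLeft |
        Select-Object Trust, Name, Thumbprint, NotAfter, DaysLeft | Format-Table -AutoSize
    "Event 389 occurrences in the last 24h: $($events.Count)"
    exit 1   # non-zero exit so the scheduled task or monitoring check registers a failure
}
exit 0
```

Run it from a scheduled task on a federation server and alert on a non-zero exit code; the event query catches what AD FS already noticed, while the certificate walk gives you the lead time the event alone may not.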