<#
.SYNOPSIS
Windows ADFS Prometheus Metrics Exporter
.DESCRIPTION
Prometheus exporter for Active Directory Federation Services - token request
counts, authentication success/failure, relying party trusts, certificate
expiry, extranet lockout events, and WAP health. Exports metrics as
Prometheus-compatible text format.
.PARAMETER Mode
Output mode: 'stdout' (default), 'textfile', or 'http'
.PARAMETER Port
HTTP port for http mode (default: 9635)
.PARAMETER TextfileDir
Directory for textfile collector output (default: C:\ProgramData\node_exporter)
.PARAMETER InstallScheduledTask
Switch to create a scheduled task for auto-start on system boot
.PARAMETER TaskIntervalMinutes
Interval in minutes for the scheduled task (default: 2)
.NOTES
Author: Phil Connor
Contact: contact@mylinux.work
Website: https://mylinux.work
License: MIT
Version: 1.0
Metrics Exported:
Core Status:
- adfs_up
- adfs_exporter_info{version}
Token Requests:
- adfs_token_requests_total
- adfs_token_requests_success_total
- adfs_token_requests_failed_total
Authentication:
- adfs_authentication_success_total
- adfs_authentication_failure_total
Relying Parties:
- adfs_relying_party_trust_count
Certificates:
- adfs_certificate_expiry_seconds{type,thumbprint}
Extranet Lockout:
- adfs_extranet_lockout_events_total
WAP Health:
- adfs_wap_health
Exporter:
- adfs_exporter_duration_seconds
- adfs_exporter_last_run_timestamp
#>
param(
[ValidateSet('stdout', 'textfile', 'http')]
[string]$Mode = 'stdout',
[int]$Port = 9635,
[string]$TextfileDir = 'C:\ProgramData\node_exporter',
[switch]$InstallScheduledTask,
[int]$TaskIntervalMinutes = 2
)
# Create a scheduled task to run this script every $TaskIntervalMinutes minutes
if ($InstallScheduledTask) {
$taskName = "AdfsExporter"
$existingTask = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if (-not $existingTask) {
$taskAction = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$($MyInvocation.MyCommand.Path)`" -Mode textfile"
if (-not $TaskIntervalMinutes -or $TaskIntervalMinutes -le 0) {
throw "TaskIntervalMinutes must be a positive integer"
}
$taskTrigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes $TaskIntervalMinutes) -RepetitionDuration (New-TimeSpan -Days 365)
$taskPrincipal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
try {
Write-Host "Creating scheduled task: $taskName"
Register-ScheduledTask -TaskName $taskName -Action $taskAction -Trigger $taskTrigger -Principal $taskPrincipal -Description "Exports ADFS metrics for Prometheus every $TaskIntervalMinutes minutes"
$createdTask = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if (-not $createdTask) {
throw "Failed to verify scheduled task creation"
}
Write-Host "Successfully created scheduled task: $taskName" -ForegroundColor Green
} catch {
Write-Error "Failed to create scheduled task: $($_.Exception.Message)"
throw
}
} else {
Write-Host "Scheduled task '$taskName' already exists, skipping creation"
}
}
$ErrorActionPreference = 'SilentlyContinue'
# ============================================================================
# HELPER FUNCTIONS
# ============================================================================
function Get-UnixTimestamp {
[int][double]::Parse((Get-Date -UFormat '%s'))
}
function Format-MetricValue {
param([double]$Value, [int]$Decimals = 2)
[math]::Round($Value, $Decimals)
}
# ============================================================================
# ADFS METRICS
# ============================================================================
function Get-AdfsMetrics {
$sb = [System.Text.StringBuilder]::new()
# Test ADFS availability
$adfsAvailable = $false
try {
$adfsProps = Get-AdfsProperties -ErrorAction Stop
if ($adfsProps) { $adfsAvailable = $true }
} catch {
Write-Warning "Failed to connect to ADFS: $_"
}
# --- adfs_up ---
[void]$sb.AppendLine('# HELP adfs_up ADFS service status (1=running, 0=down)')
[void]$sb.AppendLine('# TYPE adfs_up gauge')
$upVal = if ($adfsAvailable) { 1 } else { 0 }
[void]$sb.AppendLine("adfs_up $upVal")
[void]$sb.AppendLine('')
# --- adfs_exporter_info ---
[void]$sb.AppendLine('# HELP adfs_exporter_info Exporter version information')
[void]$sb.AppendLine('# TYPE adfs_exporter_info gauge')
[void]$sb.AppendLine('adfs_exporter_info{version="1.0"} 1')
[void]$sb.AppendLine('')
if (-not $adfsAvailable) {
return $sb.ToString()
}
# --- Token request metrics from performance counters ---
$tokenRequestsTotal = 0
$tokenRequestsSuccess = 0
$tokenRequestsFailed = 0
try {
$counter = Get-Counter -Counter '\AD FS\Token Requests' -ErrorAction Stop
$tokenRequestsTotal = [math]::Max(0, [int]$counter.CounterSamples[0].CookedValue)
} catch { $tokenRequestsTotal = 0 }
try {
$counter = Get-Counter -Counter '\AD FS\Token Requests Successful' -ErrorAction Stop
$tokenRequestsSuccess = [math]::Max(0, [int]$counter.CounterSamples[0].CookedValue)
} catch { $tokenRequestsSuccess = 0 }
try {
$counter = Get-Counter -Counter '\AD FS\Token Requests Failed' -ErrorAction Stop
$tokenRequestsFailed = [math]::Max(0, [int]$counter.CounterSamples[0].CookedValue)
} catch { $tokenRequestsFailed = 0 }
[void]$sb.AppendLine('# HELP adfs_token_requests_total Total number of token requests')
[void]$sb.AppendLine('# TYPE adfs_token_requests_total gauge')
[void]$sb.AppendLine("adfs_token_requests_total $tokenRequestsTotal")
[void]$sb.AppendLine('')
[void]$sb.AppendLine('# HELP adfs_token_requests_success_total Total successful token requests')
[void]$sb.AppendLine('# TYPE adfs_token_requests_success_total gauge')
[void]$sb.AppendLine("adfs_token_requests_success_total $tokenRequestsSuccess")
[void]$sb.AppendLine('')
[void]$sb.AppendLine('# HELP adfs_token_requests_failed_total Total failed token requests')
[void]$sb.AppendLine('# TYPE adfs_token_requests_failed_total gauge')
[void]$sb.AppendLine("adfs_token_requests_failed_total $tokenRequestsFailed")
[void]$sb.AppendLine('')
# --- Authentication metrics from performance counters ---
$authSuccess = 0
$authFailure = 0
try {
$counter = Get-Counter -Counter '\AD FS\Artifact Authentication Requests - Success' -ErrorAction Stop
$authSuccess = [math]::Max(0, [int]$counter.CounterSamples[0].CookedValue)
} catch {}
try {
$counter = Get-Counter -Counter '\AD FS\Password Authentication Requests - Success' -ErrorAction Stop
$authSuccess += [math]::Max(0, [int]$counter.CounterSamples[0].CookedValue)
} catch {}
try {
$counter = Get-Counter -Counter '\AD FS\Windows Integrated Authentication Requests - Success' -ErrorAction Stop
$authSuccess += [math]::Max(0, [int]$counter.CounterSamples[0].CookedValue)
} catch {}
try {
$counter = Get-Counter -Counter '\AD FS\Artifact Authentication Requests - Failure' -ErrorAction Stop
$authFailure = [math]::Max(0, [int]$counter.CounterSamples[0].CookedValue)
} catch {}
try {
$counter = Get-Counter -Counter '\AD FS\Password Authentication Requests - Failure' -ErrorAction Stop
$authFailure += [math]::Max(0, [int]$counter.CounterSamples[0].CookedValue)
} catch {}
try {
$counter = Get-Counter -Counter '\AD FS\Windows Integrated Authentication Requests - Failure' -ErrorAction Stop
$authFailure += [math]::Max(0, [int]$counter.CounterSamples[0].CookedValue)
} catch {}
[void]$sb.AppendLine('# HELP adfs_authentication_success_total Total successful authentication requests')
[void]$sb.AppendLine('# TYPE adfs_authentication_success_total gauge')
[void]$sb.AppendLine("adfs_authentication_success_total $authSuccess")
[void]$sb.AppendLine('')
[void]$sb.AppendLine('# HELP adfs_authentication_failure_total Total failed authentication requests')
[void]$sb.AppendLine('# TYPE adfs_authentication_failure_total gauge')
[void]$sb.AppendLine("adfs_authentication_failure_total $authFailure")
[void]$sb.AppendLine('')
# --- Relying party trust count ---
$rpCount = 0
try {
$rpTrusts = Get-AdfsRelyingPartyTrust -ErrorAction Stop
$rpCount = ($rpTrusts | Measure-Object).Count
} catch {}
[void]$sb.AppendLine('# HELP adfs_relying_party_trust_count Number of configured relying party trusts')
[void]$sb.AppendLine('# TYPE adfs_relying_party_trust_count gauge')
[void]$sb.AppendLine("adfs_relying_party_trust_count $rpCount")
[void]$sb.AppendLine('')
# --- Certificate expiry ---
[void]$sb.AppendLine('# HELP adfs_certificate_expiry_seconds Seconds until ADFS certificate expires')
[void]$sb.AppendLine('# TYPE adfs_certificate_expiry_seconds gauge')
try {
$certs = Get-AdfsCertificate -ErrorAction Stop
$now = Get-Date
foreach ($cert in $certs) {
$certType = $cert.CertificateType -replace '[\\"]', ''
$thumbprint = $cert.Thumbprint -replace '[\\"]', ''
$expirySeconds = [math]::Max(0, [int]($cert.Certificate.NotAfter - $now).TotalSeconds)
[void]$sb.AppendLine("adfs_certificate_expiry_seconds{type=`"$certType`",thumbprint=`"$thumbprint`"} $expirySeconds")
}
} catch {}
[void]$sb.AppendLine('')
# --- Extranet lockout events ---
$lockoutEvents = 0
try {
$counter = Get-Counter -Counter '\AD FS\Extranet Account Lockouts' -ErrorAction Stop
$lockoutEvents = [math]::Max(0, [int]$counter.CounterSamples[0].CookedValue)
} catch {}
[void]$sb.AppendLine('# HELP adfs_extranet_lockout_events_total Total extranet account lockout events')
[void]$sb.AppendLine('# TYPE adfs_extranet_lockout_events_total gauge')
[void]$sb.AppendLine("adfs_extranet_lockout_events_total $lockoutEvents")
[void]$sb.AppendLine('')
# --- WAP health ---
$wapHealth = 1
try {
$wapStatus = Get-WebApplicationProxyHealth -ErrorAction Stop
foreach ($component in $wapStatus) {
if ($component.HealthState -ne 'Active' -and $component.HealthState -ne 'OK') {
$wapHealth = 0
break
}
}
} catch {
$wapHealth = 0
}
[void]$sb.AppendLine('# HELP adfs_wap_health Web Application Proxy health (1=healthy, 0=degraded)')
[void]$sb.AppendLine('# TYPE adfs_wap_health gauge')
[void]$sb.AppendLine("adfs_wap_health $wapHealth")
[void]$sb.AppendLine('')
$sb.ToString()
}
# ============================================================================
# COLLECT ALL METRICS
# ============================================================================
function Get-AllMetrics {
$scriptStart = Get-Date
$sb = [System.Text.StringBuilder]::new()
# Collect ADFS metrics
[void]$sb.Append((Get-AdfsMetrics))
# Exporter runtime
$scriptEnd = Get-Date
$duration = Format-MetricValue ($scriptEnd - $scriptStart).TotalSeconds
$timestamp = Get-UnixTimestamp
[void]$sb.AppendLine('# HELP adfs_exporter_duration_seconds Time to generate all metrics')
[void]$sb.AppendLine('# TYPE adfs_exporter_duration_seconds gauge')
[void]$sb.AppendLine("adfs_exporter_duration_seconds $duration")
[void]$sb.AppendLine('')
[void]$sb.AppendLine('# HELP adfs_exporter_last_run_timestamp Unix timestamp of last successful run')
[void]$sb.AppendLine('# TYPE adfs_exporter_last_run_timestamp gauge')
[void]$sb.AppendLine("adfs_exporter_last_run_timestamp $timestamp")
[void]$sb.AppendLine('')
$sb.ToString()
}
# ============================================================================
# HTTP SERVER MODE
# ============================================================================
function Start-HttpServer {
param([int]$ListenPort)
$prefix = "http://+:$ListenPort/"
$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add($prefix)
try {
$listener.Start()
Write-Host "Starting ADFS exporter on port $ListenPort..." -ForegroundColor Green
Write-Host "Metrics available at http://localhost:$ListenPort/metrics"
while ($listener.IsListening) {
$context = $listener.GetContext()
$request = $context.Request
$response = $context.Response
if ($request.Url.AbsolutePath -eq '/metrics') {
$metrics = Get-AllMetrics
$buffer = [System.Text.Encoding]::UTF8.GetBytes($metrics)
$response.ContentType = 'text/plain; version=0.0.4; charset=utf-8'
}
else {
$html = @"
ADFS Exporter v1.0
ADFS Exporter v1.0
Metrics
Metrics
- ADFS service status and availability
- Token request counts (total, success, failed)
- Authentication success and failure counts
- Relying party trust count
- Certificate expiry times
- Extranet lockout events
- Web Application Proxy health
"@
$buffer = [System.Text.Encoding]::UTF8.GetBytes($html)
$response.ContentType = 'text/html; charset=utf-8'
}
$response.ContentLength64 = $buffer.Length
$response.OutputStream.Write($buffer, 0, $buffer.Length)
$response.OutputStream.Close()
}
}
catch {
Write-Error "HTTP server error: $_"
Write-Error "If access denied, run: netsh http add urlacl url=http://+:$ListenPort/ user=Everyone"
}
finally {
if ($listener.IsListening) {
$listener.Stop()
}
}
}
# ============================================================================
# MAIN EXECUTION
# ============================================================================
switch ($Mode) {
'http' {
Start-HttpServer -ListenPort $Port
}
'textfile' {
$OutputFile = Join-Path $TextfileDir 'adfs.prom'
$outputDir = Split-Path $OutputFile -Parent
if (-not (Test-Path $outputDir)) {
New-Item -Path $outputDir -ItemType Directory -Force | Out-Null
}
$tempFile = Join-Path $outputDir ".adfs.$PID.tmp"
try {
$metrics = Get-AllMetrics
$metrics | Out-File -FilePath $tempFile -Encoding utf8 -NoNewline
$lineCount = ($metrics -split "`n").Count
if ($lineCount -lt 10) {
Remove-Item -Path $tempFile -Force -ErrorAction SilentlyContinue
Write-Error "Metrics file too small ($lineCount lines), keeping previous"
exit 1
}
Move-Item -Path $tempFile -Destination $OutputFile -Force
Write-Host "Metrics written to $OutputFile ($lineCount lines)" -ForegroundColor Green
}
catch {
Remove-Item -Path $tempFile -Force -ErrorAction SilentlyContinue
Write-Error "Failed to generate metrics: $_"
exit 1
}
}
default {
Get-AllMetrics | Write-Output
}
}