This article discusses how to install and configure the Email Notification Service for Certificate Expiration. This service will notify users when certificates issued to them are going to expire. The administrator can configure the frequency and warning period of these notifications.  

SecureAuth IdP

System Requirements

The Email Notification Service for Certificate Expiration software requires SecureAuth version 9.1 or later. If you are running an older version, contact SecureAuth support at 949.777.6959 option 2 or email support@secureauth.com to arrange for an upgrade of your SecureAuth appliance.

Prerequisites

The Email Notification Service requires that an attribute be selected in your Data Store for its use. The selected attribute will be mapped to the Certificate Expiration profile field and used to store certificate information for each user in their profile. If your organization uses Microsoft Active Directory as the User Store, see the document SecureAuth Service Account setup and configuration guide for Active Directory for information on choosing the attributes and configuring the SecureAuth service account. If your company uses another solution for its Data Store, such as SQL or OpenLDAP, contact SecureAuth support for further assistance. SecureAuth support can be reached via phone at 949.777.6959 option 2 or email support@secureauth.com.

Microsoft .NET 4.7 Framework is required to use Email Notification Service for Certificate Expiration.

 


Configure the SecureAuth Realm(s)

The following instructions need to be followed and repeated for each realm you would like the Email Notification Service to monitor.

Configure the Data tab

1. Open the SecureAuth administrative interface and select the realm you would like to configure for use with the Email Notification Service.

2. Navigate to Data Store Tab → Profile Fields → Certificate Expiration

3. Configure the option as follows:



Setting | Value | Note
Certificate Expiration | <The attribute determined in the prerequisite step> | Enter the Data Store attribute to store the certificate expiration information.
Encryption Type | Plain Text | Choose the encryption type to use (default Plain Text).
Write | True (checked) | Tells SecureAuth whether or not it can write to the attribute.



4. Click the Save button to confirm your changes.


Configure the Registration Methods tab

The Email Notification Service uses the SecureAuth built-in SMTP function to send notification emails. Review your SMTP configuration for the realm to ensure the correct values are set.

1. Open the SecureAuth administrative interface and select the realm you would like to configure for use with the Email Notification Service.

2. Navigate to Registration Methods → SMTP

3. Configure the option as follows:



Setting | Value | Note
SMTP Server | The IPv4 address or FQDN of your SMTP server |
SMTP Port | The port your SMTP server expects traffic on. | Port 25 is normally used.
SMTP Username | A username for access (if required) |
SMTP Password | A password for access (if required) |

If the SMTP Server is configured for smtp.merchantsecure.com, then you are utilizing the SecureAuth test SMTP server. This server is not intended to be used in a production deployment and there is no SLA associated with it. You should point the SecureAuth realm to your organization's SMTP server at the earliest possible opportunity.



Configure the Email Notification Options

1. Open the SecureAuth administrative interface and select the realm you would like to configure for use with the Email Notification Service.

2. Navigate to Workflow Tab → Certificate/Token Properties → Configure Email Notification

3. Configure the option as follows:



Setting | Value | Note
Email Notification | Enabled | Allows you to turn on (enabled) or off (disabled) the email notification service for a realm.
Multiple Certs per user | <True,False> | This setting determines whether or not each realm should store multiple certificates for users. If a user has multiple devices, each with its own unique certificate, and would like to be warned about upcoming expiration on each, this setting should be set to True. If there are multiple certificates and the user preemptively renews a certificate before it has expired, the old entry will remain and they will still be warned although they have already renewed. To prevent this type of false positive, this setting should be set to False.
Email Field | <Email Field> | The email field which contains the email address to which you would like to have the notifications sent.
Warning Period (days) | <A numeric value> | Specifies how many days before a certificate expires a user should be notified.
Notification Interval | <Daily\Hourly> | Choose Daily to have the service run once a day or choose Hourly to have it run every hour.
Notification Start Time | <hh:mm AM/PM> | The time of day, in 12-hour format, you want to start having notifications sent. This setting is ignored when Notification Interval is configured for Hourly mode.



4. Click the Save button to confirm your changes.

Determine the FBA Credentials

The Email Notification Service requires that FBA Webservice credentials be configured for each realm the service will monitor. The FBA service itself does not need to be enabled for Email Notification to function; you only need to ensure the credentials are populated and consistent across realms. The instructions below show how to find and, if necessary, update the credentials.

1. Open the SecureAuth administrative interface and select the realm you would like to configure for use with the Email Notification Service.

2. Navigate to Data Store Tab → Workflow → FBA Webservice



Setting | Value | Note
Enable FBA WebService | <true\false> | If set to true, the FBA WebService will be enabled; if set to false, the service will be disabled. The FBA WebService does not need to be enabled for Email Notification to function. You should not change the setting.
FBA WebService UserName | FBAService | The FBAService username. This must be the same in all realms which will use the Email Notification Service.
FBA WebService Password | <strong password> | The FBAService password. This must be the same in all realms which will use the Email Notification Service. If you are updating this setting, be sure to choose a strong password.



3. If you have updated the FBA username or password, click the Save button to confirm your changes.

4. Make note of the username and password you have selected as the information will be needed in future parts of the installation process.


Install the Email Notification Service for Certificate Expiration Software

These directions will walk you through installing the Email Notification Service for Certificate Expiration software.

Download and Extract the Email Notification Utility

1. Download the Email Notification Service for Certificate Expiration software to the SecureAuth appliance.

2. Right-click on the zip file, select Properties, and switch to the General tab.

3. If there is a button titled Unblock present in the tab, click it, and click OK to dismiss the properties window.


4. Extract the zip file to D:\MFCApp_Bin

Update the Configuration File

1. Edit the file D:\MFCApp_Bin\EmailNotify\SecureAuth.EmailNotification.exe.config with Notepad.

2. Update the following settings to reflect your environment.



Setting | Value | Note
"Webservice_Username" | <Username> | Enter the username you selected in the section Determine the FBA Credentials.
"Webservice_Password" | <Strong Password> | Enter the password you selected in the section Determine the FBA Credentials.
"SecureAuth_Path" | <File Path> | A file path to the SecureAuth directory. This should be left with the default setting.
"SecureAuth_Instances" | <realm number> | Realm numbers you want the service to check, separated by commas (e.g. 1,2,5).

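Because the edited file now holds the FBA WebService password, it is worth checking both its contents and who can read it before installing the service. The PowerShell below is an added example, not part of the SecureAuth package; it assumes the four settings are stored as <add key="..." value="..."/> elements and treats SYSTEM and Administrators as the only expected readers, which is a baseline chosen for illustration.

```powershell
# Added example, not SecureAuth's own tooling.
$ConfigPath = 'D:\MFCApp_Bin\EmailNotify\SecureAuth.EmailNotification.exe.config'

function Test-EmailNotifyConfig {
    param([Parameter(Mandatory)][string]$Path)
    $problems = @()

    # Assumption: each setting is an <add key="..." value="..."/> element.
    $xml = [xml](Get-Content -LiteralPath $Path -Raw)
    $settings = @{}
    foreach ($node in $xml.SelectNodes('//add[@key]')) {
        $settings[$node.GetAttribute('key')] = $node.GetAttribute('value')
    }

    # All four settings named on this page must be present and non-empty.
    $required = 'Webservice_Username', 'Webservice_Password',
                'SecureAuth_Path', 'SecureAuth_Instances'
    foreach ($key in $required) {
        if ([string]::IsNullOrWhiteSpace($settings[$key])) {
            $problems += "$key is missing or empty"
        }
    }

    # Realm numbers in the form the page shows: 1,2,5
    $realms = $settings['SecureAuth_Instances']
    if ($realms -and $realms -notmatch '^\d+(,\d+)*$') {
        $problems += 'SecureAuth_Instances is not a comma-separated list of realm numbers'
    }

    # Flag every Allow entry with read access outside the assumed baseline,
    # so each one can be reviewed. The password value is never printed.
    $baseline = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'
    $read = [System.Security.AccessControl.FileSystemRights]::ReadData
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            ($ace.FileSystemRights -band $read) -and
            $baseline -notcontains $who) {
            $problems += "$who can read the file (rights: $($ace.FileSystemRights))"
        }
    }
    return $problems
}

$issues = Test-EmailNotifyConfig -Path $ConfigPath
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'Configuration checks passed.' }
```

If the service runs under a dedicated account, add that account to $baseline so it is not reported.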


Install the Email Notification Service

1. In the file explorer navigate to the D:\MFCApp_Bin\EmailNotify directory.

2. Launch the EmailNotify Installer script.

3. You will now be presented with the Email Notification installer. Review the legal terms and, if you agree, press any key to continue with the installation.

4. The script will now install the Email Notification service on your SecureAuth appliance. You will see the progress of the installation presented on screen.

5. If you would like to review the installation results, you may do so now. Once you have reviewed the result press any key to dismiss the installer.



The installer generates a log of all installation activity which can be reviewed at a later date. These logs can be found in the directory D:\MFCApp_Bin\EmailNotify\Logs.

If you receive a Could not load file or assembly error, see the section Troubleshooting - Could Not Load File or Assembly Error for instructions on how to resolve this issue.



Start the Email Notification Service

For SecureAuth Appliances running Windows Server 2008 R2

1. Start → All Programs → Administrative Tools → Services

2. In the details pane locate the service SecureAuth Email Notification Service and double-click on the entry.

3. In the properties window set the Startup Type to Automatic and click the Start button.

4. Click the OK button to confirm your configuration changes.


For SecureAuth Appliances running Windows Server 2012 and 2016

1. Click the Administrative Tools icon on the Taskbar (fifth icon from the left).

2. From the Administrative Tools window, double-click Services.

3. In the details pane locate the service SecureAuth Email Notification Service and double-click on the entry. 

4. In the properties window set the Startup Type to Automatic and click the Start button.

5. Click the OK button to confirm your configuration changes.


Uninstall the Email Notification Service for Certificate Expiration Software

Should you need to uninstall the Email Notification Service, SecureAuth has provided a script which automates the process. Follow the directions below to perform the uninstall.

1. In the file explorer navigate to the D:\MFCApp_Bin\EmailNotify directory.

2. Launch the EmailNotify UnInstaller script.

3. You will now be presented with the Email Notification Uninstaller. Review the legal terms and, if you agree, press any key to continue with the uninstall process.

4. The script will now uninstall the Email Notification service on your SecureAuth appliance. You will see the progress of the uninstall presented on screen.


5. If you would like to review the uninstall results, you may do so now. Once you have reviewed the result press any key to dismiss the uninstaller.

6. The Email Notification Service is now deactivated and uninstalled. If you would like to fully remove the software you may delete the directory D:\MFCApp_Bin\EmailNotify.

Logging

  • The Email Notification Service will log information to Windows Event Viewer in the Application Logs. You can filter these entries by the source SecureAuth.EmailNotification.
  • Each monitored realm will log service activity to the Debug and Error logs.  
  • The installer generates a log of all installation activity which can be reviewed at a later date. These logs can be found in the directory D:\MFCApp_Bin\EmailNotify\Logs.
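The service start-up steps and the log locations listed above can be checked together from an elevated PowerShell prompt. This is an added example, not part of the SecureAuth package; it uses the service display name, event source and log directory given on this page, and the one-hour look-back window is an arbitrary choice.

```powershell
# Added example, not SecureAuth's own tooling.
$DisplayName = 'SecureAuth Email Notification Service'   # display name from this page
$EventSource = 'SecureAuth.EmailNotification'            # event source from this page
$InstallLogs = 'D:\MFCApp_Bin\EmailNotify\Logs'          # installer log directory

# Same result as the Services console steps: Automatic start-up, then start.
$svc = Get-Service -DisplayName $DisplayName -ErrorAction Stop
Set-Service -Name $svc.Name -StartupType Automatic
if ($svc.Status -ne 'Running') { Start-Service -Name $svc.Name }
$svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))   # throws on timeout

# Pull the service's recent Application log entries.
$since  = (Get-Date).AddHours(-1)                            # arbitrary window
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = $EventSource
    StartTime    = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No Application log entries from $EventSource since $since."
} else {
    # Summary by level, then the warnings and errors in full.
    $events | Group-Object LevelDisplayName | Select-Object Name, Count
    $events | Where-Object { $_.Level -ge 1 -and $_.Level -le 3 } |
        Select-Object TimeCreated, LevelDisplayName, Message
}

# Most recent installer log, for review.
Get-ChildItem -LiteralPath $InstallLogs -File |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 FullName, LastWriteTime
```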

Troubleshooting - Could Not Load File or Assembly Error

When downloading files they are sometimes placed in a security zone and marked as potentially dangerous. When this happens you will receive an error similar to the one below when you try to install the Email Notification service.

To resolve this error follow the instructions below.

1. In file explorer navigate to the D:\MFCApp_Bin\EmailNotify directory.

2. Locate the file SecureAuth.EmailNotification, right-click on the file, and select Properties from the resulting menu.

3. In the properties window switch to the General tab and, if there is a button titled Unblock present in the tab, click it.


4. Click the OK button to dismiss the properties window and try running the install process again.

MD5 Hashes


Download | MD5 Hash
EmailNotify.zip | 95d9d8b1b68472136a1ebe94797ef719
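
The hash check, the Unblock step from Download and Extract the Email Notification Utility, and the fix from the troubleshooting section can be done in one pass from PowerShell. This is an added example, not part of the SecureAuth package; it assumes PowerShell 5.0 or later, and the download location in $ZipPath is hypothetical.

```powershell
# Added example, not SecureAuth's own tooling.
$ZipPath     = 'D:\Downloads\EmailNotify.zip'        # hypothetical download location
$ExpectedMd5 = '95d9d8b1b68472136a1ebe94797ef719'    # value published on this page
$Destination = 'D:\MFCApp_Bin'                       # extraction target from this page

function Test-MarkOfTheWeb {
    # True when the file carries a Zone.Identifier alternate data stream,
    # which is what the Unblock button in the Properties dialog removes.
    param([Parameter(Mandatory)][string]$Path)
    [bool](Get-Item -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue)
}

# 1. Compare the download with the published digest before unblocking it.
#    MD5 is the only digest the page lists; it catches a corrupted or
#    truncated download. The -ne comparison is case-insensitive.
$actual = (Get-FileHash -LiteralPath $ZipPath -Algorithm MD5).Hash
if ($actual -ne $ExpectedMd5) {
    throw "MD5 mismatch for ${ZipPath}: expected $ExpectedMd5, got $actual"
}

# 2. Remove the zone mark from the archive only after the digest matches.
if (Test-MarkOfTheWeb -Path $ZipPath) {
    Unblock-File -LiteralPath $ZipPath
}

# 3. Extract to the directory the installer expects.
Expand-Archive -LiteralPath $ZipPath -DestinationPath $Destination

# 4. Report any extracted file that is still blocked; such a file is what
#    leads to the Could Not Load File or Assembly error during installation.
$blocked = Get-ChildItem -LiteralPath (Join-Path $Destination 'EmailNotify') -Recurse -File |
    Where-Object { Test-MarkOfTheWeb -Path $_.FullName }
if ($blocked) {
    $blocked | ForEach-Object { Write-Warning "Still blocked: $($_.FullName)" }
} else {
    Write-Output 'No extracted file carries a Zone.Identifier stream.'
}
```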