Troubleshooting ADFS: Enabling additional logging

I ran into some issues with one of the ADFS setups at one of my clients and decided to do some troubleshooting. To gather more data on what is happening in an ADFS environment, additional logging can be configured. My first step was to check which log levels were already enabled on the farm:

(Get-AdfsProperties).LogLevel

After confirming that SuccessAudits and FailureAudits were not configured, I added them to the existing log levels for troubleshooting purposes. Note the @() around the two new values: in PowerShell the + operator binds before the comma operator, so without it the existing levels plus 'SuccessAudits' would become one nested element and 'FailureAudits' a separate one, and the parameter binder would not get a flat list of level names:

Set-AdfsProperties -LogLevel ((Get-AdfsProperties).LogLevel + @('SuccessAudits','FailureAudits'))


Setting the log level alone is not enough: ADFS writes its audits through the 'Application Generated' audit subcategory, so that subcategory must be enabled in the local audit policy, and the ADFS service account needs the 'Generate security audits' user right (SeAuditPrivilege) on the federation server, or the events are silently dropped. To verify and configure the subcategory the following commands can be used (run from an elevated PowerShell prompt):

# Verify
& "$env:SystemRoot\System32\auditpol.exe" /get /subcategory:"Application Generated"
# Configure
& "$env:SystemRoot\System32\auditpol.exe" /set /subcategory:"Application Generated" /failure:enable /success:enable

Now when an ADFS request is processed the audit events (IDs 299, 403, 410, 500, 501 and the 1200 series) are written to the Security event log, not the Application log; together with the operational errors that already appear under Applications and Services Logs > AD FS > Admin, this makes it much easier to pinpoint and troubleshoot issues with your ADFS configuration.
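The steps above as one script, added here as an example and not code from the original post: it enables both audit levels without dropping the levels already configured, turns on the audit subcategory, checks that both settings actually took effect, and then pulls the resulting ADFS audit events from the Security log so the activity ID of a failing request can be handed straight to Get-AdfsServerTrace. It assumes it runs elevated on a federation server (2012 R2 or later, where the audit provider is named 'AD FS Auditing'), and the regex that extracts the activity ID from the event text is an assumption about the message format rather than something ADFS guarantees.

```powershell
# Added example, not part of the original post. Assumes an elevated session on the
# federation server with the ADFS module loaded.

function Enable-AdfsAuditLogging {
    # Add the two audit levels to whatever is already configured, only if missing.
    $current = @((Get-AdfsProperties).LogLevel)
    $missing = @('SuccessAudits', 'FailureAudits') | Where-Object { $current -notcontains $_ }
    if ($missing) {
        Set-AdfsProperties -LogLevel ($current + @($missing))
    }
    # ADFS audits go through the 'Application Generated' subcategory of the local audit policy.
    & "$env:SystemRoot\System32\auditpol.exe" /set /subcategory:"Application Generated" /success:enable /failure:enable | Out-Null
}

function Disable-AdfsAuditLogging {
    # Revert both changes once troubleshooting is done; audits are noisy on a busy farm.
    $current = @((Get-AdfsProperties).LogLevel)
    Set-AdfsProperties -LogLevel ($current | Where-Object { $_ -notmatch 'Audits' })
    & "$env:SystemRoot\System32\auditpol.exe" /set /subcategory:"Application Generated" /success:disable /failure:disable | Out-Null
}

function Test-AdfsAuditLogging {
    # Both halves must be in place: the ADFS log level AND the audit policy subcategory.
    $levels = @((Get-AdfsProperties).LogLevel)
    $adfsOk = ($levels -contains 'SuccessAudits') -and ($levels -contains 'FailureAudits')

    # auditpol /r prints CSV; the 'Inclusion Setting' column reads 'Success and Failure' when both are on.
    $csv = & "$env:SystemRoot\System32\auditpol.exe" /get /subcategory:"Application Generated" /r
    $row = $csv | Where-Object { $_ } | ConvertFrom-Csv |
           Where-Object { $_.Subcategory -eq 'Application Generated' }
    $auditOk = ($row -ne $null) -and ($row.'Inclusion Setting' -eq 'Success and Failure')

    [pscustomobject]@{ AdfsLogLevelOk = $adfsOk; AuditPolicyOk = [bool]$auditOk }
}

function Get-AdfsAuditEvents {
    param(
        [int]$Hours = 1,
        # Token issuance / validation audits plus the request-detail events that carry the activity ID.
        [int[]]$Id = @(299, 403, 410, 500, 501, 1200, 1201, 1202, 1203)
    )
    $filter = @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'
        Id           = $Id
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumption: the event text contains 'Activity ID: <guid>'; pull it out so it can be
        # passed to Get-AdfsServerTrace -ActivityId. Events without it yield $null.
        $activityId = if ($_.Message -match 'Activity ID:\s*([0-9a-fA-F-]{36})') { $matches[1] } else { $null }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Id         = $_.Id
            ActivityId = $activityId
            Summary    = ($_.Message -split "`r?`n")[0]
        }
    }
}

# Usage: enable, confirm, reproduce the failing sign-in, then list what was audited.
Enable-AdfsAuditLogging
Test-AdfsAuditLogging
Get-AdfsAuditEvents -Hours 1 | Format-Table -AutoSize
```

Test-AdfsAuditLogging is the check worth keeping around: a farm where AdfsLogLevelOk is true but AuditPolicyOk is false produces no Security-log entries at all, which is easy to misread as "the request never reached ADFS".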
For further analysis, I would recommend the ADFS Diagnostics Module created by the ADFS team, it is available here:
ADFS Diagnostics Module
There are a number of useful cmdlets available in this module that can aid in troubleshooting your ADFS configuration. The Test-AdfsServerHealth cmdlet is particularly useful for finding common misconfigurations:

Test-AdfsServerHealth


Additionally, the Get-AdfsServerTrace cmdlet makes it simple to trace a single user request by its activity ID (the GUID ADFS shows on its error page and stamps on the related audit events), for example:

Get-AdfsServerTrace -ActivityId 00000000-0000-0000-8000-0080000000d4

Audit logging adds noticeable volume to the Security log on a busy farm, so once troubleshooting is finished it should be disabled again with the following commands:

& "$env:SystemRoot\System32\auditpol.exe" /set /subcategory:"Application Generated" /failure:disable /success:disable
Set-AdfsProperties -LogLevel ((Get-AdfsProperties).LogLevel | Where-Object {$_ -notmatch 'Audits'})

For more information on this subject, and for the links referenced in this article:

ADFS Logging additional Links
Under the hood tour of Azure AD Connect Health: AD FS Diagnostics Module
ADFS Diagnostics Module
