Monitoring Active Directory Federation Services
Reducing the Drop Height
Trace Logging
For troubleshooting purposes, perhaps because Microsoft support asks you to, you can set up tracing (or trace logging, if you prefer), which is a kind of debug mode. Open the Microsoft.IdentityServer.Servicehost.exe.config file under C:\Windows\ADFS. There you will find further information on how to set the SwitchValue for debugging. What you are not told, although it is indispensable, is that you also need to enable the View | Show Analytic and Debug Logs option in the Event Viewer, which exposes the AD FS Tracing node with the Debug log (Figure 4); right-click the Debug log and choose Enable Log in the context menu. It does not make sense to run tracing permanently, because it affects server performance and is really only designed for troubleshooting.
ADFS 2016 still has an audit level that can be customized with PowerShell; it is set to Basic by default, which is fine in most cases. If you want further information, such as client IP addresses or other details provided by users when they log on, you can raise the audit level with the Set-AdfsProperties -AuditLevel verbose command. The Get-ADFSProperties command shows which audit level is currently set.
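The two checks above, plus a look at the resulting audit events, as an added PowerShell example (not from the article). It assumes it runs elevated on an AD FS server, that the "AD FS Tracing/Debug" log and the "AD FS Auditing" provider in the Security log carry their standard names, and that event ID 411 (token validation failed) is the failure you want to count:

```powershell
# Added example, not the article's code: report the AD FS audit level,
# optionally raise it to Verbose, warn if trace logging was left on, and
# summarise token validation failures from the last 24 hours.
param([switch]$RaiseToVerbose)

Import-Module ADFS

# 1. Audit level: Basic by default; Verbose adds client IPs and other detail.
$props = Get-AdfsProperties
"Current AuditLevel: $($props.AuditLevel -join ',')"

if ($RaiseToVerbose -and ($props.AuditLevel -notcontains 'Verbose')) {
    Set-AdfsProperties -AuditLevel Verbose
    "AuditLevel raised to Verbose"
}

# 2. Trace logging costs performance, so flag it if someone forgot to
#    switch the Debug log off again after troubleshooting.
$trace = Get-WinEvent -ListLog 'AD FS Tracing/Debug' -ErrorAction SilentlyContinue
if ($trace -and $trace.IsEnabled) {
    Write-Warning 'AD FS Tracing/Debug is still enabled; disable it when troubleshooting is done.'
}

# 3. Audit events land in the Security log under the "AD FS Auditing" provider.
#    Note: they only appear if the "Audit Application Generated" subcategory
#    is enabled in the local audit policy.
$since  = (Get-Date).AddHours(-24)
$filter = @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 411; StartTime = $since }
$failed = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

"Token validation failures since $since : $($failed.Count)"
# Per-hour counts make a brute-force or lockout wave stand out at a glance.
$failed |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Sort-Object Name |
    Select-Object @{n = 'Hour'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Run it from a scheduled task and pipe the output into the email notification described in the Conclusions to get the periodic check the article suggests.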
Conclusions
Active Directory Federation Services are particularly critical and important to the end user, so it makes sense to combine the options discussed in this article into a monitoring mix. Why not use SCOM or Azure Active Directory Connect, together with PowerShell and the Task Scheduler, to monitor a couple of systems in the background? Dispatching email with PowerShell from an admin workstation to the team, triggered by the results of a cmdlet procedure, is no longer rocket science, and this double safety net will help you feel really secure as the employee responsible for your enterprise's federated services.