« Previous 1 2 3

Monitoring Active Directory Federation Services

Reducing the Drop Height

Trace Logging

For troubleshooting purposes, and perhaps because you are prompted to do so by Microsoft support, you can set up tracing (or trace logging, if you prefer), which is a kind of debug mode. Open the Microsoft.IdentityServer.Servicehost.exe.config file under C:\Windows\ADFS. When you get there, you will find further information on how to set up the SwitchValue for debugging. What you are not told, although it is indispensable, is that you need to enable the View | Show Analytical and Debug Protocols option in the Event Viewer, which exposes the AD FS Tracing node with the debug log (Figure 4); right-click the Debug log and choose the Enable Log option in the context menu. It does not make sense to run tracing permanently because it affects server performance and is really only designed for troubleshooting purposes.

Figure 4: Troubleshooting is stored in the trace log, but you need to enable it first.

ADFS 2016 still has an audit level that can be customized with PowerShell and is set to Basic by default, which is fine in most cases. If you are interested in further information, such as client IP addresses or other details provided by users when they log on, you can increase the audit level with the

Set-AdfsProperties -AuditLevel verbose

command. You can find out which audit level is currently set with the Get-ADFSProperties command.

Conclusions

Active Directory Federation services are particularly critical and important to the end user, so it makes sense to use the options discussed in this article to create a mix for monitoring. Why not use SCOM or Azure Active Directory Connect and PowerShell and Scheduler to monitor a couple of systems in the background? Dispatching email with PowerShell from an admin workstation to the team, triggered by the results of a cmdlet procedure, is no longer rocket science, and this double safety net will help you feel really secure as the employee responsible for your enterprise's federated services.

Infos

  1. System Center Management Pack for ADFS: https://www.microsoft.com/en-us/download/details.aspx?id=19265
  2. Configuring AD FS Extranet Lockout protection: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-extranet-soft-lockout-protection
  3. Get-WinEvent: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-6
  4. AD FS troubleshooting for events and logging: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging
  5. Planning ADFS server capacity: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/planning-for-ad-fs-server-capacity
  6. Run BPA scans and manage scan results: https://docs.microsoft.com/en-us/windows-server/administration/server-manager/run-best-practices-analyzer-scans-and-manage-scan-results
  7. AD FS Diagnostics Module: https://gallery.technet.microsoft.com/scriptcenter/AD-FS-Diagnostics-Module-8269de31#content

« Previous 1 2 3

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
Print Issues
Digital Issues
 
SUBSCRIPTIONS
Print Subs
Digisubs
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus