Configuring ADFS Servers for Troubleshooting
Applies To: Windows Server 2003 R2
This topic provides the following sections to help you configure and understand settings and logs that can aid problem-solving on Active Directory Federation Services (ADFS) servers.
Configuring Cache Settings on ADFS servers
Configuring ADFS Servers to Record Auditing of ADFS Events to the Security Log
Configuration Tasks for Troubleshooting
Understanding Default Event Logs
Configuring Cache Settings on ADFS servers
The following table lists the ADFS-related cache settings: where each one is set, the component it affects, the unit of the value, and its default, minimum and maximum values. Registry paths are under HKEY_LOCAL_MACHINE (HKLM).

| Cache Setting Description | Cache Setting Location | ADFS Component / Sub-Component | Configuration Parameter | Units | Default Value | Minimum Value | Maximum Value |
|---|---|---|---|---|---|---|---|
| Lifetime of an entry in the Security Assertion Markup Language (SAML) token cache | Registry (DWORD value) | Windows NT token-based Web Agent / ADFS Authentication Service | HKLM\System\CurrentControlSet\Services\IFSSVC\Parameters\TokenCacheEntryLifetime | Minutes | 60 minutes | 5 minutes | Maximum DWORD |
| How often the SAML token cache is scavenged | Registry (DWORD value) | Windows NT token-based Web Agent / ADFS Authentication Service | HKLM\System\CurrentControlSet\Services\IFSSVC\Parameters\TokenCacheScavengePeriod | Minutes | 15 minutes | 5 minutes | Maximum DWORD |
| Total number of entries in the SAML token cache | Registry (DWORD value) | Windows NT token-based Web Agent / ADFS Authentication Service | HKLM\System\CurrentControlSet\Services\IFSSVC\Parameters\TokenCacheSize | N/A | 10000 | 0 | Maximum DWORD |
| How long cookie cache entries are guaranteed to live | Registry (DWORD value) | Windows NT token-based Web Agent / ADFS Web Agent ISAPI extension | HKLM\Software\Microsoft\ADFS\WebServerAgent\CookieCacheEntryLifetime | Seconds | 5 minutes | 1 minute | 8 hours |
| How often the cookie cache is scavenged | Registry (DWORD value) | Windows NT token-based Web Agent / ADFS Web Agent ISAPI extension | HKLM\Software\Microsoft\ADFS\WebServerAgent\CookieCacheScavengeInterval | Seconds | 15 minutes | 1 minute | 1 hour |
| How long token-information cache entries are guaranteed to live | Registry (DWORD value) | Federation Service and Windows NT token-based Web Agent | HKLM\System\CurrentControlSet\Control\Lsa\WebSso\Parameters\CacheEntryLifetime | Seconds | 1 hour | 1 minute | 10 hours |
| How often the token-information cache is scavenged | Registry (DWORD value) | Federation Service and Windows NT token-based Web Agent | HKLM\System\CurrentControlSet\Control\Lsa\WebSso\Parameters\CacheScavengeInterval | Seconds | 15 minutes | 1 minute | 1 hour |
| Total number of entries in the SAML token cache | Web.config (integer) | Claims-aware Web Agent | /websso/tokenCacheSize | N/A | 10000 | 0 | Integer maximum value |
| Lifetime of an entry in the SAML token cache | Web.config (integer) | Claims-aware Web Agent | /websso/tokenCacheEntryLifetime | Minutes | 60 minutes | 5 minutes | Integer maximum value |
| How often the SAML token cache is scavenged | Web.config (integer) | Claims-aware Web Agent | /websso/tokenCacheScavengePeriod | Minutes | 15 minutes | 5 minutes | Integer maximum value |
| How often the Windows trust information is updated | Trust policy (integer) | Federation Service | WindowsTrustCacheUpdatePeriodInMinutes | Minutes | 60 minutes | 5 minutes | Integer maximum value |
| Total number of entries in the SAML token cache | Trust policy (integer) | Federation Service | TokenCacheCapacity | N/A | 10000 | 0 | Integer maximum value |
| Lifetime of an entry in the SAML token cache | Trust policy (integer) | Federation Service | TokenCacheEntryLifetimeInMinutes | Minutes | 60 minutes | 5 minutes | Integer maximum value |
| How often the SAML token cache is scavenged | Trust policy (integer) | Federation Service | TokenCacheScavengePeriodInMinutes | Minutes | 15 minutes | 5 minutes | Integer maximum value |
| How often the trust policy is checked for updates (in addition to change notifications on the trust policy file) | Trust policy (integer) | Federation Service | TrustPolicyUpdatePeriodInMinutes | Minutes | 60 minutes | 5 minutes | Integer maximum value |

Enter each value in the unit shown in the Units column; the defaults and limits are given here in readable form, so the 5-minute default for CookieCacheEntryLifetime, whose unit is seconds, is a DWORD value of 300. A cached entry remains valid for its configured lifetime regardless of changes made after it was cached, so raising a lifetime above its default lengthens the time before a trust-policy or certificate change takes effect on that component.
Configuring ADFS Servers to Record Auditing of ADFS Events to the Security Log
All ADFS-related audits written to the Security log are object access audits, and object access auditing is turned off by default. To make ADFS Success Audits and Failure Audits appear in the Security log, you must therefore enable it in Local Security Policy using the procedure below. Apply the procedure to every ADFS server (federation servers, federation server proxies, and Web servers that host the ADFS Web Agent) before you enable success or failure auditing in the Trust Policy properties of the ADFS snap-in; otherwise the Federation Service's success and failure audits are discarded without any indication.
This procedure has no effect on the events that ADFS writes to the application log.
To configure the Windows Security Log to support auditing of ADFS events
Click Start, point to Administrative Tools, and then click Local Security Policy.
Double-click Local Policies, and then click Audit Policy.
In the details pane, double-click Audit object access.
On the Audit object access Properties page, select either Success or Failure, or both, and then click OK.
Close the Local Security Settings snap-in.
At a command prompt, type gpupdate /force and then press ENTER to immediately refresh the local policy.
Configure event logging for a federation server
Use the following procedure to specify the types of events that you want to be logged on a server that is running the Active Directory Federation Service:
Configure event logging for a federation server proxy
Use the following procedure to specify the types of events that you want to be logged on a server that is running the ADFS Federation Service Proxy:
Configure event logging on a Web server
Events logged on Web servers that are running an ADFS Web Agent are configured according to the application type that the agent supports. Event logging is configured differently for Windows NT token-based applications and claims-aware applications:
Windows NT token-based applications: On Web servers that are running the ADFS Web Agent for Windows NT token-based applications, event logging for these applications is set in the registry on the Web server. Use the following procedure to specify the types of events that you want to be logged for Windows NT token-based applications on the Web server:
Configure event logging for a Windows NT token-based application
Claims-aware applications: On Web servers that are running the ADFS Web Agent for claims-aware applications, event logging for these applications is set in the Web.config file for the application. Use the following procedure to specify the types of events that you want to be logged for claims-aware applications on the Web server:
Configuration Tasks for Troubleshooting
Before you use advanced troubleshooting techniques to identify and solve ADFS problems, configure your computer for troubleshooting.
To configure your computer for troubleshooting, perform the following tasks:
Configure ADFS Event Logging
Configure ADFS Debug Logging
Disable JavaScript
Enable ASP.NET Debug Output
Configure an ASP.NET Error Page
Configure ADFS Event Logging
You can configure event logging on federation servers, federation server proxies, and Web servers. ADFS events are logged in the Application event log and the Security event log.
Important
You must turn on audit object access on each federation server (and on any federation server proxy or Web server whose audits you want) for ADFS-related audits to appear in the Security log; without it, the Federation Service's success and failure audits are not recorded. For more information about how to turn on audit object access, see Audit object access (https://go.microsoft.com/fwlink/?LinkId=62686).
Configure ADFS Debug Logging
Event logs are generally descriptive, intended to help you understand what is happening. However, the default events do not always provide the level of detail that is needed for effective troubleshooting. In this case, configure ADFS debug logging.
ADFS provides several levels of debug information that are available for troubleshooting ADFS problems. Use the procedures in this section for enabling debug logging and setting appropriate debug logging levels on federation servers, federation proxy servers, and Web servers that are running ADFS Web Agents.
Note
Debug logging consumes space and resources on the computer. Enabling debug logging is recommended only if you are troubleshooting a problem and need more information than is provided in events. Otherwise, do not enable debug logging.
The debug log file is located in %systemdrive%\ADFS\logs.
Debug log filename format
If debug logging is enabled on a federation server, the log filename in the C:\ADFS\logs directory has the following format:
adfsyyyymmdd-hhmmss.log
In the name of the file, the number following "adfs" represents the date of the log and the number following the dash (-) represents the beginning time of the log.
Debug log tags
Depending on the level of debug logging you enable, you will see the following tags in debug logs:
[INFO] - Displays information about events, such as redirects with protocol Uniform Resource Locators (URLs), token validations, or claim mappings.
[VERBOSE] - Displays information about events, such as sign-in requests, responses, token contents, Web method calls, and security identifier (SID) information.
[ERROR] - Displays events for significant problems in the debug log.
[WARNING] - Displays events, which are not necessarily significant but that may cause future problems.
[EVENTLOG] - Displays all ADFS events.
Although all information in the log file could be useful, you can look at the lines that are tagged [ERROR] and [WARNING] first to quickly assess the problem.
For example, the following section of a debug log file shows that certificate chain validation is failing.
----------------
2005-11-09T19:46:47 [INFO] Requesting token for https://adfsweb.treyresearch.net/ from FS using inbound token.
2005-11-09T19:46:47 [VERBOSE] Parse: Token NOT found in cache
2005-11-09T19:46:47 [VERBOSE] SAML: effectivetime = 11/09/2005 19:46:53
expirationtime = 11/09/2005 20:46:53
2005-11-09T19:46:50 [WARNING] VerifyCertChain: Cert chain did not verify - error code was 0x80092013
2005-11-09T19:46:50 [ERROR] KeyInfo processing failed because the trusted certificate does not have a a valid certificate chain. Thumbprint = BAF02C45AF23389CC7FEC615615056021E107C3E
2005-11-09T19:46:50 [WARNING] Failing signature verification because the KeyInfo section failed to produce a key.
2005-11-09T19:46:50 [WARNING] SAML token signature was not valid: AssertionID = _cbe6e3ca-fb90-4a93-a789-b925856163d0
2005-11-09T19:46:50 [VERBOSE] Processing FS response: policy version is a9d515c1-6965-4aa7-a78e-3cfc77f0dd2a - 16
2005-11-09T19:46:50 [INFO] Token issuance request to FS failed: ValidationFailure
2005-11-09T19:53:14 [VERBOSE] Processing HTTP GET: https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignin1.0&wreply=https://ADFSWeb.TREYRESEARCH.NET/&wct=2005-11-09T19:53:13Z&wctx=https://adfsweb.treyresearch.net/default.aspx
2005-11-09T19:53:14 [VERBOSE] Received SignIn Request.
2005-11-09T19:53:14 [VERBOSE] HOMEREALM: Realm could not be determined.
2005-11-09T19:53:14 [INFO] Received signin request via query string.
2005-11-09T19:53:14 [VERBOSE] Sign In Request Dump
--------------------
As the log text shows, the [WARNING] line carries the Windows error code and the [ERROR] line identifies the offending certificate by thumbprint. Error code 0x80092013 is CRYPT_E_REVOCATION_OFFLINE: chain validation failed because the revocation server could not be reached, which usually means the federation server cannot download the CRL for the partner's token-signing certificate. Export that certificate (locate it by thumbprint) to a .cer file and run the following command against it; the -urlfetch switch makes certutil retrieve the AIA and CRL distribution point URLs embedded in the certificate, so the output shows which URL is failing.
certutil -v -urlfetch -verify CertFileName.cer
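The triage the text describes (read the [ERROR] and [WARNING] lines first, then pull out the error code and the thumbprint) can be scripted. The following Python is an added example and is not code from the original article or from ADFS. Its SAMPLE_LOG is constructed from the excerpt above, and its HRESULT_NAMES table is a short, hand-picked subset of the names in winerror.h. It groups entries by tag, attaches continuation lines that lack a timestamp (such as the expirationtime line) to the preceding entry, and decodes the chain-validation error code so the report names CRYPT_E_REVOCATION_OFFLINE rather than 0x80092013.

```python
"""Triage an ADFS 1.x debug log (adfsYYYYMMDD-HHMMSS.log under %systemdrive%\\ADFS\\logs).

Added example, not code from the original article. SAMPLE_LOG is constructed
from the excerpt in the text; HRESULT_NAMES is a hand-picked subset of winerror.h.
"""
import re
from collections import Counter

# One entry per timestamped line; a line without a timestamp (for example the
# "expirationtime = ..." continuation) belongs to the entry before it.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"\[(?P<tag>INFO|VERBOSE|ERROR|WARNING|EVENTLOG)\] (?P<msg>.*)$"
)
HRESULT_RE = re.compile(r"error code was (0x[0-9A-Fa-f]{8})")
THUMBPRINT_RE = re.compile(r"Thumbprint = ([0-9A-Fa-f]{40})")

# Chain-validation HRESULTs that commonly appear in VerifyCertChain warnings.
HRESULT_NAMES = {
    0x80092012: "CRYPT_E_NO_REVOCATION_CHECK",
    0x80092013: "CRYPT_E_REVOCATION_OFFLINE",
    0x800B0101: "CERT_E_EXPIRED",
    0x800B0109: "CERT_E_UNTRUSTEDROOT",
    0x800B010A: "CERT_E_CHAINING",
}

SAMPLE_LOG = """\
----------------
2005-11-09T19:46:47 [INFO] Requesting token for https://adfsweb.treyresearch.net/ from FS using inbound token.
2005-11-09T19:46:47 [VERBOSE] Parse: Token NOT found in cache
2005-11-09T19:46:47 [VERBOSE] SAML: effectivetime = 11/09/2005 19:46:53
expirationtime = 11/09/2005 20:46:53
2005-11-09T19:46:50 [WARNING] VerifyCertChain: Cert chain did not verify - error code was 0x80092013
2005-11-09T19:46:50 [ERROR] KeyInfo processing failed because the trusted certificate does not have a valid certificate chain. Thumbprint = BAF02C45AF23389CC7FEC615615056021E107C3E
2005-11-09T19:46:50 [WARNING] Failing signature verification because the KeyInfo section failed to produce a key.
2005-11-09T19:46:50 [WARNING] SAML token signature was not valid: AssertionID = _cbe6e3ca-fb90-4a93-a789-b925856163d0
2005-11-09T19:46:50 [VERBOSE] Processing FS response: policy version is a9d515c1-6965-4aa7-a78e-3cfc77f0dd2a - 16
2005-11-09T19:46:50 [INFO] Token issuance request to FS failed: ValidationFailure
2005-11-09T19:53:14 [VERBOSE] Processing HTTP GET: https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignin1.0&wreply=https://ADFSWeb.TREYRESEARCH.NET/&wct=2005-11-09T19:53:13Z&wctx=https://adfsweb.treyresearch.net/default.aspx
2005-11-09T19:53:14 [VERBOSE] Received SignIn Request.
2005-11-09T19:53:14 [VERBOSE] HOMEREALM: Realm could not be determined.
2005-11-09T19:53:14 [INFO] Received signin request via query string.
2005-11-09T19:53:14 [VERBOSE] Sign In Request Dump
--------------------
"""


def parse_log(text):
    """Return [{"ts", "tag", "msg"}] in file order, continuation lines folded in."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or set(line) == {"-"}:      # blank lines and ---- separators
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append({"ts": m["ts"], "tag": m["tag"], "msg": m["msg"]})
        elif entries:
            entries[-1]["msg"] += " | " + line.strip()
    return entries


def triage(entries):
    """Count entries per tag and decode every [ERROR]/[WARNING] entry."""
    findings = []
    for e in entries:
        if e["tag"] not in ("ERROR", "WARNING"):
            continue
        f = dict(e)
        h = HRESULT_RE.search(e["msg"])
        if h:
            code = int(h.group(1), 16)
            f["hresult"] = HRESULT_NAMES.get(code, "unknown " + h.group(1))
        t = THUMBPRINT_RE.search(e["msg"])
        if t:
            f["thumbprint"] = t.group(1).upper()
        findings.append(f)
    return {"counts": dict(Counter(e["tag"] for e in entries)), "findings": findings}


def summarize(text):
    """Human-readable triage report for the contents of one log file."""
    report = triage(parse_log(text))
    lines = ["%-8s %d" % (tag, n) for tag, n in sorted(report["counts"].items())]
    for f in report["findings"]:
        extra = " ".join("%s=%s" % (k, f[k]) for k in ("hresult", "thumbprint") if k in f)
        lines.append("%s [%s] %s %s" % (f["ts"], f["tag"], f["msg"][:70], extra))
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a real file with summarize(open(path).read()). A log whose first finding decodes to CRYPT_E_REVOCATION_OFFLINE points at CRL reachability from the federation server rather than at the token itself; the certutil command above then shows which URL cannot be fetched.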
Set ADFS debug levels on federation servers
On federation account, resource, and proxy servers, you can use the Windows UI to enable debug logging and set levels to increase the detail of feedback in the logs.
Perform the following procedure on an account or resource federation server or federation proxy server.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group on the local computer.
To set ADFS debug levels on federation servers and federation proxy servers
Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
Right-click Federation Service or Federation Service Proxy, and then click Properties.
On the Troubleshooting tab, select debug levels as appropriate, and then click OK.
Note
To see descriptions for each debug level, click Help on the Troubleshooting tab.
Enable ADFS authentication package debug logging on ADFS account federation servers
The account federation server uses the ADFS authentication package (ifsAp.dll) for mapping client certificates.
Perform the following procedures on an ADFS account federation server.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group on the local computer.
To enable debug logging for the ADFS authentication package on an account federation server
Open Regedit.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\lsa\WebSSO\Parameters
Right-click Parameters, click New, and then click DWORD Value.
In the new value's name box, type the following, and then press ENTER:
DebugLevel
Double-click the new entry and then, in Value data, type the following, and then click OK:
FFFFFFFF
Enable ADFS debug logging on Web servers
To enable debug logging on Web servers, you need to edit the registry on the servers that you are troubleshooting.
You can enable debug logging for the following components:
The ADFS Web Agent running on ADFS Web servers has two components:
ADFS Token Authentication service (ifssvc.exe), which validates incoming tokens and cookies. Debug logging creates ifssvc.log.
ADFS Web Agent Internet Server Application Programming Interface (ISAPI) extension (ifsext.dll), which handles the protocols that ADFS uses to authenticate requests, and the ADFS Web Agent ISAPI filter (ifsfilt.dll), which assists the extension and enables user name logging in the Internet Information Services (IIS) log files. Debug logging creates ifsext_StsAppPool1.log and ifsfilt_StsAppPool1.log, respectively, in the %systemdrive%\ADFS\Logs directory.
In addition, the ADFS Web Agent authentication package (ifsAp.dll) is used by Windows NT token-based applications for generating tokens when Service-for-User (S4U) is not available. Debug logging creates ifsap.log.
You can enable debug logging for each of these components in the registry on ADFS Web servers.
Administrative credentials
To complete these procedures, you must be a member of the Administrators group on the local computer.
To enable debug logging for the ADFS Token Authentication service
Open Regedit.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ifssvc\Parameters
Right-click Parameters, click New, and then click DWORD Value.
In the new value's name box, type the following, and then press ENTER:
DebugPrintLevel
Double-click the new entry and then, in Value data, type the following, and then click OK:
FFFFFFFF
To enable debug logging for the ADFS ISAPI extension and filter
Open Regedit.
Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADFS\WebServerAgent
Right-click WebServerAgent, click New, and then click DWORD Value.
In the new value's name box, type the following, and then press ENTER:
DebugPrintLevel
Double-click the new entry and then, in Value data, type the following, and then click OK:
FFFFFFFF
To enable debug logging for the ADFS Web Agent authentication package (for Windows NT token-based applications)
Open Regedit.
Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\WebSso\Parameters
Right-click Parameters, click New, and then click DWORD Value.
In the new value's name box, type the following, and then press ENTER:
DebugLevel
Double-click the new entry and then, in Value data, type the following, and then click OK:
FFFFFFFF
Disable JavaScript
JavaScript is used to automatically redirect the client to various points, including posting tokens. When JavaScript is disabled, the automatic redirect is prevented and a submit button is displayed instead. This button allows the client to walk through each step more easily as part of troubleshooting the configuration.
Administrative credentials
To complete this procedure, you must be a member of the Users group on the local computer.
Disable JavaScript in Internet Explorer
Open Internet Explorer.
On the Tools menu, click Internet Options.
On the Security tab, click Custom Level.
Scroll to the Scripting category.
Under Active scripting, click Disable, and then click OK twice.
Enable ASP.NET Debug Output
You can generate debug output for ASP.NET files by configuring the Web.config file on the computer.
Note
Generating debug output for ASP.NET files lets clients see server state information (exception details, source file paths and line numbers) that a malicious user could misuse. Enable it only for the duration of the troubleshooting session and set debug back to false afterwards.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group on the local computer.
To enable ASP.NET debug output
In Notepad, open the Web.config file in SYSTEMDRIVE\ADFS\sts.
Search for <system.web>.
Add the <compilation debug> entry under <system.web>, as follows:
<compilation debug="true" />
Save and close the Web.config file.
Configure an ASP.NET Error Page
You can configure an error page to display when an ASP.NET error prevents a page from loading; the error page is configured in the Web.config file. Note that the setting below uses mode="Off", which disables custom errors altogether: ASP.NET then returns its own detailed error page, including the exception and stack trace, to every client, remote clients included, and the defaultRedirect and <error> targets are not used. That is what you want while troubleshooting from a remote browser, but it discloses server internals, so set mode back to RemoteOnly (the ASP.NET default) or On when you are done.
Administrative credentials
To complete this procedure, you must be a member of the Administrators group on the local computer.
To configure an ASP.NET error page
In Notepad, open the Web.config file in SYSTEMDRIVE\ADFS\sts.
Search for <system.web>.
Add the following entries under <system.web>:
<customErrors mode="Off" defaultRedirect="Errors.aspx">
<error statusCode="404" redirect="PageNotFound.aspx" />
</customErrors>
Save and close the Web.config file.
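Both Web.config changes above disclose server internals, so a practitioner wants a check that they are off again once troubleshooting ends. The following Python is an added example, not code from the original article or from ADFS; the Web.config text is constructed and contains only the elements that are inspected. audit_web_config reports the effective settings and harden returns a copy with debug off and customErrors set to RemoteOnly, which keeps the defaultRedirect and <error> targets and actually serves them to remote clients.

```python
"""Audit an ASP.NET Web.config for the two troubleshooting settings the
procedures above enable, and produce the hardened copy for afterwards.

Added example, not code from the original article. The Web.config text is
constructed and holds only the elements inspected here.
"""
import xml.etree.ElementTree as ET

TROUBLESHOOTING_WEB_CONFIG = """\
<?xml version="1.0"?>
<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" defaultRedirect="Errors.aspx">
      <error statusCode="404" redirect="PageNotFound.aspx" />
    </customErrors>
  </system.web>
</configuration>
"""


def _system_web(root):
    # Plain iteration: the element name contains a dot, so avoid path syntax.
    return next((child for child in root if child.tag == "system.web"), None)


def audit_web_config(xml_text):
    """Return the effective settings and a list of findings (empty when clean)."""
    root = ET.fromstring(xml_text)
    sw = _system_web(root)
    comp = sw.find("compilation") if sw is not None else None
    ce = sw.find("customErrors") if sw is not None else None
    debug = comp is not None and comp.get("debug", "false").lower() == "true"
    # When <customErrors> is absent, ASP.NET's machine.config default applies: RemoteOnly.
    mode = ce.get("mode", "RemoteOnly") if ce is not None else "RemoteOnly"
    findings = []
    if debug:
        findings.append('compilation debug="true": stack traces carry source paths and line numbers')
    if mode.lower() == "off":
        findings.append('customErrors mode="Off": raw ASP.NET errors go to remote clients; '
                        "defaultRedirect and <error> pages are not used in this mode")
    return {"compilation_debug": debug, "custom_errors_mode": mode, "findings": findings}


def harden(xml_text):
    """Turn debug off and make customErrors RemoteOnly, keeping the redirect targets."""
    root = ET.fromstring(xml_text)
    sw = _system_web(root)
    if sw is None:
        sw = ET.SubElement(root, "system.web")
    comp = sw.find("compilation")
    if comp is None:
        comp = ET.SubElement(sw, "compilation")
    comp.set("debug", "false")
    ce = sw.find("customErrors")
    if ce is None:
        ce = ET.SubElement(sw, "customErrors")
    ce.set("mode", "RemoteOnly")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_web_config(TROUBLESHOOTING_WEB_CONFIG))
    hardened = harden(TROUBLESHOOTING_WEB_CONFIG)
    print("after: ", audit_web_config(hardened))
    print(hardened)
```

On a real server, run audit_web_config over the file in SYSTEMDRIVE\ADFS\sts (and over each claims-aware application's Web.config) after a troubleshooting session; any finding means the debug settings were left behind.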
Understanding Default Event Logs
By default, ADFS components log some events in Event Viewer. The following sections list the default events that a successful sign-on produces, as you will see them in Event Viewer.
Default Events for Token-based Applications on a Web Server
Default Events for Claims-aware Applications on a Web Server
Default Auditing Events for Token-based Applications on a Federation Server
Default Auditing Events for Claims-aware Applications on a Federation Server
Default Events for Token-based Applications on a Web Server
The following types of events appear when an ADFS client successfully receives access to the requested application Web page. These events occur in an environment similar to the sample scenario presented in Verifying ADFS Computer Settings and Connectivity.
If a Web server that is running an ADFS Web Agent is able to retrieve trust information successfully from the Federation Service, the following event is generated in the Application log on the Web server:
Event Type: Information
Event Source: ADFS ISAPI Extension
Event Category: None
Event ID: 101
Date: 11/10/2005
Time: 10:45:23 AM
User: N/A
Computer: ADFSWEB
Description:
The ADFS Web Agent for Windows NT token-based applications successfully retrieved trust information from the Federation Service.
The following event appears in the Security log on the ADFS Web server:
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 11/10/2005
Time: 10:46:17 AM
User: urn:federation:adatum\[email protected]
Computer: ADFSWEB
Description:
Successful Network Logon:
User Name: [email protected]
Domain: urn:federation:adatum
Logon ID: (0x0,0x25E31)
Logon Type: 3
Logon Process:
Authentication Package: IfsAp
Workstation Name: -
Logon GUID: -
Caller User Name: ADFSWEB$
Caller Domain: TREYRESEARCH0
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1568
Transited Services: -
Source Network Address: -
Source Port: -
In the preceding event text, Caller Process ID: 1568 is the process ifssvc.exe on the ADFS Web server.
Default Events for Claims-aware Applications on a Web Server
You will notice the following event if the ADFS Web server is able to retrieve ADFS trust information successfully from the Federation Service.
Event Type: Information
Event Source: ADFS
Event Category: None
Event ID: 621
Date: 11/10/2005
Time: 4:09:26 PM
User: N/A
Computer: ADFSWEB
Description:
The ADFS Web Agent for claims-aware applications successfully retrieved trust information from the Federation Service.
GUID: d977fee6-175b-4532-bc24-5ac54d137d57
Version: 17
Federation Service Uniform Resource Locator (URL): https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.asmx
Federation Service Uniform Resource Identifier (URI): urn:federation:treyresearch
Federation Service Endpoint URL: https://adfsresource.treyresearch.net/adfs/ls/
Federation Service Domain Account: TREYRESEARCH0\ADFSRESOURCE$
You will also see the following event in the Security log.
Event Type: Success Audit
Event Source: ADFS ASP.NET Module Auditor
Event Category: Object Access
Event ID: 560
Date: 11/10/2005
Time: 4:10:11 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: ADFSWEB
Description:
The client presented a valid inbound token as evidence.
Token ID: _ad5a3694-860d-4063-95a3-3b0163fad3ca
Identity: [email protected]
Default Auditing Events for Token-based Applications on a Federation Server
Federation servers in the account and the resource domains log similar events in the security log if object access auditing is turned on. These events provide details about claims, including the time that the claim was presented and the requested user.
Default auditing events for a token-based application on an account federation server
The following default auditing events are logged in the Security log on the account federation server:
Event ID 500: Indicates that a token request was received by adfsaccount.
Event ID 510: Contains details of the resource token that was issued by adfsaccount.
Event ID 520: Contains details of the logon accelerator token that was issued by adfsaccount.
Event ID 550: Contains the list of claims that were retrieved from the account store.
The following sample events are generated on the federation server named adfsaccount.adatum.com, in an ADFS deployment similar to that described in Verifying ADFS Computer Settings and Connectivity.
Event ID 500:
Event Type: Success Audit
Event Source: ADFS Federation Service Auditor
Event Category: Object Access
Event ID: 500
Date: 11/10/2005
Time: 4:10:13 PM
User: NT AUTHORITY\SYSTEM
Computer: ADFSACCOUNT
Description:
Transaction ID: {c727f983-de98-4c88-947c-06d5f914659a}
A token request was received directly by the Federation Service. The request for target 'urn:federation:treyresearch' was approved, and one or more tokens were issued.
Target URI: urn:federation:treyresearch
A resource token was issued. Depending on the audit policy, further details of this token may be written to a 510 event with the same transaction ID.
Token ID: _952de51d-e827-41db-8332-1afa84aa51d2
Identity: [email protected]
A logon accelerator was issued. Depending on the audit policy, further details of this token may be written to a 520 event with the same transaction ID.
Token ID: _b17a22ce-96af-4a59-a885-c1252872c6ea
Identity:
The client did not present a logon accelerator token as evidence.
The client presented valid credentials. Depending on the audit policy, the list of generated claims may be written to a 550 event with the same transaction ID.
Authentication method: Windows integrated authentication
Username: ADATUM0\adamcar
Event ID 510:
Event Type: Success Audit
Event Source: ADFS Federation Service Auditor
Event Category: Object Access
Event ID: 510
Date: 11/10/2005
Time: 4:10:13 PM
User: NT AUTHORITY\SYSTEM
Computer: ADFSACCOUNT
Description:
Transaction ID: {c727f983-de98-4c88-947c-06d5f914659a}
This event contains the details of the resource token that was issued as part of the referenced transaction.
Token ID: _952de51d-e827-41db-8332-1afa84aa51d2
Issuer: urn:federation:adatum
Audience: urn:federation:treyresearch
Effective time: 11/10/2005 4:10:13 PM
Expiration time: 11/10/2005 5:10:13 PM
Claim source:
Authentication methods:
Method | Time
urn:federation:authentication:windows | 2005-11-11T00:10:13Z
UPN: [email protected]
Email: [Claim not present]
Common name: [Claim not present]
Groups: (0 sensitive values omitted)
SharePointMapping
Custom claims:
Name | Value
[Custom claims not present]
Event ID 520:
Event Type: Success Audit
Event Source: ADFS Federation Service Auditor
Event Category: Object Access
Event ID: 520
Date: 11/10/2005
Time: 4:10:13 PM
User: NT AUTHORITY\SYSTEM
Computer: ADFSACCOUNT
Description:
Transaction ID: {c727f983-de98-4c88-947c-06d5f914659a}
This event contains the details of the logon accelerator token that was issued as part of the referenced transaction.
Token ID: _b17a22ce-96af-4a59-a885-c1252872c6ea
Issuer: urn:federation:adatum
Audience: urn:federation:adatum
Effective time: 11/10/2005 4:10:13 PM
Expiration time: 11/11/2005 2:10:13 AM
Claim source: urn:federation:activedirectory
Authentication methods:
Method | Time
urn:federation:authentication:windows | 2005-11-11T00:10:13Z
UPN: [email protected]
Email: [Claim not present]
Common name: [Claim not present]
Groups: (0 sensitive values omitted)
Trey SharePoint Claim
Custom claims:
Name | Value
[Custom claims not present]
Event ID 550:
Event Type: Success Audit
Event Source: ADFS Federation Service Auditor
Event Category: Object Access
Event ID: 550
Date: 11/10/2005
Time: 4:10:13 PM
User: NT AUTHORITY\SYSTEM
Computer: ADFSACCOUNT
Description:
Transaction ID: {c727f983-de98-4c88-947c-06d5f914659a}
This event contains the list of claims that were retrieved from the account store as part of the referenced transaction.
UPN: [email protected]
Email: [Claim not present]
Common name: [Claim not present]
Groups: (0 sensitive values omitted)
Trey SharePoint Claim
Custom claims:
Name | Value
[Custom claims not present]
Default auditing events for a token-based application on a resource federation server
The following default auditing events are logged on the resource federation server:
Event ID 500: Indicates that a token request was received by adfsresource.
Event ID 510: Contains the details of the resource token that was issued by adfsresource.
Event ID 520: Contains the details of the logon accelerator token that was issued by adfsresource.
Event ID 540: Contains the details of the token that was presented by the client.
The following sample events are generated on the federation server named adfsresource.treyresearch.net, in an ADFS deployment similar to that described in Verifying ADFS Computer Settings and Connectivity.
Event ID 500:
Event Type: Success Audit
Event Source: ADFS Federation Service Auditor
Event Category: Object Access
Event ID: 500
Date: 11/10/2005
Time: 4:10:12 PM
User: NT AUTHORITY\SYSTEM
Computer: ADFSRESOURCE
Description:
Transaction ID: {fb4e7da3-ca0b-43ca-a0c0-42a333ce0d80}
A token request was received directly by the Federation Service. The request for target 'https://adfsweb.treyresearch.net:8081/sampleapp/' was approved, and one or more tokens were issued.
Target URI: https://adfsweb.treyresearch.net:8081/sampleapp/
A resource token was issued. Depending on the audit policy, further details of this token may be written to a 510 event with the same transaction ID.
Token ID: _ad5a3694-860d-4063-95a3-3b0163fad3ca
Identity: [email protected]
A logon accelerator was issued. Depending on the audit policy, further details of this token may be written to a 520 event with the same transaction ID.
Token ID: _ea256664-ac66-4560-9a4f-97a26bf21fa0
Identity:
The client did not present a logon accelerator token as evidence.
The client presented a valid inbound token as evidence. Depending on the audit policy, further details of this token may be written to a 540 event with the same transaction ID.
Token issuer: urn:federation:adatum
Token ID: _952de51d-e827-41db-8332-1afa84aa51d2
Identity: [email protected]
For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Event ID 510:
Event Type: Success Audit
Event Source: ADFS Federation Service Auditor
Event Category: Object Access
Event ID: 510
Date: 11/10/2005
Time: 4:10:12 PM
User: NT AUTHORITY\SYSTEM
Computer: ADFSRESOURCE
Description:
Transaction ID: {fb4e7da3-ca0b-43ca-a0c0-42a333ce0d80}
This event contains the details of the resource token that was issued as part of the referenced transaction.
Token ID: _ad5a3694-860d-4063-95a3-3b0163fad3ca
Issuer: urn:federation:treyresearch
Audience: https://adfsweb.treyresearch.net:8081/sampleapp/
Effective time: 11/10/2005 4:10:12 PM
Expiration time: 11/10/2005 5:10:12 PM
Claim source: urn:federation:adatum
Authentication methods:
Method | Time
urn:federation:authentication:windows | 2005-11-11T00:10:13Z
UPN: [email protected]
Email: [Claim not present]
Common name: [Claim not present]
Groups: (0 sensitive values omitted)
[Groups not present]
Custom claims:
Name | Value
[Custom claims not present]
For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Event ID 520:
Event Type: Success Audit
Event Source: ADFS Federation Service Auditor
Event Category: Object Access
Event ID: 520
Date: 11/10/2005
Time: 4:10:12 PM
User: NT AUTHORITY\SYSTEM
Computer: ADFSRESOURCE
Description:
Transaction ID: {fb4e7da3-ca0b-43ca-a0c0-42a333ce0d80}
This event contains the details of the logon accelerator token that was issued as part of the referenced transaction.
Token ID: _ea256664-ac66-4560-9a4f-97a26bf21fa0
Issuer: urn:federation:treyresearch
Audience: urn:federation:treyresearch
Effective time: 11/10/2005 4:10:12 PM
Expiration time: 11/11/2005 2:10:12 AM
Claim source: urn:federation:adatum
Authentication methods:
Method | Time
urn:federation:authentication:windows | 2005-11-11T00:10:13Z
UPN: [email protected]
Email: [Claim not present]
Common name: [Claim not present]
Groups: (0 sensitive values omitted)
Adatum Share Point Claim
Custom claims:
Name | Value
[Custom claims not present]
For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Event ID 540:
Event Type: Success Audit
Event Source: ADFS Federation Service Auditor
Event Category: Object Access
Event ID: 540
Date: 11/10/2005
Time: 4:10:12 PM
User: NT AUTHORITY\SYSTEM
Computer: ADFSRESOURCE
Description:
Transaction ID: {fb4e7da3-ca0b-43ca-a0c0-42a333ce0d80}
This event contains the details of the token that was presented by the client as part of the referenced transaction.
Token ID: _952de51d-e827-41db-8332-1afa84aa51d2
Issuer: urn:federation:adatum
Audience: urn:federation:treyresearch
Effective time: 11/10/2005 4:10:13 PM
Expiration time: 11/10/2005 5:10:13 PM
Claim source:
Authentication methods:
Method | Time
urn:federation:authentication:windows | 2005-11-11T00:10:13Z
UPN: [email protected]
Email: [Claim not present]
Common name: [Claim not present]
Groups: (0 sensitive values omitted)
SharePointMapping
Custom claims:
Name | Value
[Custom claims not present]
Default Auditing Events for Claims-aware Applications on a Federation Server
A claims-aware application generates events that are similar to the events that are generated by a token-based application.