Troubleshooting audit failures with AD FS 2.0

Article
07/02/2012

Updated: May 5, 2010

Applies To: Active Directory Federation Services (AD FS) 2.0

The following table provides troubleshooting guidance for the specific error event messages or other issues that you may encounter if you are having problems that cause Active Directory Federation Services (AD FS) 2.0 auditing to fail.

Before you begin the troubleshooting process, we recommend that you first try to configure AD FS 2.0 for troubleshooting and check for known common issues that might prevent normal functioning for the Federation Service. For detailed instructions for configuring and performing related system checks, see Configuring Computers for Troubleshooting AD FS 2.0 and Things to Check Before Troubleshooting AD FS 2.0.

Event or symptom	Possible cause	Resolution
Event ID 207 An attempt to write to the Security event log failed.	The following are possible causes: The Security event log service is unavailable. The Federation Service does not have correct permissions to write to the Security log.	The following are possible resolutions for this event: Verify in the Services node of Server Manager that the following services are running: Windows Error Reporting Service Windows Event Collector Windows Event Log Ensure that the Federation Service has the correct permissions to write to the Security log. This includes verifying that the AD FS 2.0 service account has write permissions to perform auditing. For more information, see Configure auditing for AD FS 2.0.
Event ID 208 An error occurred during an attempt to register the event source for the Security log.	The Federation Service does not have correct permissions to register the event source in the Security log.	Ensure that the Federation Service has the correct permissions to write to the Security log. This includes verifying that the AD FS 2.0 service account has write permissions to perform auditing. For more information, see Configure auditing for AD FS 2.0.
Event ID 209 The Security log event source for the Federation Service could not be registered.	The Federation Service failed to initiate auditing with the Windows event log. The cause is probably something specific to the Windows error code and the exception data that was returned in the event.	To further diagnose the problem, review the error code and the exception text that is included in the event.

Event ID 207
An attempt to write to the Security event log failed.

The following are possible causes:

The Security event log service is unavailable.
The Federation Service does not have correct permissions to write to the Security log.

The following are possible resolutions for this event:

Verify in the Services node of Server Manager that the following services are running:
- Windows Error Reporting Service
- Windows Event Collector
- Windows Event Log
Ensure that the Federation Service has the correct permissions to write to the Security log. This includes verifying that the AD FS 2.0 service account has write permissions to perform auditing. For more information, see Configure auditing for AD FS 2.0.

Event ID 208
An error occurred during an attempt to register the event source for the Security log.

The Federation Service does not have correct permissions to register the event source in the Security log.

Ensure that the Federation Service has the correct permissions to write to the Security log. This includes verifying that the AD FS 2.0 service account has write permissions to perform auditing. For more information, see Configure auditing for AD FS 2.0.

Event ID 209
The Security log event source for the Federation Service could not be registered.

The Federation Service failed to initiate auditing with the Windows event log. The cause is probably something specific to the Windows error code and the exception data that was returned in the event.

To further diagnose the problem, review the error code and the exception text that is included in the event.

Troubleshooting audit failures with AD FS 2.0

Additional resources