Configuring ADFS Servers for Troubleshooting

Configuring ADFS Servers for Troubl...

Updated: September 13, 2007

Applies To: Windows Server 2003 R2

This topic provides the following sections to help you configure and understand settings and logs that can aid problem-solving on Active Directory Federation Services (ADFS) servers.

Configuring Cache Settings on ADFS servers
Configuring ADFS Servers to Record Auditing of ADFS Events to the Security Log
Configuration Tasks for Troubleshooting
Understanding Default Event Logs

Configuring Cache Settings on ADFS servers

The following table describes all of the various ADFS-related cache settings, where they are located, the values associated with them and the ADFS components they affect.

Cache Setting Description	Cache Setting Location	ADFS Component / Sub-Component	Configuration Parameter	Units	Default Value	Minimum Value	Maximum Value
Lifetime of an entry in the Security Assertion Markup Language (SAML) token cache	Registry(DWORD Value)	Windows NT Token-based Web Agent / ADFS Authentication Service	System\\CurrentControlSet\\Services\\IFSSVC\\Parameters\\TokenCacheEntryLifetime	Minutes	60 minutes	5 minutes	Maximum DWORD
How often the SAML token cache is scavenged	Registry (DWORD Value)	Windows NT Token-based Web Agent / ADFS Authentication Service	System\\CurrentControlSet\\Services\\IFSSVC\\Parameters\\TokenCacheScavengePeriod	Minutes	15 minutes	5 minutes	Maximum DWORD
Total number of entries in the SAML token cache	Registry (DWORD Value)	Windows NT Token-based Web Agent / ADFS Authentication Service	System\\CurrentControlSet\\Services\\IFSSVC\\Parameters\\TokenCacheSize	N/A	10000	0	Maximum DWORD
How long cookie cache entries are guaranteed to live	Registry (DWORD Value)	Windows NT Token-based Web Agent / ADFS Web Agent ISAPI Extension	Software\\Microsoft\\ADFS\\WebServerAgent\\CookieCacheEntryLifetime	Seconds	5 minutes	1 minute	8 hours
How often the cookie cache is scavenged	Registry (DWORD Value)	Windows NT Token-based Web Agent / ADFS Web Agent ISAPI Extension	Software\\Microsoft\\ADFS\\WebServerAgent\\CookieCacheScavengeInterval	Seconds	15 minutes	1 minute	1 hour
How long token-information cache entries are guaranteed to live	Registry (DWORD Value)	Federation Service and Windows NT Token-based Web Agent	System\\CurrentControlSet\\Control\\Lsa\\WebSso\\Parameters\\CacheEntryLifetime	Seconds	1 hour	1 minute	10 hours
How often the token information cache is scavenged	Registry (DWORD Value)	Federation Service and Windows NT Token-based Web Agent	System\\CurrentControlSet\\Control\\Lsa\\WebSso\\Parameters\\CacheScavengeInterval	Seconds	15 minutes	1 minute	1 hour
Total number of entries in the SAML token cache	Web.config (Integer)	Claims-aware Web Agent	/websso/tokenCacheSize	N/A	10000	0	Integer Maximum Value
Lifetime of an entry in the SAML token cache	Web.config (Integer)	Claims-aware Web Agent	/websso/tokenCacheEntryLifetime	Minutes	60 minutes	5 minutes	Integer Maximum Value
How often the SAML token cache is scavenged	Web.config (Integer)	Claims-aware Web Agent	/websso/tokenCacheScavengePeriod	Minutes	15 minutes	5 minutes	Integer Maximum Value
How often the Windows trust information is updated	Trust policy (Integer)	Federation Service	WindowsTrustCacheUpdatePeriodInMinutes	Minutes	60 minutes	5 minutes	Integer Maximum Value
Total number of entries in the SAML token cache	Trust policy (Integer)	Federation Service	TokenCacheCapacity	N/A	10000	0	Integer Maximum Value
Lifetime of an entry in the SAML token cache	Trust policy (Integer)	Federation Service	TokenCacheEntryLifetimeInMinutes	Minutes	60 minutes	5 minutes	Integer Maximum Value
How often the SAML token cache is scavenged	Trust policy (Integer)	Federation Service	TokenCacheScavengePeriodInMinutes	Minutes	15 minutes	5 minutes	Integer Maximum Value
How often the trust policy is checked for updates (this is in addition to change notifications in the trust policy file)	Trust policy (Integer)	Federation Service	TrustPolicyUpdatePeriodInMinutes	Minutes	60 minutes	5 minutes	Integer Maximum Value

Configuring ADFS Servers to Record Auditing of ADFS Events to the Security Log

All ADFS-related audits that are made specifically to the security log are considered by the system to be object access–type audits, which by default are ignored by the system. For this reason, to ensure that ADFS-related audits (specifically Success Audits and Failure Audits) appear in the Security log, you need to manually configure the Local Security Policy, using the procedure below. You must apply the steps in this procedure to all of the ADFS servers (federation servers, federation server proxies, and Web servers hosting the ADFS Web Agent) before enabling success or failure auditing in the Trust Policy properties of the ADFS snap-in. This will allow the Federation Service to log either success or failure errors.

This procedure has no effect on the events that ADFS writes to the application log.

To configure the Windows Security Log to support auditing of ADFS events

Click Start, point to Administrative Tools, and then click Local Security Policy.
Double-click Local Policies, and then click Audit Policy.
In the details pane, double-click Audit object access.
On the Audit object access Properties page, select either Success or Failure, or both, and then click OK.
Close the Local Security Settings snap-in.
At a command prompt, type gpupdate /force and then press ENTER to immediately refresh the local policy.

Configure event logging for a federation server

Use the following procedure to specify the types of events that you want to be logged on a server that is running the Active Directory Federation Service:

Configure event logging on a federation server

Configure event logging for a federation server proxy

Use the following procedure to specify the types of events that you want to be logged on a server that is running the ADFS Federation Service Proxy:

Configure event logging on a federation server proxy

Configure event logging on a Web server

Events logged on Web servers that are running an ADFS Web Agent are configured according to the application type that the agent supports. Event logging is configured differently for Windows NT token-based applications and claims-aware applications:

Windows NT token-based applications: On Web servers that are running the ADFS Web Agent for Windows NT token-based applications, event logging for these applications is set in the registry on the Web server. Use the following procedure to specify the types of events that you want to be logged for Windows NT token-based applications on the Web server:

Configure event logging for a Windows NT token-based application
Claims-aware applications: On Web servers that are running the ADFS Web Agent for claims-aware applications, event logging for these applications is set in the Web.config file for the application. Use the following procedure to specify the types of events that you want to be logged for claims-aware applications on the Web server:

Configure event logging for a claims-aware application

Configuration Tasks for Troubleshooting

Before you use advanced troubleshooting techniques to identify and solve ADFS problems, configure your computer for troubleshooting.

To configure your computer for troubleshooting, perform the following tasks:

Configure ADFS Event Logging
Configure ADFS Debug Logging
Disable JavaScript
Enable ASP.NET Debug Output
Configure an ASP.NET Error Page

Configure ADFS Event Logging

You can configure event logging on federation servers, federation server proxies, and Web servers. ADFS events are logged in the Application event log and the Security event log.

Important
You must turn on audit object access at each of the federation servers, for ADFS-related audits to appear in the Security log. This will allow the Federation Service to log either success or failure errors. For more information about how to turn on audit object access, see Audit object access (http://go.microsoft.com/fwlink/?LinkId=62686).

Configure ADFS Debug Logging

Event logs are generally descriptive, intended to help you understand what is happening. However, the default events do not always provide the level of detail that is needed for effective troubleshooting. In this case, configure ADFS debug logging.

ADFS provides several levels of debug information that are available for troubleshooting ADFS problems. Use the procedures in this section for enabling debug logging and setting appropriate debug logging levels on federation servers, federation proxy servers, and Web servers that are running ADFS Web Agents.

Note
Debug logging consumes space and resources on the computer. Enabling debug logging is recommended only if you are troubleshooting a problem and need more information than is provided in events. Otherwise, do not enable debug logging.

The debug log file is located in %systemdrive%\ADFS\logs.

Debug log filename format

If debug logging is enabled on a federation server, the log filename in the C:\ADFS\logs directory has the following format:

adfsyyyymmdd-hhmmss.log

In the name of the file, the number following "adfs" represents the date of the log and the number following the dash (-) represents the beginning time of the log.

Debug log tags

Depending on the level of debug logging you enable, you will see the following tags in debug logs:

[INFO] - Displays information about events, such as redirects with protocol Uniform Resource Locators (URLs), token validations, or claim mappings.

[VERBOSE] - Displays information about events, such as sign-in requests, responses, token contents, Web method calls, and security identifier (SID) information.

[ERROR] - Displays events for significant problems in the debug log.

[WARNING] - Displays events, which are not necessarily significant but that may cause future problems.

[EVENTLOG] - Displays all ADFS events.

Although all information in the log file could be useful, you can look at the lines that are tagged [ERROR] and [WARNING] first to quickly assess the problem.

For example, the following section of a debug log file shows that certificate chain validation is failing.

----------------

2005-11-09T19:46:47 [INFO] Requesting token for https://adfsweb.treyresearch.net/ from FS using inbound token.

2005-11-09T19:46:47 [VERBOSE] Parse: Token NOT found in cache

2005-11-09T19:46:47 [VERBOSE] SAML: effectivetime = 11/09/2005 19:46:53

expirationtime = 11/09/2005 20:46:53

2005-11-09T19:46:50 [WARNING] VerifyCertChain: Cert chain did not verify - error code was 0x80092013

2005-11-09T19:46:50 [ERROR] KeyInfo processing failed because the trusted certificate does not have a a valid certificate chain. Thumbprint = BAF02C45AF23389CC7FEC615615056021E107C3E

2005-11-09T19:46:50 [WARNING] Failing signature verification because the KeyInfo section failed to produce a key.

2005-11-09T19:46:50 [WARNING] SAML token signature was not valid: AssertionID = _cbe6e3ca-fb90-4a93-a789-b925856163d0

2005-11-09T19:46:50 [VERBOSE] Processing FS response: policy version is a9d515c1-6965-4aa7-a78e-3cfc77f0dd2a - 16

2005-11-09T19:46:50 [INFO] Token issuance request to FS failed: ValidationFailure

2005-11-09T19:53:14 [VERBOSE] Processing HTTP GET: https://adfsresource.treyresearch.net/adfs/ls/?wa=wsignin1.0&wreply=https://ADFSWeb.TREYRESEARCH.NET/&wct=2005-11-09T19:53:13Z&wctx=https://adfsweb.treyresearch.net/default.aspx

2005-11-09T19:53:14 [VERBOSE] Received SignIn Request.

2005-11-09T19:53:14 [VERBOSE] HOMEREALM: Realm could not be determined.

2005-11-09T19:53:14 [INFO] Received signin request via query string.

2005-11-09T19:53:14 [VERBOSE] Sign In Request Dump

--------------------

As you can see in the log text, even the thumbprint of the certificate is provided.

You can run the following command against the .cer file of the certificate to get more information about the failure.

certutil –v –urlfetch -verify CertFileName .cer

Set ADFS debug levels on federation servers

On federation account, resource, and proxy servers, you can use the Windows UI to enable debug logging and set levels to increase the detail of feedback in the logs.

Perform the following procedure on an account or resource federation server or federation proxy server.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group on the local computer.

To set ADFS debug levels on federation servers and federation proxy servers

Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
Right-click Federation Service or Federation Service Proxy, and then click Properties.

On the Troubleshooting tab, select debug levels as appropriate, and then click OK.

Note
To see descriptions for each debug level, click Help on the Troubleshooting tab.

Enable ADFS authentication package debug logging on ADFS account federation servers

The account federation server uses the ADFS authentication package (ifsAp.dll) for mapping client certificates.

Perform the following procedures on an ADFS account federation server.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group on the local computer.

To enable debug logging for the ADFS authentication package on an account federation server

Open Regedit.
Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\lsa\WebSSO\Parameters
Right-click Parameters, click New, and then click DWORD Value.
In the new value file name box, type the following, and then press Enter:

DebugLevel
Double-click the new entry and then, in Value data, type the following, and then click OK:

FFFFFFFF

Enable ADFS debug logging on Web servers

To enable debug logging on Web servers, you need to edit the registry on the servers that you are troubleshooting.

You can enable debug logging for the following components:

The ADFS Web Agent running on ADFS Web servers has two components:
- ADFS Token Authentication service (ifssvc.exe), which validates incoming tokens and cookies. Debug logging creates ifssvc.log.
- ADFS Web Agent Internet Server Application Programming Interface (ISAPI) extension (ifsext.dll), which handles the protocols that are used by ADFS to authenticate requests; and the ADFS Web Agent ISAPI filter (ifsfilt.dll), which assists the extension and enables user name logging in the Internet Information Services (IIS) log files. Debug logging creates the ifsext_StsAppPool1.log and ifsfilt_StsAppPool1.log, respectively in the %systemdrive%\ADFS\Logs directory.
In addition, the ADFS Web Agent authentication package (ifsAp.dll) is used by Windows NT token-based applications for generating tokens when Service-for-User (S4U) is not available. Debug logging creates ifsap.log.

You can enable debug logging for each of these components in the registry on ADFS Web servers.

Administrative credentials

To complete these procedures, you must be a member of the Administrators group on the local computer.

To enable debug logging for the ADFS Token Authentication service

Open Regedit.
Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ifssvc\Parameters
Right-click Parameters, click New, and then click DWORD Value.
In the new value file name box, type the following, and then press Enter:

DebugPrintLevel
Double-click the new entry and then, in Value data, type the following, and then click OK:

FFFFFFFF

To enable debug logging for the ADFS ISAPI extension and filter

Open Regedit.
Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ADFS\WebServerAgent
Right-click WebServerAgent, click New, and then click DWORD Value.
In the new value file name box, type the following, and then press Enter:

DebugPrintLevel
Double-click the new entry and then, in Value data, type the following, and then click OK:

FFFFFFFF

To enable debug logging for the ADFS Web Agent authentication package (for Windows NT token-based applications)

Open Regedit.
Navigate to:

HKEY_LOCAL_MACHINE_SYSTEM\CurrentControlSet\Lsa\WebSso\ Parameters
Right-click Parameters, click New, and then click DWORD Value.
In the new value file name box, type the following, and then press Enter:

DebugLevel
Double-click the new entry and then, in Value data, type the following, and then click OK:

FFFFFFFF

Disable JavaScript

JavaScript is used to automatically redirect the client to various points, including posting tokens. When JavaScript is disabled, the automatic redirect is prevented and a submit button is displayed instead. This button allows the client to walk through each step more easily as part of troubleshooting the configuration.

Administrative credentials

To complete this procedure, you must be a member of the Users group on the local computer.

Disable JavaScript in Internet Explorer

Open Internet Explorer.
On the Tools menu, click Internet Options.
On the Security tab, click Custom Level.
Scroll to the Scripting category.
Under Active scripting, click Disable, and then click OK twice.

Enable ASP.NET Debug Output

You can generate debug output for ASP.NET files by configuring the Web.config file on the computer.

Note
Generating debug output for ASP.Net files enable clients to view server state information that could be misused by malicious users.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group on the local computer.

To enable ASP.NET debug output

In Notepad, open the Web.config file in SYSTEMDRIVE\ADFS\sts.
Search for <system.web>.
Add the <compilation debug> entry under <system.web>, as follows:

< compilation debug="true" />
Save and close the Web.config file.

Configure an ASP.NET Error Page

You can configure an error page to display when ASP.NET errors prohibit the opening of a page. Use the Web.config file to configure this error page.

Administrative credentials

To complete this procedure, you must be a member of the Administrators group on the local computer.

To configure an ASP.NET error page

In Notepad, open the Web.config file in SYSTEMDRIVE\ADFS\sts.
Search for <system.web>.
Add the following entries under <system.web>:

<customErrors mode="Off" defaultRedirect="Errors.aspx">

<error statusCode="404" redirect="PageNotFound.aspx" />

</customErrors>
Save and close the Web.config file.

Understanding Default Event Logs

By default, some events are logged by ADFS components in Event Viewer. The following categories of default events provide information about successful operations that are logged in the event logs and for which you will see events in Event Viewer.

Default Events for Token-based Applications on a Web Server
Default Events for Claims-aware Applications on a Web Server
Default Auditing Events for Token-based Applications on a Federation Server
Default Auditing Events for Claims-aware Applications on a Federation Server

Default Events for Token-based Applications on a Web Server

The following types of events appear when an ADFS client successfully receives access to the requested application Web page. These events occur in an environment similar to the sample scenario presented in Verifying ADFS Computer Settings and Connectivity.

If a Web server that is running an ADFS Web Agent is able to retrieve trust information successfully from the Federation Service, the following event is generated in the Application log on the Web server:

Event Type:Information
Event Source:ADFS ISAPI Extension
Event Category:None
Event ID:101
Date:11/10/2005
Time:10:45:23 AM
User:N/A
Computer:ADFSWEB
Description:
The ADFS Web Agent for Windows NT token-based applications successfully retrieved trust information from the Federation Service.

The following event appears in the Security log on the ADFS Web server:

 
Event Type:Success Audit
Event Source:Security
Event Category:Logon/Logoff 
Event ID:540
Date:11/10/2005
Time:10:46:17 AM
User:urn:federation:adatum\adamcar@adatum.com
Computer:ADFSWEB
Description:
Successful Network Logon:
 User Name:adamcar@adatum.com
 Domain:urn:federation:adatum
 Logon ID:(0x0,0x25E31)
 Logon Type:3
 Logon Process:
 Authentication Package:IfsAp
 Workstation Name:-
 Logon GUID:-
 Caller User Name:ADFSWEB$
 Caller Domain:TREYRESEARCH0
 Caller Logon ID:(0x0,0x3E7)
 Caller Process ID: 1568
 Transited Services: -
 Source Network Address:-
 Source Port:-

In the preceding event text, Caller Process ID: 1568 is the process ifssvc.exe on the ADFS Web server.

Default Events for Claims-aware Applications on a Web Server

You will notice the following event if the ADFS Web server is able to retrieve ADFS trust information successfully from the Federation Service.

Event Type:Information
Event Source:ADFS
Event Category:None
Event ID:621
Date:11/10/2005
Time:4:09:26 PM
User:N/A
Computer:ADFSWEB
Description:
The ADFS Web Agent for claims-aware applications successfully retrieved trust information from the Federation Service. 
GUID: d977fee6-175b-4532-bc24-5ac54d137d57 
Version: 17 
Federation Service Uniform Resource Locator (URL): https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.asmx 
Federation Service Uniform Resource Identifier (URI): urn:federation:treyresearch 
Federation Service Endpoint URL: https://adfsresource.treyresearch.net/adfs/ls/ 
Federation Service Domain Account: TREYRESEARCH0\ADFSRESOURCE$

You will also see the following event below in the Security log.

Event Type:Success Audit
Event Source:ADFS ASP.NET Module Auditor
Event Category:Object Access 
Event ID:560
Date:11/10/2005
Time:4:10:11 PM
User:NT AUTHORITY\NETWORK SERVICE
Computer:ADFSWEB
Description:
The client presented a valid inbound token as evidence. 
Token ID: _ad5a3694-860d-4063-95a3-3b0163fad3ca 
Identity: adamcar@adatum.com

Default Auditing Events for Token-based Applications on a Federation Server

Federation servers in the account and the resource domains log similar events in the security log if object access auditing is turned on. These events provide details about claims, including the time that the claim was presented and the requested user.

Default auditing events for a token-based application on an account federation server

The following default auditing events are logged in the Security log on the account federation server:

Event ID 500: Indicates that a token request was received by adfsaccount.
Event ID 510: Contains details of the resource token that was issued by adfsaccount.
Event ID 520: Contains details of the logon accelerator token that was issued by adfsaccount.
Event ID 550: Contains the list of claims that were retrieved from the account store.

The following sample events are generated on the federation server named adfsaccount.adatum.com, in an ADFS deployment similar to that described in Verifying ADFS Computer Settings and Connectivity.

Event ID 500:

Event Type:Success Audit
Event Source:ADFS Federation Service Auditor
Event Category:Object Access 
Event ID:500
Date:11/10/2005
Time:4:10:13 PM
User:NT AUTHORITY\SYSTEM
Computer:ADFSACCOUNT
Description:
Transaction ID: {c727f983-de98-4c88-947c-06d5f914659a} 

A token request was received directly by the Federation Service. The request for target 'urn:federation:treyresearch' was approved, and one or more tokens were issued. 
Target URI: urn:federation:treyresearch  

A resource token was issued. Depending on the audit policy, further details of this token may be written to a 510 event with the same transaction ID. 
Token ID: _952de51d-e827-41db-8332-1afa84aa51d2 
Identity: adamcar@adatum.com  

A logon accelerator was issued. Depending on the audit policy, further details of this token may be written to a 520 event with the same transaction ID. 
Token ID: _b17a22ce-96af-4a59-a885-c1252872c6ea 
Identity:   

The client did not present a logon accelerator token as evidence.  

The client presented valid credentials. Depending on the audit policy, the list of generated claims may be written to a 550 event with the same transaction ID. 
Authentication method: Windows integrated authentication 
Username: ADATUM0\adamcar

Event ID 510:

Event Type:Success Audit
Event Source:ADFS Federation Service Auditor
Event Category:Object Access 
Event ID:510
Date:11/10/2005
Time:4:10:13 PM
User:NT AUTHORITY\SYSTEM
Computer:ADFSACCOUNT
Description:
Transaction ID: {c727f983-de98-4c88-947c-06d5f914659a} 

This event contains the details of the resource token that was issued as part of the referenced transaction. 

Token ID: _952de51d-e827-41db-8332-1afa84aa51d2 
Issuer: urn:federation:adatum 
Audience: urn:federation:treyresearch 
Effective time: 11/10/2005 4:10:13 PM 
Expiration time: 11/10/2005 5:10:13 PM 
Claim source:  
Authentication methods: 
MethodTime 
urn:federation:authentication:windows2005-11-11T00:10:13Z 
UPN: adamcar@adatum.com 
Email: [Claim not present] 
Common name: [Claim not present] 
Groups: (0 sensitive values omitted) 
SharePointMapping 
Custom claims: 
NameValue 
[Custom claims not present]

Event ID 520:

Event Type:Success Audit
Event Source:ADFS Federation Service Auditor
Event Category:Object Access 
Event ID:520
Date:11/10/2005
Time:4:10:13 PM
User:NT AUTHORITY\SYSTEM
Computer:ADFSACCOUNT
Description:
Transaction ID: {c727f983-de98-4c88-947c-06d5f914659a} 

This event contains the details of the logon accelerator token that was issued as part of the referenced transaction. 

Token ID: _b17a22ce-96af-4a59-a885-c1252872c6ea 
Issuer: urn:federation:adatum 
Audience: urn:federation:adatum 
Effective time: 11/10/2005 4:10:13 PM 
Expiration time: 11/11/2005 2:10:13 AM 
Claim source: urn:federation:activedirectory 
Authentication methods: 
MethodTime 
urn:federation:authentication:windows2005-11-11T00:10:13Z 
UPN: adamcar@adatum.com 
Email: [Claim not present] 
Common name: [Claim not present] 
Groups: (0 sensitive values omitted) 
Trey SharePoint Claim 
Custom claims: 
NameValue 
[Custom claims not present]

Event ID 550:

Event Type:Success Audit
Event Source:ADFS Federation Service Auditor
Event Category:Object Access 
Event ID:550
Date:11/10/2005
Time:4:10:13 PM
User:NT AUTHORITY\SYSTEM
Computer:ADFSACCOUNT
Description:
Transaction ID: {c727f983-de98-4c88-947c-06d5f914659a} 

This event contains the list of claims that were retrieved from the account store as part of the referenced transaction. 

UPN: adamcar@adatum.com 
Email: [Claim not present] 
Common name: [Claim not present] 
Groups: (0 sensitive values omitted) 
Trey SharePoint Claim 
Custom claims: 
NameValue 
[Custom claims not present]

Default auditing events for a token-based application on a resource federation server

The following default auditing events are logged on the resource federation server:

Event ID 500: Indicates that a token request was received by adfsresource.
Event ID 510: Contains the details of the resource token that was issued by adfsresource.
Event ID 520: Contains the details of the logon accelerator token that was issued by adfsresource.
Event ID 540: Contains the details of the token that was presented by the client.

The following sample events are generated on the federation server named adfsresource.treyresearch.net, in an ADFS deployment similar to that described in Verifying ADFS Computer Settings and Connectivity.

Event ID 500:

Event Type:Success Audit
Event Source:ADFS Federation Service Auditor
Event Category:Object Access 
Event ID:500
Date:11/10/2005
Time:4:10:12 PM
User:NT AUTHORITY\SYSTEM
Computer:ADFSRESOURCE
Description:
Transaction ID: {fb4e7da3-ca0b-43ca-a0c0-42a333ce0d80} 

A token request was received directly by the Federation Service. The request for target 'https://adfsweb.treyresearch.net:8081/sampleapp/' was approved, and one or more tokens were issued. 
Target URI: https://adfsweb.treyresearch.net:8081/sampleapp/  

A resource token was issued. Depending on the audit policy, further details of this token may be written to a 510 event with the same transaction ID. 
Token ID: _ad5a3694-860d-4063-95a3-3b0163fad3ca 
Identity: adamcar@adatum.com  

A logon accelerator was issued. Depending on the audit policy, further details of this token may be written to a 520 event with the same transaction ID. 
Token ID: _ea256664-ac66-4560-9a4f-97a26bf21fa0 
Identity:   

The client did not present a logon accelerator token as evidence.  

The client presented a valid inbound token as evidence.  Depending on the audit policy, further details of this token may be written to a 540 event with the same transaction ID. 
Token issuer: urn:federation:adatum 
Token ID: _952de51d-e827-41db-8332-1afa84aa51d2 
Identity: adamcar@adatum.com 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event ID 510:

Event Type:Success Audit
Event Source:ADFS Federation Service Auditor
Event Category:Object Access 
Event ID:510
Date:11/10/2005
Time:4:10:12 PM
User:NT AUTHORITY\SYSTEM
Computer:ADFSRESOURCE
Description:
Transaction ID: {fb4e7da3-ca0b-43ca-a0c0-42a333ce0d80} 

This event contains the details of the resource token that was issued as part of the referenced transaction. 

Token ID: _ad5a3694-860d-4063-95a3-3b0163fad3ca 
Issuer: urn:federation:treyresearch 
Audience: https://adfsweb.treyresearch.net:8081/sampleapp/ 
Effective time: 11/10/2005 4:10:12 PM 
Expiration time: 11/10/2005 5:10:12 PM 
Claim source: urn:federation:adatum 
Authentication methods: 
MethodTime 
urn:federation:authentication:windows2005-11-11T00:10:13Z 
UPN: adamcar@adatum.com 
Email: [Claim not present] 
Common name: [Claim not present] 
Groups: (0 sensitive values omitted) 
[Groups not present] 
Custom claims: 
NameValue 
[Custom claims not present] 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event ID 520:

Event Type:Success Audit
Event Source:ADFS Federation Service Auditor
Event Category:Object Access 
Event ID:520
Date:11/10/2005
Time:4:10:12 PM
User:NT AUTHORITY\SYSTEM
Computer:ADFSRESOURCE
Description:
Transaction ID: {fb4e7da3-ca0b-43ca-a0c0-42a333ce0d80} 

This event contains the details of the logon accelerator token that was issued as part of the referenced transaction. 

Token ID: _ea256664-ac66-4560-9a4f-97a26bf21fa0 
Issuer: urn:federation:treyresearch 
Audience: urn:federation:treyresearch 
Effective time: 11/10/2005 4:10:12 PM 
Expiration time: 11/11/2005 2:10:12 AM 
Claim source: urn:federation:adatum 
Authentication methods: 
MethodTime 
urn:federation:authentication:windows2005-11-11T00:10:13Z 
UPN: adamcar@adatum.com 
Email: [Claim not present] 
Common name: [Claim not present] 
Groups: (0 sensitive values omitted) 
Adatum Share Point Claim 
Custom claims: 
NameValue 
[Custom claims not present] 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event ID 540:

Event Type:Success Audit
Event Source:ADFS Federation Service Auditor
Event Category:Object Access 
Event ID:540
Date:11/10/2005
Time:4:10:12 PM
User:NT AUTHORITY\SYSTEM
Computer:ADFSRESOURCE
Description:
Transaction ID: {fb4e7da3-ca0b-43ca-a0c0-42a333ce0d80} 

This event contains the details of the token that was presented by the client as part of the referenced transaction. 

Token ID: _952de51d-e827-41db-8332-1afa84aa51d2 
Issuer: urn:federation:adatum 
Audience: urn:federation:treyresearch 
Effective time: 11/10/2005 4:10:13 PM 
Expiration time: 11/10/2005 5:10:13 PM 
Claim source:  
Authentication methods: 
MethodTime 
urn:federation:authentication:windows2005-11-11T00:10:13Z 
UPN: adamcar@adatum.com 
Email: [Claim not present] 
Common name: [Claim not present] 
Groups: (0 sensitive values omitted) 
SharePointMapping 
Custom claims: 
NameValue 
[Custom claims not present]

Default Auditing Events for Claims-aware Applications on a Federation Server

A claims-aware application generates events that are similar to the events that are generated by a token-based application.