Event ID 125 — Windows NT Token-Based Application Auditing

Updated: February 27, 2008

Applies To: Windows Server 2008


Audit events are written to the audit log during the auditing process. The Windows token-based agent records Success and Failure audit events, including changes in the state of the AD FS Web Agent Authentication Service. Event ID 125 is a Failure audit: the service cannot start because the account it logs on as does not hold the privilege needed to write audits.

Event Details

Product: Windows Operating System
ID: 125
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: SSO_AUDIT_PRIVILEGE_NOT_HELD_FAILURE
Message: The AD FS Web Agent Authentication Service could not start. The authentication service has not been configured to run as a principal that has been granted the "Generate Security Audits" privilege (SeAuditPrivilege).

Users will not be able to access protected resources until the authentication service can be restarted.

User Action
Either grant the AD FS authentication service principal the "Generate Security Audits" privilege or configure the authentication service to run as a principal that has already been granted the "Generate Security Audits" privilege. (For example, configure the authentication service to run as LocalSystem.)

Resolve

Grant the AD FS Authentication Service the Generate Security Audits privilege

Active Directory Federation Services (AD FS) components that write audits must run as LocalSystem, as NetworkService, or as a domain principal account that has been explicitly granted the Generate Security Audits privilege (SeAuditPrivilege). LocalSystem holds this privilege implicitly, and NetworkService holds it by default; any other account must be granted it in User Rights Assignment.

Either grant the AD FS Authentication Service principal account the Generate Security Audits privilege in Local Security Policy, or configure the authentication service to run as a principal that already holds the privilege, for example LocalSystem. Because privileges are placed in an account's token at logon, the service must be restarted after the privilege is granted before the change takes effect.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To configure the AD FS Web Agent Authentication Service to run as LocalSystem, NetworkService, or a custom domain principal account:

  1. On the AD FS-enabled Web server, click Start, point to Administrative Tools, and then click Services.
  2. Right-click AD FS Web Agent Authentication Service, and then click Properties.
  3. On the Log On tab, do one of the following, depending on the type of account that you want to assign, and then click OK:
    • Click Local System account.
    • Click This account, and then type a domain principal account name and password for an account that has been granted the Generate Security Audits privilege.

Verify

Verify that the principal account specified in the properties of the AD FS Authentication Service has been granted the Generate Security Audits privilege in Local Security Policy.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that the Generate Security Audits privilege has been granted to the principal account specified in the AD FS Authentication Service:

  1. On the AD FS-enabled Web server, click Start, point to Administrative Tools, and then click Services.
  2. Right-click AD FS Web Agent Authentication Service, and then click Properties. Record the name of the account that is used as the principal account before you start the Local Security Policy snap-in.
  3. After you identify this account, click Start, point to Administrative Tools, click Local Security Policy, and then double-click Local Policies.
  4. Double-click User Rights Assignment.
  5. In the details pane, right-click Generate Security Audits, and then click Properties.
  6. Verify that the principal account you recorded is present in the list.
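The Resolve and Verify procedures above can be carried out from an elevated PowerShell prompt on the AD FS-enabled Web server. The following script is an added example and is not part of the original page or of AD FS itself: it reads the log-on account of the service (located by the display name used on this page), checks whether that account holds SeAuditPrivilege in the local policy exported by secedit, and, if not, grants it and restarts the service. The temporary file names under $env:TEMP are assumptions.

```powershell
# Added example (not from the original page): check whether the account that the
# AD FS Web Agent Authentication Service logs on as holds SeAuditPrivilege, and
# grant it if it does not. Run from an elevated prompt on the AD FS-enabled Web server.
$displayName = 'AD FS Web Agent Authentication Service'

# Accounts that need no explicit entry in User Rights Assignment: LocalSystem holds
# every privilege implicitly; LocalService and NetworkService hold SeAuditPrivilege
# by default.
$implicit = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')

function Get-ServiceLogonSid([string]$DisplayName) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "DisplayName='$DisplayName'"
    if (-not $svc) { throw "Service '$DisplayName' not found." }
    $name = $svc.StartName                      # e.g. LocalSystem, NT AUTHORITY\NetworkService, CONTOSO\svc-adfs
    if ($name -eq 'LocalSystem') { return 'S-1-5-18' }
    if ($name.StartsWith('.\')) { $name = "$env:COMPUTERNAME\" + $name.Substring(2) }  # local account
    $acct = New-Object System.Security.Principal.NTAccount($name)
    return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Export the effective local policy and read the SeAuditPrivilege line, which secedit
# writes as "SeAuditPrivilege = *S-1-5-19,*S-1-5-20,..." (SIDs are prefixed with '*';
# an entry that could not be resolved to a SID appears as a plain account name).
function Get-AuditPrivilegeSids {
    $cfg = Join-Path $env:TEMP 'userrights-export.inf'   # assumed temp file name
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeAuditPrivilege\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    return ($line -split '=', 2)[1].Split(',') | ForEach-Object { $_.Trim().TrimStart('*') }
}

function Test-AuditPrivilege([string]$Sid) {
    if ($implicit -contains $Sid) { return $true }
    return ((Get-AuditPrivilegeSids) -contains $Sid)
}

# Grant the privilege with secedit. Caveat: /configure replaces the entire list of
# holders for a user right, so the existing holders are written back with the new SID.
function Grant-AuditPrivilege([string]$Sid) {
    $sids = @(Get-AuditPrivilegeSids) + $Sid | Select-Object -Unique
    $value = ($sids | ForEach-Object { "*$_" }) -join ','
    $inf = Join-Path $env:TEMP 'grant-seaudit.inf'        # assumed temp file name
    $db  = Join-Path $env:TEMP 'grant-seaudit.sdb'        # assumed temp file name
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeAuditPrivilege = $value
"@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null
    Remove-Item $inf, $db -ErrorAction SilentlyContinue
}

$sid = Get-ServiceLogonSid $displayName
if (Test-AuditPrivilege $sid) {
    "Service account $sid already holds SeAuditPrivilege."
} else {
    "Service account $sid lacks SeAuditPrivilege; granting it."
    Grant-AuditPrivilege $sid
    # Privileges are put into the token at logon, so the service must log on again
    # (restart) before the new right is effective and Event ID 125 stops recurring.
    Restart-Service -DisplayName $displayName
}
```

Two points a practitioner should note: the script compares SIDs rather than names, so an account that secedit lists by name because its SID could not be resolved is reported as lacking the right, and the Verify step in Local Security Policy remains the authoritative check; and granting the right through secedit only changes the local policy, so if Group Policy also defines Generate Security Audits for this server, the domain setting overwrites the local one at the next refresh and the account must be added there instead.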

Related Management Information

Windows NT Token-Based Application Auditing

Active Directory Federation Services
