Event ID 676 — Federation Service Auditing

Updated: December 3, 2008

Applies To: Windows Server 2008 R2

red

The Federation Service uses auditing to record success and failure audits, such as audits that are written when tokens are created and received.

Event Details

Product: Windows Operating System
ID: 676
Source: Microsoft-Windows-ADFS
Version: 6.1
Symbolic Name: FailureRegisteringAuditSource
Message: The AD FS auditing subsystem could not register itself with the system. An unexpected error occurred.

Additional Data
The data field contains a Win32 error code.

Resolve

Grant the Generate Security Audits privilege to the Web application AppPool identity principal

Make sure that the Web application’s AppPool identity principal is granted the Generate Security Audits privilege in Local Security Policy.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To grant the AppPool identity principal the Generate Security Audits privilege:

  1. Record the name of the account that is used as the AppPool identity principal before you start the Local Security Policy snap-in. To do this, view and record the account that is specified in the Log On tab of the AD FS Web Agent Authentication Service:
    1. Click Start, point to Administrative Tools, and then click Services.
    2. In the details pane, click AD FS Web Agent Authentication Service.
  2. After you identify the account that is used as the AppPool identity principal, click Start, point to Administrative Tools, click Local Security Policy, and then double-click Local Policies.
  3. Double-click User Rights Assignment.
  4. In the details pane, right-click the Generate Security Audits setting, and then click Properties.
  5. Add the account that is specified on the Log On tab of the AD FS Web Agent Authentication Service to the setting.

Verify

To verify that Active Directory Federation Services (AD FS) is working properly, attempt to access one or more federated applications from a client computer, and then check the Event Viewer logs on the federation server to make sure that AD FS is operational:

To perform these procedures, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that Active Directory Federation Services (AD FS) is working properly:

  1. Log on to a federation server, and then open Event Viewer.
  2. Click Security, and then check to see if there are any Success or Failure audits that might indicate whether the client authentication or authorization request to the federated application was successful or not.

    If no security events are recorded, check to see whether all federation servers that participate in this federated partnership have been configured to record security audits. To do this, you have to manually configure the Local Security Policy and enable the event log for the federation servers, using the following steps.

    Note: You must apply each of these steps to all of the federation servers before you enable success or failure auditing in the Trust Policy properties of the Active Directory Federation Services snap-in. This will make it possible for the Federation Service to log either success or failure errors.

    1. Click Start, point to Administrative Tools, and then click Local Security Policy.
    2. Double-click Local Policies, and then click Audit Policy.
    3. In the details pane, double-click Audit object access.
    4. On the Audit object access Properties page, select either Success or Failure, or both, and then click OK.
    5. Close the Local Security Settings snap-in.
    6. At a command prompt, type gpupdate /force, and then press ENTER to immediately refresh the local policy.
    7. Repeat these steps on each of the federation servers in the partnership.
    8. Enable event logging for the federation server. Click Start, point to Administrative Tools, and then click Active Directory Federation Services.
    9. Right-click the Trust Policy node, and then click Properties.
    10. Scroll to the Event Log tab.
    11. Under Event log level, click to select and deselect the specific type of application event logs that you want to record, and then click OK.

You can also check the Application log on the AD FS-enabled Web server for more details.

To check the Application log:

  1. Log on to an AD FS-enabled Web server, and then open Event Viewer.
  2. Click Application, and then check to see whether the Web server displays any Information or Error events that were recorded by the federated application.

Related Management Information

Federation Service Auditing

Active Directory Federation Services

Community Additions

ADD
Show: