
Auditing Enhancements to AD FS in Windows Server 2016

Bill Mathers | Last Updated: 2/10/2017

Applies To: Windows Server 2016

In AD FS for Windows Server 2012 R2, numerous audit events are generated for a single request, and the relevant information about a sign-in or token-issuance activity is either absent (in some versions of AD FS) or spread across multiple audit events. Because of this verbosity, AD FS audit events are turned off by default.
With the release of AD FS in Windows Server 2016, auditing is more streamlined and less verbose.

Auditing levels in AD FS for Windows Server 2016

By default, AD FS in Windows Server 2016 has basic auditing enabled. With basic auditing, administrators see five or fewer events for a single request, a significant decrease in the number of events an administrator has to read to follow one request. The auditing level can be raised or lowered with the PowerShell cmdlet Set-AdfsProperties -AuditLevel. The table below explains the available auditing levels.

Audit Level     | PowerShell syntax                      | Description
None            | Set-AdfsProperties -AuditLevel None    | Auditing is disabled and no events are logged.
Basic (default) | Set-AdfsProperties -AuditLevel Basic   | No more than five events are logged for a single request.
Verbose         | Set-AdfsProperties -AuditLevel Verbose | All events are logged. This logs a significant amount of information per request.

To view the current auditing level, use the PowerShell cmdlet Get-AdfsProperties and read its AuditLevel property.
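The following script is an added example and is not code from the original Microsoft page. It reads the current audit level, switches to Verbose for troubleshooting and back to Basic afterwards, and verifies the result. Two things it relies on are not stated on this page and are included as known prerequisites from AD FS administration: the cmdlets must run in an elevated session on the primary AD FS server (in a WID farm, secondaries are read-only), and AD FS writes its audit events to the Security log only when the Windows audit subcategory "Application Generated" is enabled with auditpol.exe.

```powershell
# Added example (not from the original page). Run elevated on the primary AD FS server.
# Assumption: the ADFS module ships with the Windows Server 2016 AD FS role.
Import-Module ADFS

function Get-AdfsAuditLevel {
    # Get-AdfsProperties may return AuditLevel as a one-element collection,
    # so join it into a plain string before comparing or printing.
    return ((Get-AdfsProperties).AuditLevel -join ',')
}

function Set-AdfsAuditLevelChecked {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('None', 'Basic', 'Verbose')]
        [string] $Level
    )
    Set-AdfsProperties -AuditLevel $Level
    # Verify the change was applied rather than trusting the cmdlet silently.
    $applied = Get-AdfsAuditLevel
    if ($applied -ne $Level) {
        throw "Requested audit level '$Level' but server reports '$applied'"
    }
    return $applied
}

# 1. Record the starting level (Basic on a default 2016 installation).
$before = Get-AdfsAuditLevel
Write-Host "Current AD FS audit level: $before"

# 2. Prerequisite not covered on this page: the OS audit policy must let the
#    "Application Generated" subcategory reach the Security log, or AD FS
#    events 1200-1207 never appear regardless of the AD FS AuditLevel.
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable

# 3. Raise to Verbose while reproducing a sign-in problem ...
Set-AdfsAuditLevelChecked -Level 'Verbose' | Out-Null

# 4. ... and drop back to Basic afterwards so the Security log is not flooded.
Set-AdfsAuditLevelChecked -Level 'Basic' | Out-Null
Write-Host "Audit level restored to: $(Get-AdfsAuditLevel)"
```

Leaving Verbose enabled on a production farm is a common mistake: the extra per-request events can push the Security log to its size limit and start overwriting the very sign-in events an investigation later needs, so the example always returns the level to Basic.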


Types of Audit Events

AD FS audit events are of different types, based on the different kinds of requests AD FS processes, and each type of audit event carries its own specific data. Audit event types divide broadly into sign-in requests (that is, token requests) and system requests (server-to-server calls, including fetching configuration information).
The table below describes the basic types of audit events.

Audit Event Type                    | Event ID | Description
Fresh Credential Validation Success | 1202     | A request in which fresh credentials are validated successfully by the Federation Service. This includes the WS-Trust, WS-Federation, SAML-P (first leg, to generate SSO) and OAuth Authorize endpoints.
Fresh Credential Validation Error   | 1203     | A request in which fresh credential validation failed on the Federation Service. This includes the WS-Trust, WS-Federation, SAML-P (first leg, to generate SSO) and OAuth Authorize endpoints.
Application Token Success           | 1200     | A request in which a security token is issued successfully by the Federation Service. For WS-Federation and SAML-P this is logged when the request is processed with the SSO artifact (such as the SSO cookie).
Application Token Failure           | 1201     | A request in which security token issuance failed on the Federation Service. For WS-Federation and SAML-P this is logged when the request was processed with the SSO artifact (such as the SSO cookie).
Password Change Request Success     | 1204     | A transaction in which the password change request was processed successfully by the Federation Service.
Password Change Request Error       | 1205     | A transaction in which the password change request failed to be processed by the Federation Service.
System                              | -        | A system request, for example AD FS server-to-server requests and proxy-to-STS requests.
Discovery                           | -        | A request to the Federation Metadata or MEX endpoints.
Sign Out Success                    | 1206     | A successful sign-out request.
Sign Out Failure                    | 1207     | A failed sign-out request.
Device Registration                 | -        | A request to the Device Registration Service.
Resource                            | -        | Requests for static resources such as JavaScript and images.
Configuration                       | -        | A configuration request into the system. Important for administrators tracking change management on a business-critical service.
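The script below is an added example, not code from the original page, showing how a SOC analyst would use the Basic-level event IDs in the table above. It labels events by ID, counts them, and flags any hour in which fresh-credential failures (1203) greatly outnumber successes (1202), the shape a password-spray attempt takes in these logs. The sample events at the bottom are constructed so the logic runs without an AD FS server; the commented Get-WinEvent call assumes the events sit in the Security log under the provider name "AD FS Auditing", which this page does not state.

```powershell
# Added example (not from the original page). Event IDs and names are taken from
# the table on this page; the detection threshold is an illustrative assumption.
$AdfsEventNames = @{
    1200 = 'Application Token Success'
    1201 = 'Application Token Failure'
    1202 = 'Fresh Credential Validation Success'
    1203 = 'Fresh Credential Validation Error'
    1204 = 'Password Change Request Success'
    1205 = 'Password Change Request Error'
    1206 = 'Sign Out Success'
    1207 = 'Sign Out Failure'
}

function Get-AdfsAuditSummary {
    # Accepts any objects that expose Id and TimeCreated (real Get-WinEvent
    # records or the constructed samples below) and returns one row per event ID.
    param([Parameter(Mandatory)] [object[]] $Events)
    $Events | Group-Object Id | ForEach-Object {
        [pscustomobject]@{
            Id    = [int]$_.Name
            Type  = $AdfsEventNames[[int]$_.Name]
            Count = $_.Count
        }
    } | Sort-Object Id
}

function Find-AdfsCredentialFailureBursts {
    # Buckets events per hour and reports hours where 1203 (fresh credential
    # validation error) exceeds both an absolute floor and a multiple of 1202.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinFailures = 20,        # assumption: tune to the farm's baseline
        [double] $FailToSuccessRatio = 5
    )
    $Events | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } | ForEach-Object {
        $fails = @($_.Group | Where-Object { $_.Id -eq 1203 }).Count
        $oks   = @($_.Group | Where-Object { $_.Id -eq 1202 }).Count
        # Avoid divide-by-zero when an hour has failures but no successes at all.
        $ratio = if ($oks -eq 0) { [double]::PositiveInfinity } else { $fails / $oks }
        if ($fails -ge $MinFailures -and $ratio -ge $FailToSuccessRatio) {
            [pscustomobject]@{ Hour = $_.Name; Failures = $fails; Successes = $oks }
        }
    }
}

# Constructed sample data: a quiet hour, then an hour with a burst of 1203s.
$base   = Get-Date '2017-02-10 08:00'
$sample = @()
1..4  | ForEach-Object { $sample += [pscustomobject]@{ Id = 1202; TimeCreated = $base.AddMinutes($_) } }
1..4  | ForEach-Object { $sample += [pscustomobject]@{ Id = 1200; TimeCreated = $base.AddMinutes(5 + $_) } }
1..2  | ForEach-Object { $sample += [pscustomobject]@{ Id = 1202; TimeCreated = $base.AddMinutes(60 + $_) } }
1..25 | ForEach-Object { $sample += [pscustomobject]@{ Id = 1203; TimeCreated = $base.AddMinutes(70 + $_) } }
$sample += [pscustomobject]@{ Id = 1206; TimeCreated = $base.AddMinutes(100) }

Get-AdfsAuditSummary -Events $sample | Format-Table -AutoSize
Find-AdfsCredentialFailureBursts -Events $sample | Format-Table -AutoSize

# Against a live AD FS 2016 server (elevated; reading the Security log needs admin):
# $live = Get-WinEvent -FilterHashtable @{
#     LogName = 'Security'; ProviderName = 'AD FS Auditing'
#     Id = 1200..1207; StartTime = (Get-Date).AddHours(-24) }
# Find-AdfsCredentialFailureBursts -Events $live
```

With the constructed data the burst detector reports the 09:00 hour (25 failures against 2 successes) and stays silent for 08:00. The comparison of 1203 against 1202, rather than counting 1203 alone, matters because a busy farm produces a steady trickle of mistyped passwords; it is the ratio that separates normal noise from an attack.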
© 2017 Microsoft