Friday, August 12, 2016

ADFS : Getting the IIS logs and event logs for ADFS 3.0

This applies to ADFS on Server 2012 R2 and later (ADFS 3.0 onwards). In those versions ADFS no longer runs under IIS but directly on HTTP.SYS, so there is no IIS log directory to go looking in; the request log has to come from somewhere else.

So there was a question over on the ADFS forum around looking at the IIS logs and @Pierre replied:

Every access generates logs as long as you enabled the audit. So the information is still there, just in a different format.

Just an example:
Get-WinEvent -FilterHashtable @{LogName="Security";ID=403} | 
%{ $_.Properties.Value -join " " }

And here is the example of output:

00000000-0000-0000-9758-0080000000b3 2016-08-11 15:32:58 10.0.0.7 GET /adfs/Proxy/GetConfiguration - 443 10.0.0.6 - 0 - - - False -
00000000-0000-0000-662e-0080000000e1 2016-08-11 15:32:36 10.0.0.7 GET /adfs/Proxy/webapplicationproxy/store ?api-version=1 443 10.0.0.6 - 0 - - - False -
00000000-0000-0000-652e-0080000000e1 2016-08-11 15:32:06 10.0.0.7 GET /adfs/Proxy/webapplication
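The joined string above is handy, but it is still a flat line. The following is an added example (mine, not Pierre's and not from the original post) that turns the same event 403 records into objects with named fields so you can filter them the way you would an IIS log. The field order is an assumption taken from the event 403 message template as I know it (Activity ID, Date/Time, Client IP, HTTP Method, URL, Query, Local Port, Local IP, User Agent, Content Length, Caller Identity, Certificate Identity, Target Relying Party, Through Proxy, Proxy DNS name); it lines up with the 15 values in the sample output, but check it against the Message text of a real 403 event before trusting the names. It also assumes ADFS auditing is enabled, as the reply says, and that the Security log provider name is `AD FS Auditing`.

```powershell
# Added example: parse AD FS audit event 403 ("An HTTP request was received")
# into objects with named fields. Not code from the original post.
# ASSUMPTION: property order follows the event 403 message template listed in
# the lead-in. Verify against a real event's Message text on your farm.

function ConvertFrom-AdfsHttpAudit {
    [CmdletBinding()]
    param(
        # Accepts EventLogRecord objects from Get-WinEvent, or any object that
        # exposes .TimeCreated, .RecordId and a .Properties collection with .Value
        [Parameter(ValueFromPipeline)] [object]$Event
    )
    process {
        $v = @($Event.Properties.Value)
        if ($v.Count -lt 15) {
            Write-Warning "Record $($Event.RecordId): expected 15 properties, got $($v.Count); skipping"
            return
        }
        [pscustomobject]@{
            TimeCreated   = $Event.TimeCreated
            ActivityId    = $v[0]
            ClientIP      = $v[2]
            Method        = $v[3]
            Path          = $v[4]
            Query         = $v[5]
            LocalPort     = [int]$v[6]
            LocalIP       = $v[7]
            UserAgent     = $v[8]
            ContentLength = $v[9]
            Caller        = $v[10]
            RelyingParty  = $v[12]
            ThroughProxy  = ($v[13] -eq 'True')   # '-' or anything else counts as not via proxy
            ProxyDnsName  = $v[14]
        }
    }
}

# Constructed sample (values copied from the first record above) so the parser
# can be exercised on a workstation without an AD FS server.
$sample = [pscustomobject]@{
    TimeCreated = Get-Date '2016-08-11 15:32:58'
    RecordId    = 1
    Properties  = @('00000000-0000-0000-9758-0080000000b3', '2016-08-11 15:32:58',
                    '10.0.0.7', 'GET', '/adfs/Proxy/GetConfiguration', '-', '443',
                    '10.0.0.6', '-', '0', '-', '-', '-', 'False', '-') |
                  ForEach-Object { [pscustomobject]@{ Value = $_ } }
}
$sample | ConvertFrom-AdfsHttpAudit | Format-List

# On the AD FS server: last 24 hours of request audits from the Security log.
# ASSUMPTION: the provider shows up as 'AD FS Auditing'; drop the ProviderName
# key if your events use a different source name.
$requests = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    Id           = 403
    StartTime    = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue | ConvertFrom-AdfsHttpAudit

# The IIS-log style questions: who hits the passive sign-in endpoint, and how often?
$requests | Where-Object Path -like '/adfs/ls*' |
    Group-Object ClientIP | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# Requests that reached the farm without passing through the Web Application Proxy
$requests | Where-Object { -not $_.ThroughProxy } |
    Select-Object TimeCreated, ClientIP, Method, Path, Query
```

Note that in the sample record the first address (10.0.0.7) is the client IP and the second (10.0.0.6) is the local IP of the ADFS server, which is why a Web Application Proxy polling `/adfs/Proxy/...` shows up as the client. `-ErrorAction SilentlyContinue` is there because `Get-WinEvent` throws a terminating "No events were found" error rather than returning nothing when the filter matches no records.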

But that got me wondering about Get-WinEvent. What else can you do with it?

What logs are there?

PS C:\> Get-WinEvent -ListLog *

LogMode   MaximumSizeInBytes RecordCount LogName
-------   ------------------ ----------- -------
Circular             1052672         180 Active Directory Web Services
Circular            20971520       20503 Application
Circular            15532032         147 DFS Replication
Circular             1052672        1825 Directory Service
Circular           104857600         237 DNS Server
Circular            20971520           0 HardwareEvents
Circular             1052672           0 Internet Explorer
Circular            20971520           0 Key Management Service
Circular           134217728      198680 Security
Circular            20971520       30088 System
Circular             1052672           0 Windows Azure
Circular            15728640       15575 Windows PowerShell
Circular            52428800        1830 AD FS/Admin
Circular            52428800           0 DRS/Admin

... 

Hang ten! There's an ADFS log!

PS C:\> Get-WinEvent -LogName "AD FS/Admin"

   ProviderName: AD FS

TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
8/11/2016 10:45:47 PM          415 Warning          The SSL certificate does not contain all UPN suffix values that ...
8/11/2016 10:13:19 PM          364 Error            Encountered error during federation passive request. ...
8/11/2016 10:11:57 PM          364 Error            Encountered error during federation passive request. ...
8/11/2016 10:09:22 PM          364 Error            Encountered error during federation passive request. ...
8/11/2016 9:53:13 PM           364 Error            Encountered error during federation passive request. ...


That lists every event in the log. Most of the time I only want the Message column for the most recent events (say the top 10), and I don't want it truncated. This leads to:

PS C:\> Get-WinEvent -LogName "AD FS/Admin" | Select-Object Message -First 10 | Out-String -Width 600

Message
-------
The SSL certificate does not contain all UPN suffix values that exist in the enterprise.  Users with UPN suffix values not represented in the certificate will not be able to Workplace-Join their devices.  For more information, see http://go.microsoft.com/fwlink/?LinkId=311954.
Encountered error during federation passive request. ...
Encountered error during federation passive request. ...

...

This is the same information that Event Viewer shows under Applications and Services Logs > AD FS > Admin on the ADFS server.
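Piping the whole log through `Select-Object` works, but `Get-WinEvent` can do the filtering itself through `-FilterHashtable`, which matters once the Admin log has tens of thousands of records. The block below is an added example (not from the original post) of the same query with the event log service doing the work: errors only, a time window, a specific ID, and the full Message text with nothing truncated. The event IDs 364 and 415 are the ones in the listing above; the function name and its parameters are mine.

```powershell
# Added example: query AD FS/Admin with -FilterHashtable instead of pulling
# every record and filtering in PowerShell. Not code from the original post.

function Get-AdfsAdminEvent {
    param(
        [int[]]$Id,                                   # e.g. 364 (federation passive request error), 415 (SSL cert UPN warning)
        [int]$Level = 2,                              # 1 = Critical, 2 = Error, 3 = Warning, 4 = Information
        [datetime]$Since = (Get-Date).AddDays(-1),
        [int]$Max = 10
    )
    $filter = @{ LogName = 'AD FS/Admin'; Level = $Level; StartTime = $Since }
    if ($Id) { $filter['Id'] = $Id }                  # Id is optional; the other keys always apply
    # -ErrorAction SilentlyContinue: Get-WinEvent throws when nothing matches
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue
}

# Which errors happened in the last day, and how many of each
Get-AdfsAdminEvent -Level 2 -Max 1000 |
    Group-Object Id | Sort-Object Count -Descending |
    Select-Object Count, Name

# The ten newest 364 errors, one per line: timestamp plus the first line of the message
Get-AdfsAdminEvent -Id 364 |
    ForEach-Object {
        '{0:u}  {1}' -f $_.TimeCreated, ($_.Message -split "`r?`n")[0]
    }

# The complete, untruncated text of the single newest 364 error
Get-AdfsAdminEvent -Id 364 -Max 1 | Format-List TimeCreated, Id, Message

# Warnings from the last week instead (the 415 certificate warning shows up here)
Get-AdfsAdminEvent -Level 3 -Since (Get-Date).AddDays(-7) -Max 50 |
    Select-Object TimeCreated, Id, Message | Format-List
```

The first line of a 364 message is the short summary; the rest of the Message is the exception detail (relying party, the failing protocol step and the stack), which is why the last two queries use `Format-List` rather than a table.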

Enjoy!
