How to enable Active Directory Federation Services auditing

Most organizations have users that need to use on-premises applications as well as third-party cloud applications. ADFS makes this easier by integrating the authentication process between Active Directory and those applications. With ADFS, users sign in once with their Active Directory credentials and are signed in to all the other applications for a specific period of time. This also means that if a malicious user gets hold of just a single set of credentials, the whole network and the third-party applications are at risk. Therefore, ADFS has to be constantly and thoroughly audited. Using native AD tools, this task becomes complicated, as an admin has to go through numerous logs to find any entry that might be a cause for concern.

ADAudit Plus, on the other hand, makes this task a lot easier. It is a real-time Active Directory auditing and reporting tool with a dedicated section for ADFS auditing. It audits ADFS logons, extranet lockouts, and so on, and alerts admins in real time if it detects anything suspicious.

Here is a comparison of the auditing process using native AD tools and ADAudit Plus. Enabling Audit Policy is the first step in the process and is common to both methods.

Step 1: Enable Audit Policy
  • Open Server Manager on your Windows server.
  • Under the Manage tab, click on Group Policy Management to open the Group Policy Management Console.
  • Navigate to Forest > Domain > Your Domain > Domain Controllers.
  • You can choose to either edit an existing Group Policy Object or create a new one.
  • In the Group Policy Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration.
  • Expand the node and navigate to Audit Policy > Object Access, then configure Audit Application Generated. Enable it for both Success and Failure.

Step 2: Configure auditing for ADFS in the ADFS Management snap-in
  • To open the ADFS Management snap-in, navigate to Programs > Administrative Tools > ADFS Management.
  • Click on Actions and then select Edit Federation Service Properties.
  • In the dialog box that opens, click on the Events tab and enable both Success audits and Failure audits.

In ADAudit Plus
  • ADAudit Plus can perform auditing efficiently by generating multiple reports on ADFS. To access them, open the ADAudit Plus console, find the Reports tab at the top and navigate to ADFS Auditing. Here you can generate multiple reports on ADFS, such as Logon Success, Logon Failures, and so on. Here is a sample report:

  [Screenshot: ADAudit Plus ADFS Logon Success report]

In native AD
Step 3: Use Event Viewer to find the events associated with ADFS
  • Event Viewer records all the events connected to the objects in Active Directory that have been enabled for auditing, each with a unique event ID.

    To view the events, open Windows Event Viewer, navigate to Windows Logs > Security and look for event IDs 1200 (Application Token Success), 1201 (Application Token Failure), 1202 (Fresh Credential Validation Success), 1203 (Fresh Credential Validation Error), 1204 (Password Change Request Success), 1205 (Password Change Request Error), 1206 (Sign Out Success) and 1207 (Sign Out Failure).
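The three native steps above, scripted and verified from the command line. This is an added example, not ADAudit Plus code or anything from the original page; it assumes an elevated PowerShell prompt on the AD FS server itself, Windows Server 2016 or later (where the ADFS module's Set-AdfsProperties -AuditLevel exists), and that the audit events land in the local Security log. The event names are the ones listed in Step 3.

```powershell
# Added example: enable AD FS auditing from the command line and read back the events
# described above. Assumes an elevated prompt on the AD FS server (Windows Server 2016+).

# Step 1 equivalent: the "Audit Application Generated" subcategory, Success and Failure.
# A GPO applied to the server does the same; auditpol /get is the check that the
# policy actually took effect on this machine.
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable
auditpol.exe /get /subcategory:"Application Generated"

# Step 2 equivalent: Success and Failure audits in the Federation Service properties.
# AuditLevel Verbose (2016+) is what makes the detailed 1200-series events appear.
Import-Module ADFS
Set-AdfsProperties -LogLevel @('Errors','Warnings','Information','SuccessAudits','FailureAudits')
Set-AdfsProperties -AuditLevel Verbose
Get-AdfsProperties | Select-Object LogLevel, AuditLevel

# Step 3 equivalent: the last 24 hours of AD FS audit events from the Security log,
# summarised by event ID using the names listed above.
$names = @{
    1200 = 'Application Token Success';          1201 = 'Application Token Failure'
    1202 = 'Fresh Credential Validation Success'; 1203 = 'Fresh Credential Validation Error'
    1204 = 'Password Change Request Success';    1205 = 'Password Change Request Error'
    1206 = 'Sign Out Success';                   1207 = 'Sign Out Failure'
}
$filter = @{
    LogName   = 'Security'
    Id        = [int[]]$names.Keys
    StartTime = (Get-Date).AddHours(-24)
}
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$events |
    Group-Object Id |
    Sort-Object { [int]$_.Name } |
    ForEach-Object {
        [pscustomobject]@{
            EventId = [int]$_.Name
            Meaning = $names[[int]$_.Name]
            Count   = $_.Count
        }
    } | Format-Table -AutoSize

# Failure events (1201, 1203, 1205, 1207) are the ones to review first; the message
# text carries the user and client details needed to decide whether each is benign.
$events | Where-Object { $_.Id -in 1201, 1203, 1205, 1207 } |
    Select-Object TimeCreated, Id, Message -First 20 | Format-List
```

If Get-WinEvent returns nothing shortly after enabling, generate a test sign-in and confirm that auditpol /get shows both Success and Failure before assuming the AD FS settings are at fault.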
