
Configuring ADFS Servers for Auditing User Logon Events

Published on Mar 5, 2013

Below is the information needed for auditing success and failure logon events in an ADFS server farm. (Check out our Identity Cloud Solutions for additional consulting help.)

Configure ADFS Event Logging

You can configure event logging on federation servers, federation server proxies, and Web servers. ADFS events are logged in the Application event log and the Security event log.

Important

You must turn on audit object access at each of the federation servers for ADFS-related audits to appear in the Security log. This will allow the Federation Service to log either success or failure errors. For more information about how to turn on audit object access, see Audit object access (https://go.microsoft.com/fwlink/?LinkId=62686).

Default Events for Claims-aware Applications on a Web Server

You will notice the following event if the ADFS Web server is able to retrieve ADFS trust information successfully from the Federation Service.

Event Type:
Event Source:
Event Category:
Event ID: 621
Date: 11/10/2005
Time: 4:09:26 PM
User: N/A
Computer:
Description:
The ADFS Web Agent for claims-aware applications successfully retrieved trust information from the Federation Service.
GUID: d977fee6-175b-4532-bc24-5ac54d137d57
Version: 17
Federation Service Uniform Resource Locator (URL): https://adfsresource.treyresearch.net/adfs/fs/federationserverservice.asmx
Federation Service Uniform Resource Identifier (URI): urn:federation
Federation Service Endpoint URL: https://adfsresource.treyresearch.net/adfs/ls/
Federation Service Domain Account: TREYRESEARCH0ADFSRESOURCE$

You will also see the following event in the Security log.

Event Type: Audit
Event Source: ASP.NET Module Auditor
Event Category: Access
Event ID: 560
Date: 11/10/2005
Time: 4:10:11 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer:
Description:
The client presented a valid inbound token as evidence.
Token ID: _ad5a3694-860d-4063-95a3-3b0163fad3ca
Identity: [email protected]
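As an added example (not part of the original post and not Microsoft tooling), the Python below pulls the Identity and Token ID out of event 560 descriptions like the one above and groups them per user for logon review. The records are constructed samples and the tuple layout and function names are assumptions; the source filter is there because Windows Server 2003 also writes object-open audits to the Security log under event ID 560.

```python
from collections import defaultdict

# Constructed sample records (not real log data), shaped like the events above:
# (source, event_id, time, description).
SAMPLE_EVENTS = [
    ("ASP.NET Module Auditor", 560, "4:10:11 PM",
     "The client presented a valid inbound token as evidence.\n"
     "Token ID: _constructed-token-0001\nIdentity: alice@example.test"),
    ("ASP.NET Module Auditor", 560, "4:12:40 PM",
     "The client presented a valid inbound token as evidence.\n"
     "Token ID: _constructed-token-0002\nIdentity: bob@example.test"),
    ("ASP.NET Module Auditor", 560, "4:15:02 PM",
     "The client presented a valid inbound token as evidence.\n"
     "Token ID: _constructed-token-0003\nIdentity: alice@example.test"),
    # Windows Server 2003 also logs ID 560 for object-open audits, so the
    # event ID alone does not identify an ADFS token audit.
    ("Security", 560, "4:15:03 PM", "Object Open:\nObject Type: File"),
]

AUDIT_SOURCE = "ASP.NET Module Auditor"  # source name as shown in the sample event


def parse_description(text):
    """Split a description into its message text and its 'Name: value' fields."""
    message, fields = [], {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip():
            fields[name.strip()] = value.strip()
        elif line.strip():
            message.append(line.strip())
    return " ".join(message), fields


def token_logons(events):
    """Map each Identity to the (time, token ID) pairs of its audited tokens."""
    logons = defaultdict(list)
    for source, event_id, time, description in events:
        if event_id != 560 or not source.endswith(AUDIT_SOURCE):
            continue  # not an ADFS web agent token audit
        _message, fields = parse_description(description)
        if "Identity" in fields:
            logons[fields["Identity"]].append((time, fields.get("Token ID")))
    return dict(logons)


if __name__ == "__main__":
    for identity, entries in token_logons(SAMPLE_EVENTS).items():
        print(identity, entries)
```

The same `parse_description` helper also splits the event 621 description into its Version and Federation Service URL fields, since those use the same "Name: value" layout.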

Read more: https://technet.microsoft.com/en-us/library/cc738766(v=WS.10).aspx

Please check us out for your Managed Service or Cloud Consulting needs.

This post has matured and its content may no longer be relevant beyond historical reference. To see the most current information on a given topic, click on the associated category or tag.
