Jorge's Quest For Knowledge!

All about Windows Server, ADDS, ADFS & FIM (It Is Just Like An Addiction, The More You Have, The More You Want To Have!)

(2013-07-08) Enabling Auditing Of Issued Claims In ADFS v1.0 and ADFS v1.1

Posted by Jorge on 2013-07-08


As an Identity Provider (IdP) and/or as a Service Provider (SP) you might need to be able to audit the issued claims in security tokens. This might be especially true if you are the SP that both owns the application and the data within the application and you have federation trusts setup with business partners.

-

If you are still using ADFS v1.x and need to enable auditing of issued claims, you can do so by performing the following steps:

  • In the ADFS Trust Policy, enable the following event levels: Success Audit, Failure Audit, Detailed Success, Detailed Failure
  • The account that is used by the ADFS application pool must have the “Generate Security Audits” user right on every ADFS v1.x STS server. This can be achieved through:
    • Configuring the user right mentioned within the local security policy of each ADFS v1.x STS server
      OR
    • Configuring the user right mentioned within a GPO, linking that GPO to the OU that contains the computer account of each ADFS v1.x STS server, and making sure that it only applies to the ADFS v1.x STS servers through either group filtering or WMI filtering
  • At a minimum you must enable successes and failures for the subcategory “Application Generated” within the category “Object Access”. This can be achieved by:
    • Issuing the following command on each ADFS v1.x STS server: AUDITPOL /SET /SUBCATEGORY:"Application Generated" /FAILURE:ENABLE /SUCCESS:ENABLE
      (This applies only to W2K8 and higher)
      OR
    • Configuring the main category “Object Access” to be enabled for successes and failures within a GPO, linking that GPO to the OU that contains the computer account of each ADFS v1.x STS server, and making sure that it only applies to the ADFS v1.x STS servers through either group filtering or WMI filtering. (Within GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit Object Access)
      (This applies only to W2K3 and W2K8)
    • Configuring the subcategory “Application Generated” within the main category “Object Access” to be enabled for successes and failures within a GPO, linking that GPO to the OU that contains the computer account of each ADFS v1.x STS server, and making sure that it only applies to the ADFS v1.x STS servers through either group filtering or WMI filtering. (Within GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Application Generated)
      (This applies only to W2K8 R2)
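The two server-side prerequisites above (the user right for the application pool account and the "Application Generated" audit subcategory) are easy to get wrong on one STS server in a farm, so the script below verifies both on the server it runs on. It is an added example, not code from the original post: it assumes it is run elevated on a W2K8-or-later STS server where auditpol.exe is available, that the user right "Generate security audits" corresponds to the privilege constant SeAuditPrivilege as exported by secedit.exe, and that $AppPoolAccount is replaced with the real ADFS application pool identity (the value shown is a placeholder). The optional -Fix switch runs the same AUDITPOL command given in the post.

```powershell
# Added verification script for the ADFS v1.x claims-auditing prerequisites (not from the original post).
# Assumptions: elevated PowerShell on a W2K8+ STS server; $AppPoolAccount is a placeholder to replace.
param(
    [string]$AppPoolAccount = 'CONTOSO\svc_adfs',   # placeholder: the ADFS application pool identity
    [switch]$Fix                                   # also apply the AUDITPOL /SET command from the post
)

function Test-ApplicationGeneratedAudit {
    # auditpol /get prints a table; the subcategory row ends with "Success and Failure" when both are on
    $out = & auditpol.exe /get /subcategory:"Application Generated" 2>&1
    $row = $out | Where-Object { $_ -match 'Application Generated' }
    if (-not $row) { return $false }
    return [bool]($row -match 'Success and Failure')
}

function Test-GenerateSecurityAuditsRight {
    param([string]$Account)
    # secedit exports the effective local security database, including GPO-applied user rights.
    # SIDs in the SeAuditPrivilege line are prefixed with '*'; unresolvable entries appear as names.
    $tmp = Join-Path $env:TEMP 'userrights-check.inf'
    & secedit.exe /export /cfg $tmp /areas USER_RIGHTS | Out-Null
    $line = Get-Content $tmp | Where-Object { $_ -like 'SeAuditPrivilege*' }
    Remove-Item $tmp -ErrorAction SilentlyContinue
    if (-not $line) { return $false }
    # Translating a domain account to its SID needs a reachable domain controller
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    $entries = (($line -split '=', 2)[1]).Trim() -split ','
    return ($entries -contains "*$sid") -or ($entries -contains $Account)
}

if ($Fix) {
    # Same command the post gives; applies to W2K8 and higher only
    & auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable | Out-Null
}

$results = [ordered]@{
    '"Application Generated" audits success + failure' = Test-ApplicationGeneratedAudit
    "$AppPoolAccount holds 'Generate security audits'"  = Test-GenerateSecurityAuditsRight -Account $AppPoolAccount
}
$results.GetEnumerator() | ForEach-Object { '{0,-55} {1}' -f $_.Key, $_.Value }
# A False in the second line means the user right was not granted (locally or via GPO) on this server;
# run the script on every ADFS v1.x STS server in the farm, not just one.
```

Note that the user right check only confirms the privilege is assigned; the application pool account still has to be the identity the ADFS application pool actually runs as, which is configured in IIS, and a GPO that grants the right but does not apply to the server (wrong OU, or excluded by group/WMI filtering) will show up here as False.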

-

All the auditing events regarding the claims issued can be found in the Security Event Log. If you expect a high churn of all kinds of auditing events in the Security Event Log, you might need to centrally consolidate/store those events using a tool that is able to collect such information.

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge ############### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————
