Jorge's Quest For Knowledge!

All about Windows Server, ADDS, ADFS & FIM (It Is Just Like An Addiction, The More You Have, The More You Want To Have!)

(2013-07-08) Enabling Auditing Of Issued Claims In ADFS v2.x and ADFS v3.x

Posted by Jorge on 2013-07-08


As an Identity Provider (IdP) and/or as a Service Provider (SP) you might need to be able to audit the issued claims in security tokens. This might be especially true if you are the SP that both owns the application and the data within the application and you have federation trusts setup with business partners.

-

If you are using ADFS v2.x or ADFS v3.x and you need to enable the auditing of issued claims you can do that by performing the following steps:

  • In the ADFS Federation Service Properties enable the following event levels: Success Audits, Failure Audits. This can be achieved through:
    (By default ADFS v2.x or ADFS v3.x only records error, warning and informational events)
    • Using the ADFS MMC on the (primary) ADFS v2.x/v3.x STS server to configure the logged events
      image    image
      Figure 1: The Default Federation Service Event Recording                          Figure 2: A Custom Federation Service Event Recording (Through GUI)
      -

      OR
    • Issuing the following PowerShell commands on the (primary) ADFS v2.x/v3.x STS server (this PowerShell takes the current auditing configuration into account!):
      • For ADFS v2.0: Add-PSSnapin Microsoft.ADFS.Powershel
      • For ADFS v2.1: Import-Module ADFS
      • For ADFS v3.x: Import-Module ADFS
      • Set-ADFSProperties -LogLevel $((Get-ADFSProperties).LogLevel + "SuccessAudits" + "FailureAudits")
        image
        Figure 3: A Custom Federation Service Event Recording (Through PowerShell)
        -
  • The account that is used in the ADFS application pool must have the “Generated Security Audits” user right on every ADFS v2.x/v3.x STS server. This can be achieved through:
    • Configuring the user right mentioned within the local security policy of each ADFS v2.x/v3.x STS server
      OR
    • Configuring the user right mentioned within a GPO, link that GPO to the OU that contains the computer account of each ADFS v2.x/v3.x STS server and make sure that it only applies to the ADFS v2.x/v3.x STS servers through either group filtering or WMI filtering
  • At a minimum you must enable successes and failures for the subcategory  “Application Generated” within the category “Object Access”. This can be achieved by:
    • Issuing the following command on each ADFS v2.x/v3.x STS server:
      (This applies only to W2K8 and higher)
      • TO ENABLE: AUDITPOL /SET /SUBCATEGORY:"Application Generated" /FAILURE:ENABLE /SUCCESS:ENABLE
      • TO DISABLE: AUDITPOL /SET /SUBCATEGORY:"Application Generated" /FAILURE:DISABLE /SUCCESS:DISABLE
      • TO CHECK STATUS: AUDITPOL /GET /SUBCATEGORY:"Application Generated"
        OR
    • Configuring the main category “Object Access” to be enabled for successes and failures within a GPO, link that GPO to the OU that contains the computer account of each ADFS v2.0 STS server and make sure that it only applies to the ADFS v2.0 STS servers through either group filtering or WMI filtering. (Within GPO: Within GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit Object Access)
      (This applies only W2K8)
      OR
    • Configuring the subcategory “Application Generated” within the main category “Object Access” to be enabled for successes and failures within a GPO, link that GPO to the OU that contains the computer account of each ADFS v2.x/v3.x STS server and make sure that it only applies to the ADFS v2.x/v3.x STS servers through either group filtering or WMI filtering. (Within GPO:  Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Application Generated)
      (This applies only W2K8 R2 and higher)

-

All the auditing events with regards to the claims issued can be found in the Security Event Log. If you expect a high churn of all kinds of auditing events in the security event log, you might need to centrally consolidate/store those events using a tool that is able to collect such information.

-

To get the events through PowerShell I used the following script:

$adfsSecurityEventDate = Get-Date "05-Jul-2013 20:17:02" -format "yyyy-MM-ddTHH:mm:ss.000000000Z" $adfsServer = "RFSRWDC1.ADCORP.LAB" $eventLogName = "Security" $eventFilter = "*[System/TimeCreated[@SystemTime > '" + $adfsSecurityEventDate + "']]" $adfsRelatedEvents = Get-WinEvent -ComputerName $adfsServer -LogName $eventLogName -FilterXPath $eventFilter $adfsRelatedEvents | ?{$_.Id -eq "299" -Or $_.Id -eq "500" -Or $_.Id -eq "501"} | FL Id, MachineName, LogName, TimeCreated, Message

-

When auditing is enabled an EXAMPLE of what can be auditing is shown below in the pictures.

ALL of the following events show all the claims AFTER processing the “Acceptance Transform Rules” configured on the Claims Provider Trust from where the identity, and therefore the claims, originated. The claims in the security token depend on the configured claims rules on the Claims Provider Trust.

image

Figure 4: The Federation Service Notifying A Security Token Was Issued For The ADFS STS Itself After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 5: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 6: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 7: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 8: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 9: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 10: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 11: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 12: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 13: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 14: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 15: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 16: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 17: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 18: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 19: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 20: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 21: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 22: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 23: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 24: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 25: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 26: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 27: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 28: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 29: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 30: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 31: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 32: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 33: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 34: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

image

Figure 35: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

-

ALL of the following events show all the claims AFTER processing the “Issuance Transform Rules” configured on the Relying Party. The claims in the security token depend on the configured claims rules on the Relying Party Trust

image

Figure 36: The Federation Service Notifying A Security Token Was Issued For The Relying Party After Processing The Issuance Transform Rules On The Relying Party Trust

-

image

Figure 37: The List Of Claims In The Security Token After Processing The Issuance Transform Rules On The Relying Party Trust

-

image

Figure 38: The List Of Claims In The Security Token After Processing The Issuance Transform Rules On The Relying Party Trust

-

image

Figure 39: The List Of Claims In The Security Token After Processing The Issuance Transform Rules On The Relying Party Trust

-

image

Figure 40: The List Of Claims In The Security Token After Processing The Issuance Transform Rules On The Relying Party Trust

-

image

Figure 41: The List Of Claims In The Security Token After Processing The Issuance Transform Rules On The Relying Party Trust

-

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: http://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

One Response to “(2013-07-08) Enabling Auditing Of Issued Claims In ADFS v2.x and ADFS v3.x”

  1. […] (Event Viewer –> Windows Logs) you will see something similar if you have auditing configured (see this blog post) (it may look different if you have more claims rules being processed in the Acceptance Transform […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: