Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!


(2013-07-08) Enabling Auditing Of Issued Claims In ADFS v2.x and ADFS v3.x

Posted by Jorge on 2013-07-08


As an Identity Provider (IdP) and/or as a Service Provider (SP) you might need to be able to audit the claims issued in security tokens. This is especially true if you are the SP that owns both the application and the data within it, and you have federation trusts set up with business partners.

If you are using ADFS v2.x or ADFS v3.x and you need to enable the auditing of issued claims, you can do so by performing the following steps:

  • In the ADFS Federation Service Properties enable the following event levels: Success Audits, Failure Audits. (By default ADFS v2.x and ADFS v3.x only record error, warning and informational events.) This can be achieved through:
    • Using the ADFS MMC on the (primary) ADFS v2.x/v3.x STS server to configure the logged events
      Figure 1: The Default Federation Service Event Recording
      Figure 2: A Custom Federation Service Event Recording (Through GUI)

      OR
    • Issuing the following PowerShell commands on the (primary) ADFS v2.x/v3.x STS server (this PowerShell takes the current auditing configuration into account, it appends the two audit levels rather than replacing the existing ones!):
      • For ADFS v2.0: Add-PSSnapin Microsoft.Adfs.PowerShell
      • For ADFS v2.1: Import-Module ADFS
      • For ADFS v3.x: Import-Module ADFS
      • Set-ADFSProperties -LogLevel $((Get-ADFSProperties).LogLevel + "SuccessAudits" + "FailureAudits")
        Figure 3: A Custom Federation Service Event Recording (Through PowerShell)
  • The account that is used by the ADFS application pool must have the “Generate security audits” user right (SeAuditPrivilege) on every ADFS v2.x/v3.x STS server. This can be achieved through:
    • Configuring the user right mentioned within the local security policy of each ADFS v2.x/v3.x STS server
      OR
    • Configuring the user right mentioned within a GPO, link that GPO to the OU that contains the computer account of each ADFS v2.x/v3.x STS server and make sure that it only applies to the ADFS v2.x/v3.x STS servers through either group filtering or WMI filtering
  • At a minimum you must enable successes and failures for the subcategory “Application Generated” within the category “Object Access”. This can be achieved by:
    • Issuing the following command on each ADFS v2.x/v3.x STS server:
      (This applies only to W2K8 and higher)
      • TO ENABLE: AUDITPOL /SET /SUBCATEGORY:"Application Generated" /FAILURE:ENABLE /SUCCESS:ENABLE
      • TO DISABLE: AUDITPOL /SET /SUBCATEGORY:"Application Generated" /FAILURE:DISABLE /SUCCESS:DISABLE
      • TO CHECK STATUS: AUDITPOL /GET /SUBCATEGORY:"Application Generated"
      OR
    • Configuring the main category “Object Access” to be enabled for successes and failures within a GPO, link that GPO to the OU that contains the computer account of each ADFS v2.0 STS server and make sure that it only applies to the ADFS v2.0 STS servers through either group filtering or WMI filtering. (Within GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit Object Access)
      (This applies only to W2K8)
      OR
    • Configuring the subcategory “Application Generated” within the main category “Object Access” to be enabled for successes and failures within a GPO, link that GPO to the OU that contains the computer account of each ADFS v2.x/v3.x STS server and make sure that it only applies to the ADFS v2.x/v3.x STS servers through either group filtering or WMI filtering. (Within GPO: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Application Generated)
      (This applies only to W2K8 R2 and higher)
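The three prerequisites above can be verified in one pass on each STS server with the following script. It is an added example and not part of the original post; it assumes ADFS v2.1/v3.x (Import-Module ADFS), that the federation service runs as the Windows service adfssrv, and that the user right is granted to the service account directly rather than through a group.

```powershell
# Added example: verify the three auditing prerequisites on an ADFS STS server.
# Assumes ADFS v2.1/v3.x (Import-Module ADFS) and that the federation service
# runs as the Windows service 'adfssrv'. Run from an elevated PowerShell session
# (secedit and auditpol need administrative rights).
Import-Module ADFS

$result = [ordered]@{}

# 1. Federation Service event levels must include both audit levels.
$logLevel = (Get-AdfsProperties).LogLevel
$result.SuccessAudits = $logLevel -contains 'SuccessAudits'
$result.FailureAudits = $logLevel -contains 'FailureAudits'

# 2. The service account needs 'Generate security audits' (SeAuditPrivilege).
#    secedit exports the assignment as one line of SIDs, e.g.
#    SeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-...
$svcAccount = (Get-WmiObject Win32_Service -Filter "Name='adfssrv'").StartName
$svcSid = (New-Object System.Security.Principal.NTAccount($svcAccount)).Translate(
             [System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$auditLine = Select-String -Path $cfg -Pattern '^SeAuditPrivilege' | Select-Object -First 1
Remove-Item $cfg -ErrorAction SilentlyContinue
# Only the account's own SID is matched; a right inherited via group membership
# is not detected by this check.
$result.GenerateSecurityAudits = [bool]($auditLine -and
    $auditLine.Line -match [regex]::Escape($svcSid))

# 3. 'Object Access\Application Generated' must audit successes and failures.
#    auditpol /r returns CSV with an 'Inclusion Setting' column.
$auditpol = auditpol /get /subcategory:"Application Generated" /r |
    Where-Object { $_ -ne '' } | ConvertFrom-Csv
$setting = $auditpol | Select-Object -First 1 -ExpandProperty 'Inclusion Setting'
$result.ApplicationGenerated = ($setting -eq 'Success and Failure')

# One row per prerequisite; any $false points at the step that is still missing.
[pscustomobject]$result
```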

All the auditing events with regards to the claims issued can be found in the Security Event Log. If you expect a high churn of all kinds of auditing events in the security event log, you might need to centrally consolidate/store those events using a tool that is able to collect such information.

To get the events through PowerShell I used the following script:

  # Only consider events created after this timestamp
  $adfsSecurityEventDate = Get-Date "05-Jul-2013 20:17:02" -format "yyyy-MM-ddTHH:mm:ss.000000000Z"
  $adfsServer = "RFSRWDC1.ADCORP.LAB"
  $eventLogName = "Security"
  # XPath filter on the event creation time, evaluated by the event log service
  $eventFilter = "*[System/TimeCreated[@SystemTime > '" + $adfsSecurityEventDate + "']]"
  $adfsRelatedEvents = Get-WinEvent -ComputerName $adfsServer -LogName $eventLogName -FilterXPath $eventFilter
  # Keep only the token-issued (299) and claim-detail (500/501) events
  $adfsRelatedEvents | ?{$_.Id -eq "299" -Or $_.Id -eq "500" -Or $_.Id -eq "501"} | FL Id, MachineName, LogName, TimeCreated, Message

When auditing is enabled, an EXAMPLE of what can be audited is shown below in the pictures.

ALL of the following events show all the claims AFTER processing the “Acceptance Transform Rules” configured on the Claims Provider Trust from where the identity, and therefore the claims, originated. The claims in the security token depend on the configured claims rules on the Claims Provider Trust.

Figure 4: The Federation Service Notifying A Security Token Was Issued For The ADFS STS Itself After Processing The Acceptance Transform Rules On The Claims Provider Trust

Figures 5 to 35: The List Of Claims In The Security Token After Processing The Acceptance Transform Rules On The Claims Provider Trust

ALL of the following events show all the claims AFTER processing the “Issuance Transform Rules” configured on the Relying Party Trust. The claims in the security token depend on the configured claims rules on the Relying Party Trust.

Figure 36: The Federation Service Notifying A Security Token Was Issued For The Relying Party After Processing The Issuance Transform Rules On The Relying Party Trust

Figures 37 to 41: The List Of Claims In The Security Token After Processing The Issuance Transform Rules On The Relying Party Trust

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————
