How to Enable Debug Logging for Active Directory Federation Services 2.0 (AD FS 2.0)

How to Enable Debug Logging for Active Directory Federation Services 2.0 (AD FS 2.0)

AD FS 2.0 uses Event Tracing for Windows (ETW) for debug logging.

Configure AD FS 2.0 tracing

  1. Open the following file in a text editor:

    %ProgramFiles%\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config 
     
  2. Locate the <system.diagnostics> tag. There are two types of tracing you can enable: WIF (Windows Identity Foundation) and WCF (Windows Communication Foundation).

    WIF tracing is controlled by:

    <source name="Microsoft.IdentityModel" switchValue=logging level>
    <add name="ADFSWifListener" traceOutputOptions=output options initializeData="Wif" .......>


    WCF tracing is controlled by:

    <source name="System.ServiceModel" switchValue=logging level>
    <add name="ADFSWcfListener" traceOutputOptions=output options initializeData="Wcf" .......>


    Possible values for switchValue: Verbose, Information, Warning, Error, Critical

    Possible values for traceOutputOptions: None, LogicalOperationStack, DateTime, Timestamp, ProcessId, ThreadId, Callstack

    Example of <system.diagnostics> section with verbose logging and all output options enabled:

      <system.diagnostics>
        <sources>
          <!-- To enable WIF tracing, change the switchValue below to desired trace level - Verbose, Information, Warning, Error, Critical -->
          <!-- Set TraceOutputOptions as comma separated value of the following; ProcessId ThreadId CallStack. Specify None to not include any of the optional data-->
          <!-- NOTE THAT THE CHANGES TO THIS SECTION REQUIRES SERVICE RESTART TO TAKE EFFECT -->
          <source name="Microsoft.IdentityModel" switchValue="Verbose">
            <listeners>
              <add name="ADFSWifListener"  traceOutputOptions="ProcessId,ThreadId,Callstack" initializeData="Wif" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer,Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
            </listeners>
          </source>
          <!-- To enable WCF tracing, change the switchValue below to desired trace level - Verbose, Information, Warning, Error, Critical -->
          <source name="System.ServiceModel" switchValue="Verbose" >
            <listeners>
              <add  name="ADFSWcfListener" traceOutputOptions="ProcessId,ThreadId,Callstack" initializeData="Wcf" type="Microsoft.IdentityServer.Diagnostics.ADFSTraceListener,Microsoft.IdentityServer,Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL" />
            </listeners>
          </source>
        </sources>  
        <trace autoflush="true" ></trace>
      </system.diagnostics>

  3. Run the following command from a command prompt:

    wevtutil sl “AD FS 2.0 Tracing/Debug” /L:5 
     
  4. Open Event Viewer, click the View menu and select Show Analytic and Debug Logs. This must be enabled for the AD FS 2.0 Tracing log to be visible. 
     
  5. Right-click the Debug log under AD FS 2.0 Tracing and select Enable Log
     
  6. Restart the AD FS 2.0 Windows Service service (adfssrv) either by right-clicking it in the Services MMC or running the following commands at a command prompt:

    net stop adfssrv
    net start adfssrv
Sort by: Published Date | Most Recent | Most Useful
Comments
  • On "Server 2008 R2":

    1. If you run "wevtutil ..." from a command ("cmd.exe") window, you will get:

    Too many arguments are specified. The parameter is incorrect."

    If you run it from PowerShell, however, it will work.

    2. You *MUST* have the ADFS debug log disabled *BEFORE* running the "wevtutil ..." command or you will get:

    ... The channel must first be disabled before performing the requested operation.

    So make sure you perform the steps in order, and disable the channel once you've finished collecting debug logs.

Page 1 of 1 (1 items)