ADFS 4.0 Failed Authentication Web Logs

  • Question

  • I have successfully migrated from ADFS 2.1 to 4.0, and am no longer able to find the web logs. I am aware ADFS no longer utilizes IIS, so where would one find similar web access logs?

    I am specifically looking for a way to track where failed authentication attempts are coming from. The logs provided in the Event Viewer (Event ID 364) do not provide IP information. It just gives "The user name or password is incorrect" and the associated stack trace, which does not contain any useful information for tracking the origin of the failed attempts (unless I'm just overlooking something).

    Tuesday, November 15, 2016 4:51 PM

All replies

  • Failed authentication will show up on the ADFS server itself. Event ID 1203 (as long as the Success Audit is enabled for Object Access/Application generated):

    Log Name:      Security
    Source:        AD FS Auditing
    Date:          11/15/2016 6:35:25 PM
    Event ID:      1203
    Task Category: (3)
    Level:         Information
    Keywords:      Classic,Audit Failure
    User:          AD\svs_adfs_2016$
    Computer:      adfsv4-1.ad.piaudonn.com
    Description:
    The Federation Service failed to validate a new credential. See XML for failure details.

    Activity ID: 00000000-0000-0000-3f00-0080000000c8

    Additional Data
    XML: <?xml version="1.0" encoding="utf-16"?>
    <AuditBase xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="FreshCredentialAudit">
      <AuditType>FreshCredentials</AuditType>
      <AuditResult>Failure</AuditResult>
      <FailureType>CredentialValidationError</FailureType>
      <ErrorCode>N/A</ErrorCode>
      <ContextComponents>
        <Component xsi:type="ResourceAuditComponent">
    ...
        </Component>
        <Component xsi:type="RequestAuditComponent">
          <Server>http://adfs2016.piaudonn.com/adfs/services/trust</Server>
          <AuthProtocol>SAMLP</AuthProtocol>
          <NetworkLocation>Extranet</NetworkLocation>
          <IpAddress>142.245.184.39</IpAddress>
          <ProxyServer>adfsv4-p1</ProxyServer>
          <UserAgentString>Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko</UserAgentString>
          <Endpoint>/adfs/ls/</Endpoint>
        </Component>
    ...

    The <IpAddress>142.245.184.39</IpAddress> contains the IP address.


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.


    Tuesday, November 15, 2016 6:37 PM
  • Hmm, seems closer to what we're looking for, but the Event ID 1203 does not include any UserId information. How would one correlate that with the Event ID 342, which does include the user information?
    Tuesday, November 15, 2016 7:05 PM
  • Hum, interesting... I'll check this out...

    In the meantime, you might script something like this:

    # For each Event ID 342 (bad user name or password) in the AD FS/Admin log...
    Get-WinEvent `
        -ComputerName Localhost `
        -FilterHashtable @{LogName="AD FS/Admin";ID=342} | `
            ForEach-Object `
            {
                # ...take its Activity ID, time stamp and user name...
                $correlationid = $_.ActivityId.Guid
                $time = $_.TimeCreated
                $user = $_.Properties[1].Value.Split("-")[0]
                # ...and find the AD FS Auditing event in the Security log that carries the same Activity ID.
                $list = Get-WinEvent `
                    -ComputerName Localhost `
                    -LogName Security `
                    -FilterXPath "*[System[Provider[@Name='AD FS Auditing']]] and *[ EventData[ Data and (Data='$correlationid') ] ]" `
                    -ErrorAction SilentlyContinue
                if ( $list.Count -ge 1 )
                {
                    $list | `
                        ForEach-Object `
                        {
                            # The audit XML (second event data field) holds the client IP and user agent.
                            $ip = ( [xml] $_.Properties[1].value ).GetElementsByTagName("IpAddress")."#text"
                            $uas = ( [xml] $_.Properties[1].value ).GetElementsByTagName("UserAgentString")."#text"
                            New-Object -TypeName psobject -Property @{ Id = $correlationid ; Time = $time ; UserName = $user ; IP = $ip ; UAS= $uas }
                        }
                }
            }


    Tuesday, November 15, 2016 8:36 PM
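    An added example (not Pierre's script and not Microsoft's code) that does the same 342-to-1203 correlation as a single join instead of one XPath query per event, and then answers the original question by counting failures per source IP. It assumes the first data field of a 1203 event is the Activity ID string and the second the audit XML (as the sample event above suggests), and that the account running it can read the Security log.

```powershell
# Added example, not Pierre's script. Assumes Properties[0] of a 1203 event is the
# Activity ID string and Properties[1] the audit XML, as the sample event above suggests.
param([int]$Hours = 24, [string]$ComputerName = 'localhost')
$since = (Get-Date).AddHours(-$Hours)

# Audit side (Security log, needs admin or Event Log Readers): one query, keyed by Activity ID.
$auditByActivity = @{}
Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 1203; StartTime = $since
} | ForEach-Object {
    $activityId = ([string]$_.Properties[0].Value).Trim().ToLowerInvariant()
    $xml = [xml]$_.Properties[1].Value   # RequestAuditComponent holds the fields below
    $auditByActivity[$activityId] = [pscustomobject]@{
        IP        = $xml.SelectSingleNode('//IpAddress').InnerText
        Proxy     = $xml.SelectSingleNode('//ProxyServer').InnerText
        Location  = $xml.SelectSingleNode('//NetworkLocation').InnerText
        UserAgent = $xml.SelectSingleNode('//UserAgentString').InnerText
    }
}

# Admin side: 342 carries the user name; its Activity ID is the join key to the audit row.
$joined = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'AD FS/Admin'; Id = 342; StartTime = $since
} | ForEach-Object {
    $activityId = ([string]$_.ActivityId).ToLowerInvariant()
    $audit = $auditByActivity[$activityId]
    if (-not $audit) {   # auditing not enabled, or the 1203 fell outside the time window
        $audit = [pscustomobject]@{ IP = '(no matching 1203)'; Proxy = $null; Location = $null; UserAgent = $null }
    }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        ActivityId = $activityId
        UserName   = $_.Properties[1].Value.Split('-')[0].Trim()   # same field Pierre's script reads
        IP         = $audit.IP
        Location   = $audit.Location
        Proxy      = $audit.Proxy
        UserAgent  = $audit.UserAgent
    }
}

# Where are the failures coming from? One row per source IP, busiest first.
$joined | Group-Object IP | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        IP       = $_.Name
        Failures = $_.Count
        Users    = ($_.Group.UserName | Sort-Object -Unique) -join ', '
        Location = ($_.Group.Location | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize
```

    `$joined` keeps the per-attempt rows (time, user, IP, proxy, user agent) if you want to export them to CSV or a SIEM rather than only view the per-IP summary.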
  • Azure AD Connect Health has the ability to "extract" the username from failed authentication attempts.
    But I think the agent is fetching some information from the security log as well, since auditing has to be activated/enabled for the Azure AD Connect Health agent to work properly, if I'm not mistaken.

    And it requires an Azure subscription as well.
    https://docs.microsoft.com/en-us/azure/active-directory/active-directory-aadconnect-health-adfs

    So it's similar to Pierre's solution.

    • Edited by Jorrk Tuesday, November 15, 2016 9:10 PM
    Tuesday, November 15, 2016 8:57 PM
  • Well, that works nicely! A shame that you have to play mix and match with event logs just to get some simple information though. Might be nice to put in a feature request for AD FS Management to include some centralized access logging.
    Tuesday, November 15, 2016 9:09 PM
  • As Jorrk mentioned, you might also consider leveraging AAD Connect Health. Despite the name, it really aims at monitoring on-prem ADFS servers (and WAP). It requires AAD Premium subscription (from a license perspective, it doesn't mean that you need to sync anything).

    It shows information like this for bad passwords:

    There is a lag of a few minutes, though, between the moment you have the bad attempt and the moment you see it in the portal.



    Tuesday, November 15, 2016 10:36 PM