How to determine which Relying party trusts are in use in ADFS 3.0

  • Question

  • Hello All,

    Greetings!

    I am looped into a project to decommission an ADFS 3.0 farm. An important part of this project is to identify which Relying party trusts are in use. I noticed that the 'Monitor relying party' option is not checked on any of the claim rules and hence I am not able to determine the usage of those.

    Could you please advise if there is any way to determine which Relying party trusts are in use on ADFS 3.0. I have checked the event logs but couldn't find any specific events which can reveal this info.

    Thanks in advance for your help~

    Regards

    Mayur

    Wednesday, December 20, 2017 7:57 AM

Answers

  • You have to enable the Audit log on the ADFS server to get the successful token issuance event in the log:

    1. Open Local Security Policy by opening Server Manager on the Start screen, or Server Manager in the taskbar on the desktop, then click Tools/Local Security Policy.
    2. Navigate to the Security Settings\Local Policies\User Rights Assignment folder, and then double-click Generate security audits.
    3. On the Local Security Setting tab, verify that the AD FS service account is listed. If it is not present, click Add User or Group and add it to the list, and then click OK.
    4. To enable auditing, open a command prompt with elevated privileges and run the following command: auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable.
    5. Close Local Security Policy, and then open the AD FS Management snap-in (in Server Manager, click Tools, and then select AD FS Management).
    6. In the Actions pane, click Edit Federation Service Properties.
    7. In the Federation Service Properties dialog box, click the Events tab.
    8. Select the Success audits and Failure audits check boxes and then click OK.
    

    Alternatively, you can deploy Azure AD Connect Health to monitor your on-premises ADFS deployment. It provides statistics: https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health-adfs


    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    • Marked as answer by Mayur SS Thursday, December 21, 2017 10:05 AM
    Wednesday, December 20, 2017 1:53 PM
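As an added example (not from the original post and not Microsoft's own tooling), the procedure above expressed as a PowerShell script that turns the audits on without discarding the farm's current log levels, then tallies successful token issuances per configured relying party trust. It assumes that AD FS 3.0 writes its audits to the Security log under the provider name 'AD FS Auditing' and that event ID 299 ('A token was successfully issued for the relying party') names the relying party identifier in its message text; check one such event on your own farm before trusting the regex. The function names Enable-AdfsSuccessAudits and Get-AdfsRelyingPartyUsage are chosen here.

```powershell
# Added example, not code from the original thread. Run in an elevated PowerShell
# session on an AD FS 3.0 (Windows Server 2012 R2) farm node.
# Assumptions (also stated in the lead-in):
#  - AD FS success audits land in the Security log under provider 'AD FS Auditing'.
#  - Event ID 299 carries the relying party identifier after the text 'Relying party:'.

# Step 1: enable success/failure audits, preserving whatever log levels are already set.
function Enable-AdfsSuccessAudits {
    # Same auditpol command as the steps above; output suppressed.
    auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable | Out-Null
    # Set-AdfsProperties -LogLevel replaces the whole list, so merge rather than overwrite.
    $current = @((Get-AdfsProperties).LogLevel)
    $wanted  = @($current + @('SuccessAudits', 'FailureAudits') | Select-Object -Unique)
    Set-AdfsProperties -LogLevel $wanted
}

# Step 2: count successful token issuances per relying party over a time window.
function Get-AdfsRelyingPartyUsage {
    param(
        [datetime]$Since = (Get-Date).AddDays(-30),
        [int]$IssuanceEventId = 299   # assumed event ID; verify against an event on your farm
    )

    $filter = @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'   # assumed provider name
        Id           = $IssuanceEventId
        StartTime    = $Since
    }
    # SilentlyContinue: Get-WinEvent throws when the filter matches nothing.
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # Tally issuances by the relying party identifier quoted in the event text.
    $counts = @{}
    foreach ($e in $events) {
        if ($e.Message -match 'Relying party:\s*(\S+)') {
            $rp = $Matches[1]
            $counts[$rp] = 1 + [int]$counts[$rp]
        }
    }

    # Join with the configured trusts so unused trusts appear with a count of 0,
    # and issuances whose identifier matches no trust are still reported.
    $rows = @(foreach ($trust in Get-AdfsRelyingPartyTrust) {
        $total = 0
        foreach ($id in @($trust.Identifier)) {
            if ($counts.ContainsKey($id)) { $total += $counts[$id]; $counts.Remove($id) }
        }
        [pscustomobject]@{
            Name       = $trust.Name
            Identifier = (@($trust.Identifier) -join ', ')
            Issuances  = $total
        }
    })
    foreach ($k in @($counts.Keys)) {
        $rows += [pscustomobject]@{ Name = '(no matching trust)'; Identifier = $k; Issuances = $counts[$k] }
    }
    $rows | Sort-Object Issuances -Descending
}

# Usage: enable once, then report after the audits have had time to accumulate.
Enable-AdfsSuccessAudits
Get-AdfsRelyingPartyUsage -Since (Get-Date).AddDays(-90) | Format-Table -AutoSize
```

Audits are written by the node that issued the token, so run the report on every farm node and merge the tables. A zero count is only evidence of disuse for the window you observed; let the audits cover a full business cycle (month-end and quarter-end applications included) before treating a trust as safe to remove.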

All replies

  • Hello Pierre, 

    Perfect! Thank you for the guidance. This really helps. I'll get auditing enabled as noticed that it is not in place currently. 

    Thanks

    Mayur

    Thursday, December 21, 2017 10:05 AM