ADFS Auditing Configuration on Windows Server

Updated Sep 19, 2023

NXLog for auditing ADFS

Active Directory Federation Services (ADFS) is a software component that can run on Windows Server operating systems to provide users with single sign-on (SSO) access to systems and applications located across organizational boundaries. This page explains how to enable auditing for ADFS, and how to send audit logs to Arctic Wolf using NXLog.

The following operating systems are supported:

PowerShell commands for auditing ADFS

By default, basic auditing is enabled for ADFS. However, there are some basic PowerShell commands you can run to adjust the level of auditing for ADFS:

Command: Set-AdfsProperties -AuditLevel Basic
Description: Log no more than five events for a single request.

Command: Set-AdfsProperties -AuditLevel None
Description: Do not log audit events.

Command: Set-AdfsProperties -AuditLevel Verbose
Description: Log a significant number of events.

Command: Get-AdfsProperties
Description: View and/or verify the current auditing level.

Command: Set-AdfsProperties -EnableExtranetLockout $true -ExtranetLockoutThreshold 8 -ExtranetObservationWindow (new-timespan -Minutes 15)
Description: Turn on Extranet Lockout.

Command: Set-AdfsProperties -AddBannedIps "1.2.3.4", "::3", "1.2.3.4/16"
Description: Add blocked IP addresses to ADFS.

Command: Set-AdfsProperties -LogLevel ((Get-AdfsProperties).LogLevel+'SuccessAudits','FailureAudits')
Description: Use the Windows Internal Database (WID) as the storage method for the ADFS configuration database. Note: You must run these commands on the primary ADFS server.
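As an added example (not from the original page, and not an Arctic Wolf script), the following PowerShell combines the commands above into a single check-and-set pass that can be re-run safely on the primary ADFS server; it assumes the ADFS module is available, the shell is elevated, and that auditpol.exe /r emits its usual CSV layout with an "Inclusion Setting" column.

```powershell
# Added example (not from the original page): verify and raise the ADFS audit
# configuration on the primary ADFS server, then confirm the auditpol setting.
# Assumes the ADFS PowerShell module is present (installed with the role)
# and that the shell is elevated on the primary ADFS server.

Import-Module ADFS

$props = Get-AdfsProperties

# 1. Report the current state before changing anything.
"AuditLevel before: $($props.AuditLevel -join ', ')"
"LogLevel before:   $($props.LogLevel -join ', ')"

# 2. Add SuccessAudits and FailureAudits to LogLevel only if they are missing,
#    so re-running the script does not append duplicate entries.
$wanted  = 'SuccessAudits', 'FailureAudits'
$missing = $wanted | Where-Object { $props.LogLevel -notcontains $_ }
if ($missing) {
    Set-AdfsProperties -LogLevel ($props.LogLevel + $missing)
}

# 3. Restore AuditLevel to Basic if it has been turned off entirely;
#    None silences the audit events this page relies on.
if ($props.AuditLevel -contains 'None') {
    Set-AdfsProperties -AuditLevel Basic
}

# 4. Enable Extranet Lockout with the thresholds given on this page if it is off.
if (-not $props.EnableExtranetLockout) {
    Set-AdfsProperties -EnableExtranetLockout $true `
        -ExtranetLockoutThreshold 8 `
        -ExtranetObservationWindow (New-TimeSpan -Minutes 15)
}

# 5. Confirm the Windows audit subcategory that ADFS writes to is enabled
#    (the same subcategory the auditpol.exe command in the service account
#    procedure on this page sets). /r asks auditpol for CSV output.
$audit   = auditpol.exe /get /subcategory:"Application Generated" /r |
           Where-Object { $_ -ne '' } | ConvertFrom-Csv
$setting = $audit | Select-Object -ExpandProperty 'Inclusion Setting'
if ($setting -ne 'Success and Failure') {
    Write-Warning "Application Generated auditing is '$setting'; expected 'Success and Failure'."
}

# 6. Show the resulting configuration.
$after = Get-AdfsProperties
"AuditLevel after:  $($after.AuditLevel -join ', ')"
"LogLevel after:    $($after.LogLevel -join ', ')"
```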

ADFS audit configuration in Group Policy

Based on Microsoft best practices, all Group Policy Objects (GPOs) that apply to ADFS servers should only apply to them and not other servers as well. See Arctic Wolf Group Policy Object Advanced Audit Policy for a starting point. Note, however, that some items do not apply if the ADFS server is not also a domain controller (DC).

Enable the ADFS service account

The ADFS service account is disabled by default.

Note: The events generated at the auditing levels above are independent of the default options on the Events tab of the ADFS properties.

  1. Click Start, and then select Programs > Administrative Tools > Local Security Policy.

    Tip: Microsoft recommends using the Local Security Policy application for this process.

  2. Navigate to the Security Settings\Local Policies\User Rights Assignment folder, and then double-click Generate security audits.

  3. On the Local Security Setting tab, verify that the ADFS service account is listed. If it is:

    • Not present — Click Add User or Group and then add it to the list. Click OK.
    • Present — Proceed to the next step.
  4. Open a command prompt with elevated privileges and run this command to enable auditing:

    auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
  5. Close the Local Security Policy window.

  6. Click Start, and then select Programs > Administrative Tools > ADFS Management to open the ADFS Management snap-in.

  7. In the Actions pane, click Edit Federation Service Properties.

  8. In the Federation Service Properties dialog, click the Events tab.

  9. Select Success audits and Failure audits, and then click OK.

    Note: We recommend enabling Success audits and Failure audits on the ADFS Farm. To enable this, you must enable auditing using the Local Security Policy MMC snap-in.

ADFS logs for troubleshooting

These are the primary logs used for ADFS troubleshooting:

Send ADFS logs to Arctic Wolf

  1. Confirm that NXLog is installed on ADFS servers. See NXLog installation and version updates for more information.

  2. Confirm that the nxlog.conf file for the Arctic Wolf Sensor, including Virtual Log Collectors (vLCs) or Virtual Sensors (vSensors), is installed in the same local area network.

    Tip: The standard Arctic Wolf nxlog.conf file configuration used on your domain controller works for this process.

  3. Confirm that NXLog is started.