Here is a quick cheat sheet on enabling the necessary logging components for Extranet Smart Lockout and Troubleshooting ADFS Events.
ADFS Tracing/Debug Logging
# Enable AD FS Tracing/Debug Log
$logname = "AD FS Tracing/Debug"
# Verify if it's enabled or not
Get-WinEvent -ListLog $logname | fl IsEnabled
# Get the log configuration object
$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logname
# Enable the log and save the change
$log.IsEnabled=$true
$log.SaveChanges()
ADFS Object Access Audit Policy
# Check if the audit policy is already correct
auditpol /get /subcategory:"Application Generated" /r
# Set the Object Access > Application Generated audit policy (success and failure)
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable
ADFS Audit Level
Set-AdfsProperties -AuditLevel Verbose
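The three settings above, checked (and optionally corrected) in one pass, as an added example that is not part of the original post. It assumes an elevated session on an AD FS node with the ADFS module loaded, and that the CSV emitted by `auditpol /r` carries an "Inclusion Setting" column; the function name Test-AdfsLockoutLogging is my own.

```powershell
# Added example: report whether the Extranet Smart Lockout logging prerequisites are in
# place on this node and, with -Fix, bring any drifted setting back into line.
# Assumes the ADFS module is available and auditpol.exe is on PATH (run elevated).
function Test-AdfsLockoutLogging {
    param([switch]$Fix)

    $logName = "AD FS Tracing/Debug"
    $subcat  = "Application Generated"

    # 1. AD FS Tracing/Debug analytic log
    $log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logName
    if (-not $log.IsEnabled -and $Fix) { $log.IsEnabled = $true; $log.SaveChanges() }
    $tracingOn = [bool](Get-WinEvent -ListLog $logName).IsEnabled   # re-read after change

    # 2. Object Access > Application Generated audit subcategory
    # auditpol /r prints CSV; "Inclusion Setting" reads "Success and Failure" when both are on
    # (column name is an assumption based on Server 2016/2019 output).
    $row = auditpol /get /subcategory:"$subcat" /r |
        Where-Object { $_.Trim() } | ConvertFrom-Csv
    $auditOk = $row.'Inclusion Setting' -eq 'Success and Failure'
    if (-not $auditOk -and $Fix) {
        auditpol.exe /set /subcategory:"$subcat" /success:enable /failure:enable | Out-Null
        $auditOk = ($LASTEXITCODE -eq 0)
    }

    # 3. AD FS audit level; the property can come back as a collection, so wrap it
    $level = @((Get-AdfsProperties).AuditLevel)
    if (($level -notcontains 'Verbose') -and $Fix) {
        Set-AdfsProperties -AuditLevel Verbose
        $level = @((Get-AdfsProperties).AuditLevel)
    }
    $levelOk = $level -contains 'Verbose'

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        TracingEnabled = $tracingOn
        AuditPolicyOk  = $auditOk
        AuditLevel     = ($level -join ',')
        Compliant      = ($tracingOn -and $auditOk -and $levelOk)
    }
}

# Report only:
Test-AdfsLockoutLogging
# Report and remediate on the same node:
# Test-AdfsLockoutLogging -Fix
```

Run it on every node in the farm: the tracing log and audit policy are per-machine, while the audit level is a farm-wide AD FS property.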
Single Script Update
Stay tuned, I'm putting some final touches on adding secondary ADFS nodes via a single script. This will be published first, as I haven't decided if a single push-button script to install and configure the primary node is necessary unless you're in haste to rebuild a failed ADFS farm.