ADFS 2016/2019 Extranet Smart Lockout Logging

Here is a quick cheat sheet on enabling the logging components needed for Extranet Smart Lockout and for troubleshooting AD FS events.


ADFS Tracing/Debug Logging

#Enable AD FS Tracing/Debug Log
$logname = "AD FS Tracing/Debug"
#Verify if it's enabled or not
Get-WinEvent -ListLog $logname | fl IsEnabled
#Get the log configuration object (run from an elevated PowerShell session)
$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logname
#Enable the Log and save the object
$log.IsEnabled=$true
$log.SaveChanges()

ADFS Object Access Audit Policy

#check if Audit Policy is already correct
auditpol /get /subcategory:"Application Generated" /r
#set Application Generated Object Access Audit Policy
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

ADFS Audit Level

#raise the AD FS audit level so Extranet Smart Lockout events are written to the Security log
Set-AdfsProperties -AuditLevel Verbose
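The three steps above are easy to apply and just as easy to forget on a secondary node. The following script is an added example, not part of the original post: it checks all three settings on the node it runs on and reports which ones still need attention, optionally applying the same commands from the cheat sheet to fix them. It assumes an elevated PowerShell session on an AD FS 2016/2019 server with the ADFS module available; the parameter name -Remediate and the output column names are my own choices.

```powershell
# Added example (not from the original post): verify the Extranet Smart Lockout
# logging prerequisites on this AD FS node and optionally remediate them.
# Assumes an elevated session on an AD FS 2016/2019 server; -Remediate is an
# assumed parameter name chosen for this example.
param(
    [switch]$Remediate
)

$results = @()

# 1. AD FS Tracing/Debug log must be enabled
$logname = "AD FS Tracing/Debug"
$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logname
if (-not $log.IsEnabled -and $Remediate) {
    $log.IsEnabled = $true
    $log.SaveChanges()
}
$results += [pscustomobject]@{
    Check  = "AD FS Tracing/Debug log enabled"
    Ok     = [bool]$log.IsEnabled
    Actual = $log.IsEnabled
}

# 2. Object Access > Application Generated must audit both Success and Failure.
#    auditpol /r emits CSV; drop blank lines before parsing it.
$auditRow = auditpol /get /subcategory:"Application Generated" /r |
    Where-Object { $_.Trim() } |
    ConvertFrom-Csv
$setting = $auditRow.'Inclusion Setting'
if ($setting -ne 'Success and Failure' -and $Remediate) {
    auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable | Out-Null
    $setting = 'Success and Failure'
}
$results += [pscustomobject]@{
    Check  = "Application Generated audit = Success and Failure"
    Ok     = ($setting -eq 'Success and Failure')
    Actual = $setting
}

# 3. AD FS audit level must be Verbose (AuditLevel is returned as a collection)
$auditLevel = (Get-AdfsProperties).AuditLevel
if (($auditLevel -notcontains 'Verbose') -and $Remediate) {
    Set-AdfsProperties -AuditLevel Verbose
    $auditLevel = (Get-AdfsProperties).AuditLevel
}
$results += [pscustomobject]@{
    Check  = "AD FS AuditLevel = Verbose"
    Ok     = ($auditLevel -contains 'Verbose')
    Actual = ($auditLevel -join ',')
}

$results | Format-Table -AutoSize

# Non-zero exit code when anything is still wrong, so the script can be used in a
# scheduled check across farm nodes.
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

Run it without -Remediate first to see the current state of each node; rerun with -Remediate on a node that reports a failed check. The exit code lets you wire it into whatever you already use to compare configuration across primary and secondary nodes.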

Single Script Update

Stay tuned, putting some final touches on adding secondary ADFS nodes via single script. This will be published first as I haven’t decided if a single push button script to install and configure the primary node is necessary unless you’re in haste to rebuild a failed ADFS farm.
