Federation Service Auditing

Applies To: Windows Server 2008

The Federation Service uses auditing to record success and failure audits, such as audits that are written when tokens are created and received.

Events

Event ID Source Message

675

Microsoft-Windows-ADFS

The AD FS auditing subsystem could not register itself with the system. The auditing privilege is not held.

The AD FS component will not be able to start unless it is granted the auditing privilege.

User Action
AD FS components that write audits must be configured to run as LocalSystem, NetworkService, or a domain principal that has explicitly been granted the "Generate Security Audits" privilege (SeAuditPrivilege).

If the failing component is the Federation Service, configure the application pool (ADFSAppPool) to run as an appropriate principal.

If the failing component is the AD FS Web Agent Authentication Service, configure the Windows NT service to run as an appropriate principal.

If the failing component is the AD FS Web Agent for claims-aware applications, configure the application pool for the protected application to run as an appropriate principal.

676

Microsoft-Windows-ADFS

The AD FS auditing subsystem could not register itself with the system. An unexpected error occurred.

Additional Data
The data field contains a Win32 error code.

677

Microsoft-Windows-ADFS

The AD FS auditing subsystem failed to write an audit event. An unexpected error ocurred.

Additional Data
The data field contains a Win32 error code.

10100

Microsoft-Windows-ADFS

Transaction ID: %1

Summary
%2
Proxy certificate thumbprint: %3
Target URI: %4
Exception information: %5

Output Resource Token
%6
Token ID: %7
Identity: %8

Output Logon Accelerator Token
%9
Token ID: %10
Identity: %11

Input Logon Accelerator Token
%12
Token ID: %13
Identity: %14

Input Federation Token
%15
Token ID: %16
Identity: %17

Input Credentials
%18
Credential type: %19
Credential hint: %20
Account store URI: %21
Error code: %22
Error string: %23

10230

Microsoft-Windows-ADFS

Transaction ID: %1

This event contains details of the errors encountered while processing the input logon accelerator token that was received as part of the referenced transaction.

%2
Token ID: %3
Issuer: %4
Identity: %5
Audience: %6
Key identifier: %7
Validation time: %8 %9
Effective time: %10 %11
Expiration time: %12 %13
Error code: %14

10240

Microsoft-Windows-ADFS

Transaction ID: %1

This event contains details of the errors encountered while processing the input federation token that was received as part of the referenced transaction.

%2
Token ID: %3
Issuer: %4
Identity: %5
Audience: %6
Key identifier: %7
Validation time: %8 %9
Effective time: %10 %11
Expiration time: %12 %13
Error code: %14

10510

Microsoft-Windows-ADFS

Transaction ID: %1

This event contains the details of the output resource token that was issued as part of the referenced transaction.

Token ID: %2
Issuer: %3
Audience: %4
Effective time: %5 %6
Expiration time: %7 %8
Claim source: %9
Authentication methods:
Method%t%tTime
%10
UPN: %11
E-mail: %12
Common name: %13
Groups: (%14 sensitive values omitted)
%15
Custom claims:
Name%t%tValue
%16
SIDs:
%17

10520

Microsoft-Windows-ADFS

Transaction ID: %1

This event contains the details of the output logon accelerator token that was issued as part of the referenced transaction.

Token ID: %2
Issuer: %3
Audience: %4
Effective time: %5 %6
Expiration time: %7 %8
Claim source: %9
Authentication methods:
Method%t%tTime
%10
UPN: %11
E-mail: %12
Common name: %13
Groups: (%14 sensitive values omitted)
%15
Custom claims:
Name%t%tValue
%16
SIDs:
%17

10530

Microsoft-Windows-ADFS

Transaction ID: %1

This event contains the details of the input logon accelerator token that was received as part of the referenced transaction.

Token ID: %2
Issuer: %3
Audience: %4
Effective time: %5 %6
Expiration time: %7 %8
Claim source: %9
Authentication methods:
Method%t%tTime
%10
UPN: %11
E-mail: %12
Common name: %13
Groups: (%14 sensitive values omitted)
%15
Custom claims:
Name%t%tValue
%16
SIDs:
%17

10540

Microsoft-Windows-ADFS

Transaction ID: %1

This event contains the details of the input federation token that was received as part of the referenced transaction.

Token ID: %2
Issuer: %3
Audience: %4
Effective time: %5 %6
Expiration time: %7 %8
Claim source: %9
Authentication methods:
Method%t%tTime
%10
UPN: %11
E-mail: %12
Common name: %13
Groups: (%14 sensitive values omitted)
%15
Custom claims:
Name%t%tValue
%16
SIDs:
%17

10550

Microsoft-Windows-ADFS

Transaction ID: %1

This event contains the list of claims that were retrieved using the input credentials that were received as part of the referenced transaction.

UPN: %2
E-mail: %3
Common name: %4
Groups: (%5 sensitive values omitted)
%6
Custom claims:
Name%t%tValue
%7
SIDs: %8

Federation Service

Active Directory Federation Services