Managing Active Directory Federation Services in Server 2022

Posted on 16th June 2023

Introduction

Active Directory Federation Services (AD FS) is a feature of the Windows Server operating system that allows organizations to provide single sign-on access to their resources from any device or application. AD FS is based on the Security Assertion Markup Language (SAML) 2.0 standard and can be used to provide access to resources hosted on-premises, in the cloud, or in a hybrid environment.

AD FS Requirements

In order to use AD FS, your organization must have the following:

  • A domain controller running Windows Server 2012 or later
  • An AD FS server running Windows Server 2012 R2 or later

AD FS Management Tools

There are a number of tools that can be used to manage AD FS, including:

  • The AD FS Management Console
  • The AD FS PowerShell cmdlets
  • The AD FS WMI provider

AD FS Management Console

The AD FS Management Console is a graphical user interface (GUI) that can be used to manage AD FS. To open the AD FS Management Console, click Start, point to Administrative Tools, and then click AD FS Management.

AD FS PowerShell Cmdlets

The AD FS PowerShell cmdlets are a set of PowerShell cmdlets that can be used to manage AD FS. To use them, you must first install the AD FS PowerShell module, which is named ADFS and ships with the AD FS role and its management tools rather than with the PowerShell Gallery. To install the role together with the module, open an elevated PowerShell prompt and run the following command:

Install-WindowsFeature ADFS-Federation -IncludeManagementTools
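As an added example (not code from the original post), the following script uses cmdlets from the ADFS module to review the settings a defender checks first: expiry of the token-signing and token-decrypting certificates, whether sign-in auditing is enabled, and which relying party trusts exist. It assumes it runs elevated on an AD FS server where the ADFS module is present, and that the deployment is AD FS 2016 or later (the AuditLevel property is not present on older versions). The 60-day expiry threshold is a chosen value, not an AD FS default.

```powershell
# Added example: audit AD FS settings with the ADFS module.
# Assumes the ADFS module is available (run elevated on an AD FS server, AD FS 2016 or later).
Import-Module ADFS

$props = Get-AdfsProperties

# Token-signing and token-decrypting certificates: flag those expiring within 60 days
# (60 days is a threshold chosen for this example).
$threshold = (Get-Date).AddDays(60)
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    Get-AdfsCertificate -CertificateType $type | ForEach-Object {
        $status = if ($_.Certificate.NotAfter -lt $threshold) { 'EXPIRING' } else { 'ok' }
        '{0,-17} primary={1,-5} thumbprint={2} expires={3:yyyy-MM-dd} {4}' -f `
            $type, $_.IsPrimary, $_.Thumbprint, $_.Certificate.NotAfter, $status
    }
}

# Audit level: 'None' means successful and failed sign-ins are not recorded in the Security log.
"AuditLevel: $($props.AuditLevel)"
if ($props.AuditLevel -eq 'None') {
    Write-Warning 'Auditing is disabled; enable it with: Set-AdfsProperties -AuditLevel Basic'
}

# Relying party trusts: list each with its identifiers, state and last change,
# so an unexpected or recently modified trust stands out.
Get-AdfsRelyingPartyTrust |
    Select-Object Name, Enabled, @{n = 'Identifiers'; e = { $_.Identifier -join ', ' }}, LastUpdateTime |
    Sort-Object LastUpdateTime -Descending |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on a federation server; the certificate lines and the relying party table are the parts worth keeping in a periodic review.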

AD FS WMI Provider

The AD FS WMI provider is a set of WMI classes that can be used to manage AD FS. To use the AD FS WMI provider, you must first connect to the AD FS WMI namespace. To connect to the AD FS WMI namespace, open a PowerShell prompt and run the following command:

Get-WmiObject -Namespace root\adfs -List

Conclusion

AD FS is a feature of the Windows Server operating system that allows organizations to provide single sign-on access to their resources from any device or application. AD FS is based on the Security Assertion Markup Language (SAML) 2.0 standard and can be used to provide access to resources hosted on-premises, in the cloud, or in a hybrid environment.

It is still possible to use the legacy ADFS 2.0 Management Pack for Server 2012 R2 if you have not yet upgraded to ADFS 3.0. The ADFS 2.0 Management Pack can be found here.

AD FS 3.0 Management Pack

The AD FS 3.0 Management Pack for System Center 2012 R2 Operations Manager and System Center 2016 Operations Manager is designed to monitor the health and performance of an AD FS deployment. It can be used to monitor both on-premises and Azure AD FS deployments. The Management Pack can be found here.

The following table lists the management pack versions that can be used to monitor different AD FS versions:

AD FS Version                      Management Pack Version
AD FS 3.0                          3.0.0.0
AD FS on Windows Server 2012 R2    3.0.0.0
AD FS on Windows Server 2016       3.0.0.0

AD FS 4.0 Management Pack

The AD FS 4.0 Management Pack for System Center 2012 R2 Operations Manager and System Center 2016 Operations Manager is designed to monitor the health and performance of an AD FS deployment. It can be used to monitor both on-premises and Azure AD FS deployments. The Management Pack can be found here.

The following table lists the management pack versions that can be used to monitor different AD FS versions:

AD FS Version                      Management Pack Version
AD FS 4.0                          4.0.0.0
AD FS on Windows Server 2016       4.0.0.0

Troubleshooting AD FS

The following section provides guidance on troubleshooting common AD FS issues.

Event Viewer

AD FS events are logged in the Application and Services Logs\AD FS event log. The following table lists the most common events that are logged by AD FS and their associated Event IDs.

Event ID  Level  Description
364       Error  The Federation Service could not authorize the incoming claim because the claim could not be mapped to a local claim. The Federation Service will continue to process the claim.
368       Error  The Federation Service could not issue a token because the configuration database could not be contacted. The Federation Service will continue to process the claim.
372       Error  The Federation Service could not issue a token because the security token service could not be contacted. The Federation Service will continue to process the claim.
376       Error  The Federation Service could not issue a token because the account is not federated. The Federation Service will continue to process the claim.
380       Error  The Federation Service could not issue a token because the user account is disabled. The Federation Service will continue to process the claim.
384       Error  The Federation Service could not issue a token because the user account has been locked out. The Federation Service will continue to process the claim.
388       Error  The Federation Service could not issue a token because the user account is not valid. The Federation Service will continue to process the claim.
392       Error  The Federation Service could not issue a token because the user account's password is expired. The Federation Service will continue to process the claim.
396       Error  The Federation Service could not issue a token because the user account is not authorized to access the requested resource. The Federation Service will continue to process the claim.

The following table lists the most common events that are logged by the AD FS Windows service and their associated Event IDs.

Event ID  Level  Description
100       Error  The Active Directory Federation Services service terminated unexpectedly.
101       Error  The Active Directory Federation Services service terminated unexpectedly.
102       Error  The Active Directory Federation Services service terminated unexpectedly.
103       Error  The Active Directory Federation Services service terminated unexpectedly.
104       Error  The Active Directory Federation Services service terminated unexpectedly.
105       Error  The Active Directory Federation Services service terminated unexpectedly.

The following table lists the most common events that are logged by the AD FS Web Application Proxy service and their associated Event IDs.

Event ID  Level  Description
200       Error  The Web Application Proxy could not connect to the Federation Service.
201       Error  The Web Application Proxy could not connect to the Federation Service.
202       Error  The Web Application Proxy could not connect to the Federation Service.
203       Error  The Web Application Proxy could not connect to the Federation Service.
204       Error  The Web Application Proxy could not connect to the Federation Service.
205       Error  The Web Application Proxy could not connect to the Federation Service.

AD FS logs additional information to the event log when verbose logging is enabled. Verbose logging can be enabled by setting the following registry key:

HKLM\SOFTWARE\Microsoft\ADFS\Diagnostics\EnableVerbose

The following table lists the most common events that are logged when verbose logging is enabled and their associated Event IDs.

Event ID  Level    Description
500       Verbose  The Federation Service processed a claim.
501       Verbose  The Federation Service processed a claim.
502       Verbose  The Federation Service processed a claim.
503       Verbose  The Federation Service processed a claim.
504       Verbose  The Federation Service processed a claim.
505       Verbose  The Federation Service processed a claim.
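The event IDs in the tables above can be queried directly with Get-WinEvent instead of browsing Event Viewer. The script below is an added example, not code from the original post: it collects the error IDs from the first table for the last 24 hours, counts them by ID, and raises a warning when the account-related failures (disabled, locked out, not valid, password expired, as listed above) exceed a threshold, since a burst of those from many accounts is what a password-guessing campaign or a misbehaving client looks like in this log. It assumes the Admin channel is named 'AD FS/Admin', which is the standard channel name on a federation server; the event IDs are taken from the tables above and the threshold of 50 is a chosen value.

```powershell
# Added example: summarise AD FS error events from the last 24 hours.
# Assumes the AD FS Admin channel 'AD FS/Admin' exists on this server.
$logName = 'AD FS/Admin'
$since   = (Get-Date).AddHours(-24)

# Event IDs from the troubleshooting table above.
$errorIds   = 364, 368, 372, 376, 380, 384, 388, 392, 396
$accountIds = 380, 384, 388, 392   # account disabled / locked out / not valid / password expired

$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = $logName
    Id        = $errorIds
    StartTime = $since
} -ErrorAction SilentlyContinue)

if ($events.Count -eq 0) {
    "No matching events in '$logName' since $since"
    return
}

# Count by event ID so the dominant failure type is visible at a glance.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n = 'EventId'; e = { $_.Name }}, Count |
    Format-Table -AutoSize

# Bursts of account-related failures deserve a closer look: many distinct
# accounts failing in a short window is a different problem from one user
# with an expired password. The threshold of 50 is chosen for this example.
$threshold = 50
$accountFailures = @($events | Where-Object { $accountIds -contains $_.Id })
if ($accountFailures.Count -ge $threshold) {
    Write-Warning ('{0} account-related token failures since {1}; first 10 shown below.' -f
        $accountFailures.Count, $since)
    $accountFailures | Select-Object -First 10 TimeCreated, Id, Message | Format-List
}
```

Schedule it or run it ad hoc on each federation server; the counts by ID tell you whether the problem is configuration (368, 372), trust (376) or accounts (380 to 392) before you open a single event.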

Fiddler

Fiddler is a free web debugging proxy that can be used to capture HTTP traffic for troubleshooting purposes. Fiddler can be downloaded from here.

To capture HTTP traffic with Fiddler, follow these steps:

1. Install and launch Fiddler.
2. Click Tools > Fiddler Options.
3. Click the HTTPS tab.
4. Select the Capture HTTPS CONNECTs and Decrypt HTTPS traffic check boxes.
5. Click the OK button.
6. Click the Capture button to start capturing traffic.

To export the captured traffic to a file, follow these steps:

1. Click File > Save > All Sessions.
2. Select the Sessions.saz file format.
3. Click the Save button.

The exported traffic can then be viewed in a text editor such as Notepad or Microsoft Word.

Netmon

Netmon is a network monitoring tool that can be used to capture network traffic for troubleshooting purposes. Netmon can be downloaded from here.

To capture network traffic with Netmon, follow these steps:

1. Install and launch Netmon.
2. Click the Capture menu.
3. Click the Start button.
4. Click the Stop button when you have finished capturing traffic.

To export the captured traffic to a file, follow these steps:

1. Click the File menu.
2. Click the Save As menu item.
3. Enter a file name and location.
4. Click the Save button.

The exported traffic can then be viewed in a text editor such as Notepad or Microsoft Word.

Wireshark

Wireshark is a free and open-source network protocol analyzer that can be used to capture network traffic for troubleshooting purposes. Wireshark can be downloaded from here.

To capture network traffic with Wireshark, follow these steps:

1. Install and launch Wireshark.
2. Click the Capture menu.
3. Click the Start button.
4. Click the Stop button when you have finished capturing traffic.

To export the captured traffic to a file, follow these steps:

1. Click the File menu.
2. Click the Save As menu item.
3. Enter a file name and location.
4. Click the Save button.

The exported traffic can then be viewed in a text editor such as Notepad or Microsoft Word.

Testing AD FS

The following section provides guidance on testing AD FS.

Test-AdfsHealth

The Test-AdfsHealth cmdlet tests the health of an AD FS deployment. The cmdlet can be used to test the following components:

– AD FS servers
– WAP servers
– Certificate revocation list (CRL) distribution points
– Domain Name System (DNS)
– Active Directory

To test the health of an AD FS deployment, follow these steps:

1. Open a PowerShell prompt.
2. Type the following command and press Enter:

Test-AdfsHealth

3. Review the output of the cmdlet.
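The components listed above can also be checked with standard PowerShell cmdlets when you want a scriptable result. The script below is an added example; it is not the Test-AdfsHealth cmdlet and not Microsoft code. It resolves the federation service name in DNS, checks that port 443 answers on the federation service and on each WAP server, verifies this server's secure channel to Active Directory, and fetches the CRL distribution points of the primary token-signing certificate. It assumes it runs on an AD FS server with the ADFS module available, and the WAP names in $wapServers are placeholders to replace with your own.

```powershell
# Added example: basic health checks for an AD FS deployment using standard cmdlets.
# Assumes: runs on an AD FS server with the ADFS module; $wapServers holds placeholder names.
Import-Module ADFS

$wapServers = @('wap01.example.com', 'wap02.example.com')   # placeholders, replace with real WAP names
$results = New-Object System.Collections.Generic.List[object]

function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results.Add([pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail })
}

# 1. DNS: the federation service name must resolve.
$fsName = (Get-AdfsProperties).HostName
try {
    $addrs = (Resolve-DnsName -Name $fsName -Type A -ErrorAction Stop).IPAddress -join ', '
    Add-Result "DNS $fsName" $true $addrs
} catch {
    Add-Result "DNS $fsName" $false $_.Exception.Message
}

# 2. AD FS and WAP servers: the HTTPS endpoint must accept connections.
foreach ($target in @($fsName) + $wapServers) {
    $tcp = Test-NetConnection -ComputerName $target -Port 443 -WarningAction SilentlyContinue
    Add-Result "TCP 443 $target" $tcp.TcpTestSucceeded "remote=$($tcp.RemoteAddress)"
}

# 3. Active Directory: the secure channel from this server to the domain must be healthy.
$channelOk = Test-ComputerSecureChannel -ErrorAction SilentlyContinue
Add-Result 'AD secure channel' ([bool]$channelOk) $env:USERDNSDOMAIN

# 4. CRL distribution points of the primary token-signing certificate must be reachable,
#    otherwise relying parties that check revocation will reject tokens.
$signing = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
$cdpExt  = $signing.Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if ($cdpExt) {
    $urls = [regex]::Matches($cdpExt.Format($true), 'https?://\S+') | ForEach-Object { $_.Value }
    foreach ($url in $urls) {
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
            Add-Result "CRL $url" ($resp.StatusCode -eq 200) "HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
        } catch {
            Add-Result "CRL $url" $false $_.Exception.Message
        }
    }
} else {
    # AD FS-generated self-signed certificates carry no CDP extension; nothing to fetch.
    Add-Result 'CRL token-signing' $true 'no CRL distribution point in certificate'
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) { exit 1 }
```

The non-zero exit code on any failed check makes the script usable from a scheduled task or monitoring agent; the table itself is what you read when something turns red.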

Test-AdfsRelyingPartyTrust

The Test-AdfsRelyingPartyTrust cmdlet tests the configuration of a relying party trust.