6.2 Configuring Windows Active Directory Federation Services Monitoring

Change Guardian monitors the following in Active Directory Federation Services (ADFS):

  • Application token failure/success

  • Fresh credential validation success/failure

  • Password change request success/failure

6.2.1 Configuring ADFS Auditing

Configure ADFS auditing so that ADFS writes its audit events to the Windows Security event log. Two settings are required: the Windows audit policy (Audit Application Generated) on the server that runs the ADFS service, and the success/failure audit option in the ADFS Federation Service properties. If either is missing, no ADFS audit events appear in the Security log.

To configure ADFS auditing:

  1. Log in as an administrator in the domain that you want to configure.

  2. Open the Group Policy Management Console: run gpmc.msc from a command prompt.

  3. Click Forest > Domains > Domain Name > Domain Controllers.

  4. Right-click Default Domain Controllers Policy and select Edit.

    NOTE: Edit the Default Domain Controllers Policy rather than a lower-precedence GPO, because a GPO linked to the Domain Controllers organizational unit (OU) with a higher-precedence link order can override this configuration the next time the computer restarts or gpupdate runs. If your corporate standards do not allow you to modify the Default Domain Controllers Policy, create a GPO for your Change Guardian settings, add these settings to that GPO, and give it the highest-precedence link order in the Domain Controllers OU. This policy applies only to computers in the Domain Controllers OU; if ADFS runs on member servers rather than on domain controllers, link the GPO (or one with the same setting) to the OU that contains the ADFS servers, or configure the same audit setting in the local security policy of each ADFS server.

  5. Click Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

  6. Under Object Access, double-click Audit Application Generated and select Configure the following audit events, Success, and Failure.

  7. To apply the updated policy without waiting for the next refresh, run gpupdate /force at a command prompt.

Configure auditing for ADFS in the ADFS Management snap-in

  1. To open the ADFS Management snap-in, go to Programs > Administrative Tools > ADFS Management.

  2. Click Actions and select Edit Federation Service Properties.

  3. In the Federation Service Properties dialog box, click the Events tab and select Success audits and Failure audits.
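The same two settings can be applied and verified from an elevated PowerShell session on the ADFS server, which is useful for checking the effective configuration after the GPO has refreshed. The script below is an added example and is not part of the Change Guardian documentation or product; it assumes Windows Server 2012 R2 or later with the ADFS PowerShell module installed (the AuditLevel parameter exists only on Windows Server 2016 and later, and the Security-log event IDs 1200 to 1203 are the token-issuance and fresh-credential-validation audits that Microsoft documents for ADFS). One caveat the GUI procedure above does not mention: the ADFS service account must hold the "Generate security audits" user right (User Rights Assignment in the local or group policy that applies to the ADFS server), otherwise ADFS cannot write to the Security log even when both settings are enabled.

```powershell
# Added example (not Change Guardian or Microsoft code). Run elevated on the ADFS server.
# Assumptions: ADFS PowerShell module available; Windows Server 2012 R2 or later.

# 1. Check the effective Windows audit policy for the subcategory the GPO configures
#    ("Audit Application Generated"). The output should read "Success and Failure".
auditpol.exe /get /subcategory:"Application Generated"

# For a lab or a standalone test, the same setting can be applied locally. In production
# use the GPO described above so that the setting survives the next policy refresh.
auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable

# 2. Enable success and failure audits in ADFS (equivalent of the Events tab).
Import-Module ADFS
Set-AdfsProperties -LogLevel @('Errors', 'Warnings', 'Information', 'SuccessAudits', 'FailureAudits')

# Windows Server 2016 and later: Basic is the default audit level; Verbose records every
# token request and response and is the level that gives a monitoring tool full detail.
$os = [System.Environment]::OSVersion.Version
if ($os.Major -gt 10 -or ($os.Major -eq 10 -and $os.Build -ge 14393)) {
    Set-AdfsProperties -AuditLevel Verbose
}

# 3. Show the resulting ADFS configuration and the account the ADFS service runs as.
#    That account needs the "Generate security audits" user right on this server.
Get-AdfsProperties | Select-Object LogLevel, AuditLevel
$svc = Get-CimInstance Win32_Service -Filter "Name='adfssrv'"
"ADFS service account: $($svc.StartName)"

# 4. Confirm that audit events actually reach the Security log. Event IDs (documented by
#    Microsoft for ADFS): 1200 token issued, 1201 token issuance failed,
#    1202 fresh credential validated, 1203 fresh credential validation failed.
Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    Id           = 1200, 1201, 1202, 1203
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

If step 4 returns nothing after a test sign-in, check the three prerequisites in order: the audit policy subcategory (step 1), the ADFS LogLevel (step 2), and the "Generate security audits" right for the service account shown in step 3.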