BPuhl’s Blog

A little bit of everything without actually being much of anything

Enabling Logging in ADFS

Posted by BPuhl on August 6, 2009

* This post applies to the Beta 2 release of ADFS and may or may not apply to the final product *


In ADFSv1, the logging was enabled in the UI.  You checked the checkboxes, set a log file path, and left it alone.  In fact, in the MSIT deployment, we were in the habit of running with full logging enabled all the time, letting them wrap on their own, and accepting the imperceptable performance hit because we didn’t have that much load.  The latest version of ADFS is a different beast though.  In addition to being a much richer product from a feature/functionality perspective, there is much more logging which can be enabled for an administrator to use in troubleshooting.

To enable logging, start by opening the web.config file (located in the c:\inetpub\IdentityServer\WSFederationPassive.Web directory) and scrolling towards the bottom.  You’ll see a section which looks like this:

    <!– To enable tracing on a particular component, uncomment the desired section below. Then uncomment
         the shared listener named "xml" and the Microsoft.IdentityServer.SourceSwitch in the switches element.
    <!– Federation passive related tracing
    <source name="Microsoft.IdentityServer.Shared.WSFederation" switchName="Microsoft.IdentityServer.SourceSwitch" switchType="System.Diagnostics.SourceSwitch" >
        <add name="xml" />
    </source> –>

  <!– This is the shared listener for all of the tracing.  All of the sources write to this listener.
       If you want a more fine-grained listener, one can be added to the listeners element in each source above, which
       can then output to different files if desired. After uncommenting this, put the absolute path of the trace file
       ie c:\temp\TraceData.svclog.  Be sure that the identity of the service can write to the file and directory –>
    <!– <add name="xml" type="System.Diagnostics.XmlWriterTraceListener" initializeData="" /> –>
    <!– Uncomment this switch to use with your trace sources.  You can add more and configure
         them per source by editing the value attribute.  For each source above, there is a switchName
         attribute that links the source to a switch in this collection.  You can use the same switch
         with every source, or you can create a different switch for source for more control if thats
    <add name="Microsoft.IdentityServer.SourceSwitch" value="Information" />
  <trace autoflush="true" ></trace>

To enable tracing, you want to do a few things (basically following the instructions in this section):

1)  Uncomment the tracing that you’re looking for – being careful to keep the comments/instructions commented out (yeah, I’ve blown that at least twice)

2)  Uncomment the <sharedListeners> tag, and if you like, add a path to the initializeData field.  We usually use d:\logs

2a)  Make sure that the account ADFS is running under, either NETWORK SERVICE or a system account, has write access to that directory (yeah, blown that one before too)

3) Uncomment the <add name= tag, and we usually change the value to “Verbose”

At this point, you should see the log file, something like TraceData.svclog.  If you open it up in notepad.exe, you’ll find a horrendous jumble of unformatted XML which is nearly indecipherable by humans.  So I highly suggest you use a utility, such as svcTraceViewer.exe, which is available when you install Visual Studio 2008 [1], and which provides a much, MUCH better experience parsing the logs.

Good luck, and happy federating!




[1]  Personally, I’m not a huge fan of needing a utility that’s only available in VS2008 to read these things, because as an IT admin I don’t normally need developer tools like Visual Studio.  I would love to post a copy of it for those that don’t have access/ability to get it from a VS2008 install, but I can’t get a definitive answer on redistribution rules, and as an MS employee I’m not risking my job over it…  I’m happy to host any comments from the readers who want to help others with utilities for reading these things.


Oh yeah, one more thing…  don’t leave the logging turned on all the time.  Just enable it when you need it, and then disable it.  Came back to a server a few days later to find a 1.5GB log file that was just growing and growing…

About these ads

3 Responses to “Enabling Logging in ADFS”

  1. Laura said

    Actually it looks like svcTraceViewer.exe installs with the .NET Framework 3.5 SDK (http://www.microsoft.com/downloads/details.aspx?FamilyID=e6e1c3df-a74f-4207-8586-711ebe331cdc&DisplayLang=en). Still requires you to install a “dev-ish” thing, but at least it’s not the full-blown VS install (with associated cost). In fact svcTraceViewer doesn’t install at -all- with the VS Express Editions unless you go and manually install the SDK in addition to.

    If you want to reduce the disk footprint when installing the SDK, just install the Windows Headers and Windows Development Tools and skip the samples and the docs – takes it from like a 3G install to a 300MB install.

    One would still argue that it’s overkill to do a 300MB install to get one diag utility, but I haven’t tried just yoinking that single .exe off elsewhere to see if it’ll run standalone.

  2. Just use a different trace listener and the whole SvcTraceViewer thing’s moot:

    • Grr! XML got snipped. If WP doesn’t let this encoded stuff through, see http://msdn.microsoft.com/en-us/library/system.diagnostics.presentationtracesources.aspx.

      <source name="System.Windows.Media.Animation"
      switchName="SourceSwitch" >
      <add name="textListener" />
      <add name="SourceSwitch" value="All" />
      <add name="textListener"
      initializeData="Debug.txt" />
      <trace autoflush="true" indentsize="4"></trace>

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

%d bloggers like this: