Enabling Logging in ADFS

* This post applies to the Beta 2 release of ADFS and may or may not apply to the final product *

 

In ADFSv1, the logging was enabled in the UI.  You checked the checkboxes, set a log file path, and left it alone.  In fact, in the MSIT deployment, we were in the habit of running with full logging enabled all the time, letting them wrap on their own, and accepting the imperceptable performance hit because we didn’t have that much load.  The latest version of ADFS is a different beast though.  In addition to being a much richer product from a feature/functionality perspective, there is much more logging which can be enabled for an administrator to use in troubleshooting.

To enable logging, start by opening the web.config file (located in the c:\inetpub\IdentityServer\WSFederationPassive.Web directory) and scrolling towards the bottom.  You’ll see a section which looks like this:

<system.diagnostics>
  <sources>
    <!– To enable tracing on a particular component, uncomment the desired section below. Then uncomment
         the shared listener named "xml" and the Microsoft.IdentityServer.SourceSwitch in the switches element.
     –>
    <!– Federation passive related tracing
    <source name="Microsoft.IdentityServer.Shared.WSFederation" switchName="Microsoft.IdentityServer.SourceSwitch" switchType="System.Diagnostics.SourceSwitch" >
      <listeners>
        <add name="xml" />
      </listeners>
    </source> –>
  </sources>

  <!– This is the shared listener for all of the tracing.  All of the sources write to this listener.
       If you want a more fine-grained listener, one can be added to the listeners element in each source above, which
       can then output to different files if desired. After uncommenting this, put the absolute path of the trace file
       ie c:\temp\TraceData.svclog.  Be sure that the identity of the service can write to the file and directory –>
  <sharedListeners>
    <!– <add name="xml" type="System.Diagnostics.XmlWriterTraceListener" initializeData="" /> –>
  </sharedListeners>
  <switches>
    <!– Uncomment this switch to use with your trace sources.  You can add more and configure
         them per source by editing the value attribute.  For each source above, there is a switchName
         attribute that links the source to a switch in this collection.  You can use the same switch
         with every source, or you can create a different switch for source for more control if thats
         desired.
    <add name="Microsoft.IdentityServer.SourceSwitch" value="Information" />
    –>
  </switches>
  <trace autoflush="true" ></trace>
</system.diagnostics>

To enable tracing, you want to do a few things (basically following the instructions in this section):

1)  Uncomment the tracing that you’re looking for – being careful to keep the comments/instructions commented out (yeah, I’ve blown that at least twice)

2)  Uncomment the <sharedListeners> tag, and if you like, add a path to the initializeData field.  We usually use d:\logs

2a)  Make sure that the account ADFS is running under, either NETWORK SERVICE or a system account, has write access to that directory (yeah, blown that one before too)

3) Uncomment the <add name= tag, and we usually change the value to “Verbose”

At this point, you should see the log file, something like TraceData.svclog.  If you open it up in notepad.exe, you’ll find a horrendous jumble of unformatted XML which is nearly indecipherable by humans.  So I highly suggest you use a utility, such as svcTraceViewer.exe, which is available when you install Visual Studio 2008 [1], and which provides a much, MUCH better experience parsing the logs.

Good luck, and happy federating!

~B

 

 

[1]  Personally, I’m not a huge fan of needing a utility that’s only available in VS2008 to read these things, because as an IT admin I don’t normally need developer tools like Visual Studio.  I would love to post a copy of it for those that don’t have access/ability to get it from a VS2008 install, but I can’t get a definitive answer on redistribution rules, and as an MS employee I’m not risking my job over it…  I’m happy to host any comments from the readers who want to help others with utilities for reading these things.

 

Oh yeah, one more thing…  don’t leave the logging turned on all the time.  Just enable it when you need it, and then disable it.  Came back to a server a few days later to find a 1.5GB log file that was just growing and growing…

Advertisement