Event ID 126 — Windows NT Token-Based Application Auditing

Applies To: Windows Server 2008

Audit events are written to the audit log during the auditing process. The Windows token-based agent records Success and Failure audits, such as the state of the AD FS Web Agent Authentication Service.

Event Details

Product: Windows Operating System
ID: 126
Source: Microsoft-Windows-ADFS
Version: 6.0
Symbolic Name: SSO_REGISTER_AUDIT_FAILURE
Message: The AD FS Web Agent Authentication Service was not able to start. A failure was encountered when registering as an event source.

Users will not be able to access protected resources until the authentication service can be restarted.

Additional Data
The data field contains a Win32 error code.

Resolve

Grant the AD FS Authentication Service the Generate Security Audits privilege

Active Directory Federation Services (AD FS) components that write audits must be configured to run as LocalSystem, NetworkService, or a domain principal account that has been granted the Generate Security Audits privilege (SeAuditPrivilege) explicitly.

Either grant the AD FS Authentication Service principal account the Generate Security Audits privilege in Local Security Policy or configure the authentication service to run as a domain principal that has already been granted the Generate Security Audits privilege. For example, configure the authentication service to run as LocalSystem.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To configure the AD FS Web Agent Authentication Service to run as LocalSystem, NetworkService, or a custom domain principal account:

  1. On the AD FS-enabled Web server, click Start, point to Administrative Tools, and then click Services.
  2. Right-click AD FS Web Agent Authentication Service, and then click Properties.
  3. On the Log On tab, do one of the following, depending on the type of account that you want to assign, and then click OK:
    • Click Local System account.
    • Click This account, and then type a domain principal account name and password for an account that has been granted the Generate Security Audits privilege.

Verify

Verify that the principal account specified in the properties of the AD FS Authentication Service has been granted the Generate Security Audits privilege in Local Security Policy.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that the Generate Security Audits privilege has been granted to the principal account specified in the AD FS Authentication Service:

  1. On the AD FS-enabled Web server, click Start, point to Administrative Tools, and then click Services.
  2. Right-click AD FS Web Agent Authentication Service, and then click Properties. Record the name of the account that is used as the principal account before you start the Local Security Policy snap-in.
  3. After you identify this account, click Start, point to Administrative Tools, click Local Security Policy, and then double-click Local Policies.
  4. Double-click User Rights Assignment.
  5. In the details pane, right-click Generate Security Audits, and then click Properties.
  6. Verify that the principal account you recorded is present in the list.

Windows NT Token-Based Application Auditing

Active Directory Federation Services