Troubleshooting AD FS
AD FS has many moving pieces, integrates with many other systems, and depends on many of them working correctly. Naturally, this can give rise to a wide range of issues. This document is designed to get you started on troubleshooting them: it introduces the typical areas you should focus on, how to enable features that provide additional information, and the tools that can be used to track down problems.
For additional information, see AD FS Help, which collects tools for diagnosing authentication issues in one place so that users and administrators can resolve them faster.
What to Check First
Before you dive into in-depth troubleshooting, there are a few things that you should check first. They are:
- DNS Configuration - can you resolve the name of the federation service? This should resolve to either the load balancer's IP address or the IP address of one of the AD FS servers in your farm. For more information see AD FS Troubleshooting - DNS.
- AD FS Endpoints - can you browse to the AD FS endpoints? By browsing to an endpoint such as the federation metadata document you can determine whether or not your AD FS web server is responding to requests. If you can retrieve that file, you know that AD FS is servicing requests over 443 just fine. For more information see AD FS Troubleshooting - Endpoints.
- IdP-Initiated Sign On - can you sign in and authenticate through the IdP-initiated sign-on page? This page is disabled by default, so make sure it has been enabled: run `Set-AdfsProperties -EnableIdPInitiatedSignOn $true` to enable it. If you can sign in and authenticate, you know that AD FS is working in this area. For more information see AD FS Troubleshooting - SignOn.
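The three first-pass checks above, run in order from an AD FS server, as an added PowerShell example (this is not code from the original page). It assumes an elevated session on an AD FS farm member so that the ADFS module cmdlets are available, and it uses the hypothetical federation service name `fs.contoso.com`; replace it with yours.

```powershell
# Added example: first-pass AD FS health checks (not part of the original page).
# Assumptions: run elevated on an AD FS server; $FederationServiceName is the farm's
# federation service FQDN ('fs.contoso.com' below is a hypothetical placeholder).
param(
    [string]$FederationServiceName = 'fs.contoso.com'
)

# 1. DNS: the federation service name should resolve to the load balancer's VIP or to
#    one of the farm members, never to a name that does not exist.
$dns = Resolve-DnsName -Name $FederationServiceName -Type A -ErrorAction Stop
$dns | Where-Object { $_.Type -eq 'A' } |
    ForEach-Object { "DNS: $FederationServiceName -> $($_.IPAddress)" }

# Confirm TCP 443 is reachable before testing anything over HTTPS.
$tcp = Test-NetConnection -ComputerName $FederationServiceName -Port 443
if (-not $tcp.TcpTestSucceeded) { throw "TCP 443 to $FederationServiceName is not reachable" }

# 2. Endpoints: fetch the federation metadata document. A 200 response means AD FS is
#    servicing requests over 443 and the TLS certificate chain is trusted by this client;
#    a certificate error here points at the service communications certificate.
$metadataUrl = "https://$FederationServiceName/FederationMetadata/2007-06/FederationMetadata.xml"
$response = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
$metadata  = [xml]$response.Content
"Metadata: HTTP $($response.StatusCode), entityID $($metadata.EntityDescriptor.entityID)"

# 3. IdP-initiated sign-on: disabled by default, so enable it only for the duration of the
#    troubleshooting session and turn it off again afterwards.
$props = Get-AdfsProperties
if (-not $props.EnableIdpInitiatedSignonPage) {
    Set-AdfsProperties -EnableIdPInitiatedSignOn $true
    "Enabled the IdP-initiated sign-on page; disable it again when you are finished."
}
"Sign-on page: https://$FederationServiceName/adfs/ls/IdpInitiatedSignOn.aspx"
```

Each step depends on the one before it: if DNS does not resolve, the endpoint test tells you nothing new, and if the metadata cannot be retrieved, a failed sign-in is almost certainly a transport or certificate problem rather than an authentication one.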
Common Troubleshooting Areas
| Area | Description |
| --- | --- |
| Event Logging and Auditing | Use the Windows Event Logs to view high-level and low-level information via the Admin and Trace logs. The logs can also be used to view security auditing. |
| SQL Connectivity | Information on testing the connectivity between your AD FS servers and the backend SQL databases. |
| Claims Issuance | Information on determining whether AD FS is issuing claims correctly. |
| Loop Detection | Information on detecting and preventing users from being bounced back and forth between the IdP and an RP. |
| Certificates | Typical certificate issues that can arise. |
| Fiddler | Information on how to install and use Fiddler. |
| WS-Federation with Fiddler | Detailed Fiddler trace of a WS-Federation interaction. |
| Claim Rules | Information on troubleshooting claim rules and their syntax. |
| Integrated Windows Authentication | Information on troubleshooting integrated authentication. |
| Azure AD | Information on troubleshooting AD FS interaction with Azure AD. |
| AD FS Diagnostics Analyzer | AD FS Help Diagnostics Analyzer can help perform basic AD FS checks using the diagnostics PowerShell module. |
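For the Event Logging and Auditing area above, here is an added PowerShell example (not code from the original page) that reads recent errors from the Admin log, enables the Trace log just long enough to reproduce a problem, and turns on security auditing. It assumes an elevated session on an AD FS server running AD FS 2016 or later, which is the version that introduced the `-AuditLevel` parameter.

```powershell
# Added example: collecting AD FS Admin, Trace and Security-audit information
# (not part of the original page). Assumes an elevated session on an AD FS 2016+ server.

# Admin log: high-level operational events. Start with recent errors and warnings.
Get-WinEvent -LogName 'AD FS/Admin' -MaxEvents 200 |
    Where-Object { $_.Level -le 3 } |            # 1 = Critical, 2 = Error, 3 = Warning
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# Trace log: low-level detail, disabled by default. Enable it, reproduce the failing
# sign-in, then disable it again because it fills quickly.
wevtutil.exe set-log 'AD FS Tracing/Debug' /enabled:true
# ... reproduce the problem here ...
wevtutil.exe set-log 'AD FS Tracing/Debug' /enabled:false

# Debug/analytic logs can only be read oldest-first.
Get-WinEvent -LogName 'AD FS Tracing/Debug' -Oldest -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message |
    Format-List

# Security auditing: AD FS writes token-request audits to the Security log only when both
# the AD FS audit level and the Windows audit policy allow it. The AD FS service account
# also needs the "Generate security audits" user right.
Set-AdfsProperties -AuditLevel Verbose
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

# Recent AD FS audit events in the Security log.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing' } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

Leave the Trace log off and drop the audit level back to `Basic` once you have what you need; both generate a high event volume on a busy farm.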