Auditing Enhancements to AD FS in Windows Server 2016

Applies To: Windows Server 2016

Currently, in AD FS for Windows Server 2012 R2, numerous audit events are generated for a single request, and the relevant information about a log-in or token issuance activity is either absent (in some versions of AD FS) or spread across multiple audit events. By default, the AD FS audit events are turned off due to their verbose nature.
With the release of AD FS in Windows Server 2016, auditing has become more streamlined and less verbose.

Auditing levels in AD FS for Windows Server 2016

By default, AD FS in Windows Server 2016 has basic auditing enabled. With basic auditing, administrators will see 5 or fewer events for a single request. This marks a significant decrease in the number of events administrators have to look at in order to see a single request. The auditing level can be raised or lowered using the PowerShell cmdlet Set-AdfsProperties -AuditLevel. The table below explains the available auditing levels.

| Audit Level | PowerShell syntax | Description |
|---|---|---|
| None | Set-AdfsProperties -AuditLevel None | Auditing is disabled and no events will be logged. |
| Basic (Default) | Set-AdfsProperties -AuditLevel Basic | No more than 5 events will be logged for a single request. |
| Verbose | Set-AdfsProperties -AuditLevel Verbose | All events will be logged. This will log a significant amount of information per request. |

To view the current auditing level, you can use the PowerShell cmdlet Get-AdfsProperties.


Types of Audit Events

AD FS audit events can be of different types, based on the different types of requests processed by AD FS. Each type of audit event has specific data associated with it. Audit event types distinguish login requests (i.e. token requests) from system requests (server-to-server calls, including fetching configuration information).
The table below describes the basic types of audit events.

| Audit Event Type | Event ID | Description |
|---|---|---|
| Fresh Credential Validation Success | 1202 | A request where fresh credentials are validated successfully by the Federation Service. This includes WS-Trust, WS-Federation, SAML-P (first leg to generate SSO) and OAuth Authorize Endpoints. |
| Fresh Credential Validation Error | 1203 | A request where fresh credential validation failed on the Federation Service. This includes WS-Trust, WS-Fed, SAML-P (first leg to generate SSO) and OAuth Authorize Endpoints. |
| Application Token Success | 1200 | A request where a security token is issued successfully by the Federation Service. For WS-Federation and SAML-P, this is logged when the request is processed with the SSO artifact (such as the SSO cookie). |
| Application Token Failure | 1201 | A request where security token issuance failed on the Federation Service. For WS-Federation and SAML-P, this is logged when the request was processed with the SSO artifact (such as the SSO cookie). |
| Password Change Request Success | 1204 | A transaction where the password change request was successfully processed by the Federation Service. |
| Password Change Request Error | 1205 | A transaction where the password change request failed to be processed by the Federation Service. |
| System | - | Describes that this was a system request. For example, AD FS server-to-server requests and proxy-to-STS requests. |
| Discovery | - | A request to Federation metadata or MEX endpoints. |
| Sign Out Success | 1206 | Describes a successful sign-out request. |
| Sign Out Failure | 1207 | Describes a failed sign-out request. |
| Device Registration | - | Request for device registration service. |
| Resource | - | This includes requests for resources such as JavaScript and images. |
| Configuration | - | This describes a configuration request into the system. Important for admins to understand change management on a business-critical request. |
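
A triage sketch for the event IDs in the table above, added here as an example (it is not part of the original page and not Microsoft's code): it buckets basic AD FS audit events by hour and type so that a run of 1203 credential validation errors stands out. `Get-AdfsAuditSummary` and the sample records are hypothetical; the commented on-server query assumes the audit events are written to the Security log under the provider name `AD FS Auditing`, which this page does not state.

```powershell
# Added example. Get-AdfsAuditSummary and $sample are hypothetical names.
# Event IDs and type names come from the basic audit event table above.
$AdfsAuditTypes = @{
    1200 = 'Application Token Success'
    1201 = 'Application Token Failure'
    1202 = 'Fresh Credential Validation Success'
    1203 = 'Fresh Credential Validation Error'
    1204 = 'Password Change Request Success'
    1205 = 'Password Change Request Error'
    1206 = 'Sign Out Success'
    1207 = 'Sign Out Failure'
}

function Get-AdfsAuditSummary {
    param([Parameter(Mandatory)][object[]]$Records)
    # Keep only the IDs listed in the table, then count per hour and event ID.
    $Records |
        Where-Object { $AdfsAuditTypes.ContainsKey([int]$_.Id) } |
        Group-Object -Property { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') }, Id |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                Hour    = $first.TimeCreated.ToString('yyyy-MM-dd HH:00')
                EventId = [int]$first.Id
                Type    = $AdfsAuditTypes[[int]$first.Id]
                Count   = $_.Count
            }
        } | Sort-Object Hour, EventId
}

# Constructed sample records standing in for Security log entries.
$sample = @(
    [pscustomobject]@{ Id = 1202; TimeCreated = [datetime]'2024-01-01T09:05:00' }
    [pscustomobject]@{ Id = 1200; TimeCreated = [datetime]'2024-01-01T09:05:01' }
    [pscustomobject]@{ Id = 1203; TimeCreated = [datetime]'2024-01-01T10:10:00' }
    [pscustomobject]@{ Id = 1203; TimeCreated = [datetime]'2024-01-01T10:11:00' }
    [pscustomobject]@{ Id = 1203; TimeCreated = [datetime]'2024-01-01T10:12:00' }
    [pscustomobject]@{ Id = 4624; TimeCreated = [datetime]'2024-01-01T10:12:30' }  # not in the table, ignored
)
Get-AdfsAuditSummary -Records $sample | Format-Table -AutoSize

# On an AD FS server (assumption: Security log, provider 'AD FS Auditing'):
# (Get-AdfsProperties).AuditLevel   # confirm auditing is not set to None
# $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 1200..1207 }
# Get-AdfsAuditSummary -Records $events
```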