Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community
SOLVED

Auditing of AD FS events

Brass Contributor

I've tried to install the newest MDI sensor on one of my AD FS servers but under the installation if reports that auditing is not configured correctly - see attached image.

 

It's possible to click Next and proceed with the installation.

 

I've verified that the auditing is in place and configured according to the guide. I can even see the audit events in the security log.

 

What am I missing here?

 

Just for your information, then the service wont start after the installation - I'll start another discussion about that issue :)

12 Replies

@bjarneabraham 
Can  you run on this machine from powershell this command and share the full output?

(Get-AdfsProperties).LogLevel

 

best response confirmed by bjarneabraham (Brass Contributor)
Solution

@bjarneabraham 

Hi,

Just got another similar case,  that was resolved by running the setup elevated.

Can you try that and let me know if the warning is gone ?

@Eli Ofek running the installation elevated solved the issue. Then it doesn't raise an alert about issue regarding auditing on the ADFS server. Thanks.

@bjarneabraham It was a success on one of the AD FS servers but not on the others :(

 

I've checked the audit level and requirements and they are exact the same.

 

Any good ideas? :)

@bjarneabraham 
Can you share the output of

(Get-AdfsProperties).LogLevel

from the working and non working server? 

PS C:\Windows\system32> (Get-AdfsProperties).LogLevel
Errors
FailureAudits
Information
Verbose
SuccessAudits
Warnings

It's only possible to execute the command on the primary AD FS node as it's a farm setting.

@bjarneabraham 

In this case the non working machine is not a primary ?

Can you share the output of this command when running on the non primary machine (even if it returns an error) ?

PS C:\Windows\system32> (Get-AdfsProperties).LogLevel
Get-AdfsProperties : PS0033: This cmdlet cannot be executed from a secondary server in a local database farm. The prim
ary server is presently: server.domain.tld. To execute management cmdlets, either log onto the primary server or conn
ect using PowerShell remoting. For more information see http://go.microsoft.com/fwlink/?LinkId=294129.
At line:1 char:2
+ (Get-AdfsProperties).LogLevel
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OpenError: (:) [Get-AdfsProperties], InvalidOperationException
+ FullyQualifiedErrorId : PS0033,Microsoft.IdentityServer.Management.Commands.GetServicePropertiesCommand

@bjarneabraham 
Thanks! I will open a bug for it.

You can ignore the warning during setup for now, it will work fine.

Great, hereby installed and working :)

@Eli Ofek FYI running setup elevated solved the issue for us too.

Would be nice to either see docs updated or the install file changed.

@RNalivaika 

The docs actually says that already:

https://docs.microsoft.com/en-us/defender-for-identity/install-step4

 

"Run Azure ATP sensor setup.exe with elevated privileges (Run as administrator) and follow the setup wizard."

 

As for changing the exe to auto prompt a UAC dialog, there is currently a technical limitation preventing us from doing so due to the installer infra we use that intentionally block it, but we are working on it to work like that. it will take some time though, as it is going to be incorporated with some other features that will make the deployment a breeze. stay tuned on this topic.... 

1 best response

Accepted Solutions
best response confirmed by bjarneabraham (Brass Contributor)
Solution

@bjarneabraham 

Hi,

Just got another similar case,  that was resolved by running the setup elevated.

Can you try that and let me know if the warning is gone ?

View solution in original post