jannep 1.16K Rep.

Has anyone found a way or a MP to monitor ADFS logins via SCOM?

I want to make sure that users can correctly authenticate via ADFS.

The ADFS MP just checks that the service itself is up. And I can check that the login page looks ok. But what about doing a login?

ADFS does not use Windows authentication, so I can't use the built-in methods of authentication for that site.

jannep answered
    • Does ADFS log anything in the event log? If so, you can create an event collection rule that alerts when failed logins are detected. This guide is pretty comprehensive and should give you the info you need: http://overcast.azurewebsites.net/2013/04/creating-rules-to-monitor-security-logs-with-scom-2012-sp1/
    • Looks as though it does: http://c7solutions.com/2015/12/checking-for-login-issues-with-ad-fs-and-office-365
    • Guide to enable troubleshooting configuration for ADFS: https://technet.microsoft.com/en-us/library/cc738766(v=ws.10).aspx
    • You could also create a task in SCOM that uses the script in this article, which you could then pull into a SQUP dashboard, either as data on demand or via an action/task button, for full end-to-end detection and troubleshooting: https://blogs.technet.microsoft.com/tspring/2016/02/17/easy-parsing-of-adfs-security-audit-events/
    • Those were good links, but not exactly what I was looking for. We have probably >50.000 ADFS logins per day and a lot of them go wrong due to wrong passwords, so monitoring the logs won't help that much. I need to do a correct login with a test account and verify that the login works, and alert if it does not.
    • Ah, okay. That makes life a little easier. You'll need to create a synthetic transaction in SCOM. This will essentially test the login process at a regular interval. This is called a Web Application Transaction monitor: https://technet.microsoft.com/en-us/library/hh457597(v=sc.12).aspx
    • I'm afraid that it won't work that way. That monitor requires Windows authentication, which ADFS does not use.
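As an added example that is not part of this thread, here is a PowerShell script monitor body that does the synthetic login the question asks for without relying on Windows authentication: it submits one dedicated test account to the ADFS WS-Trust username/password endpoint and reports the outcome as a SCOM property bag. It assumes the /adfs/services/trust/13/usernamemixed endpoint is enabled, that the script runs on a SCOM agent (for MOM.ScriptAPI), and that the hostname, account name and relying-party identifier below are placeholders for your own values.

```powershell
# Synthetic ADFS login probe for a SCOM PowerShell script monitor (example, not from the thread).
param(
    [string]$AdfsHost = "adfs.example.com",               # placeholder
    [string]$Username = "svc-adfs-probe@example.com",     # placeholder: dedicated test account
    [string]$Password = $env:ADFS_PROBE_PASSWORD,         # supply from a SCOM Run As account, never hard-code
    [string]$Realm    = "urn:federation:MicrosoftOnline"  # relying party to request a token for (placeholder)
)
$endpoint = "https://$AdfsHost/adfs/services/trust/13/usernamemixed"
$now = (Get-Date).ToUniversalTime()
# XML-escape credentials so a password containing < or & cannot break the SOAP envelope
$u = [System.Security.SecurityElement]::Escape($Username); $p = [System.Security.SecurityElement]::Escape($Password)

# WS-Trust 1.3 RequestSecurityToken (Issue) carrying a UsernameToken
$rst = @"
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
    <a:MessageID>urn:uuid:$([guid]::NewGuid())</a:MessageID><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo>
    <a:To s:mustUnderstand="1">$endpoint</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0"><u:Created>$($now.ToString("o"))</u:Created><u:Expires>$($now.AddMinutes(5).ToString("o"))</u:Expires></u:Timestamp>
      <o:UsernameToken u:Id="uuid-$([guid]::NewGuid())"><o:Username>$u</o:Username><o:Password>$p</o:Password></o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <t:RequestSecurityToken xmlns:t="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">
        <a:EndpointReference><a:Address>$Realm</a:Address></a:EndpointReference>
      </wsp:AppliesTo>
      <t:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</t:KeyType><t:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</t:RequestType>
    </t:RequestSecurityToken>
  </s:Body>
</s:Envelope>
"@

$bag = (New-Object -ComObject "MOM.ScriptAPI").CreatePropertyBag()
$sw  = [Diagnostics.Stopwatch]::StartNew()
try {
    $resp = Invoke-WebRequest -Uri $endpoint -Method Post -Body $rst -UseBasicParsing -TimeoutSec 30 `
                              -ContentType "application/soap+xml; charset=utf-8"
    # A successful login returns an RSTR carrying the SAML token; anything else is a failed transaction.
    $ok = ($resp.StatusCode -eq 200) -and ($resp.Content -match "RequestSecurityTokenResponse")
    $bag.AddValue("State",  $(if ($ok) { "OK" } else { "FAIL" }))
    $bag.AddValue("Detail", $(if ($ok) { "Token issued" } else { "HTTP $($resp.StatusCode) without a token" }))
} catch {
    # A rejected password or disabled test account comes back as an HTTP 500 SOAP fault and lands here.
    $bag.AddValue("State",  "FAIL")
    $bag.AddValue("Detail", $_.Exception.Message)
}
$bag.AddValue("LatencyMs", [int]$sw.ElapsedMilliseconds)
$bag   # emit the property bag; the monitor's unhealthy expression checks Property[@Name='State'] -eq "FAIL"
```

Alert on State equal to FAIL in the monitor's unhealthy expression and collect LatencyMs as a performance rule, so a slow ADFS farm is visible before logins start failing outright.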