Has anyone found a way or a MP to monitor ADFS logins via SCOM?
I want to make sure that users can correctly authenticate via ADFS.
The ADFS MP just checks that the service itself is up. And I can check that the login page looks ok. But what about doing a login?
ADFS does not use Windows authentication, so I can't use the built-in methods of authentication for that site.
This might be completely wide of the mark, but we use ADFS to authenticate our logins to Office365/SharePoint. We had problems trying to use synthetic transactions, as it is out to a web application, using adfs.
In the end, we are looking at Office365mon, a 3rd-party company. We can install probes on our on-premise servers which test the logins to Office 365 SharePoint. By extension, this also checks that ADFS is functional as, without it, the probes could not connect to the SharePoint sites.
Another way around this which you could try is to use System Centre Orchestrator to attempt the login and then get it to raise a SCOM alert on the failure. A runbook will just need to be created for this to work, and once created you can set to run on a set time frame.
This seems like it would suit your needs, and be the answer to your question. It would just require a bit of time to set-up.
I haven't done this personally; however, I do use SCOM and SCOR together for some self-healing tasks, albeit basic ones.
Does ADFS log anything in the event log? If so, you can create an event collection rule that alerts when failed logins are detected.
This guide is pretty comprehensive and should give you the info you need:
You could also create a task in SCOM that uses the script in this article, which you could then pull into a SQUP dashboard, either as data on demand or via an action/task button, for full end-to-end detection and troubleshooting: https://blogs.technet.microsoft.com/tspring/2016/02/17/easy-parsing-of-adfs-security-audit-events/
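As an added example (not from the thread or the linked article), the event-log approach above can be made useful on a busy farm by alerting on the failure rate in a window rather than on every failed login. It assumes AD FS auditing is enabled and writes to the Security log under the provider "AD FS Auditing", that event 1202 is a validated credential and 1203 a failed validation (AD FS 2012 R2 and later), and the thresholds are placeholder tuning values; a SCOM script monitor or an SMA runbook can use the exit code.

```powershell
# Added example (not from the thread or the linked article): count AD FS
# credential-validation audit events in a sliding window and report the failure
# rate, so a rule can alert on a spike rather than on every mistyped password.
# Assumptions: AD FS auditing is enabled and writes to the Security log under
# provider "AD FS Auditing"; event 1202 = credential validated, 1203 = credential
# validation failed (AD FS 2012 R2 and later). Thresholds are placeholder tuning
# values. Run on a federation server.

param(
    [int]$WindowMinutes = 15,
    [double]$FailureRatioThreshold = 0.5,
    [int]$MinimumAttempts = 50
)

function Get-AdfsCredentialValidationSummary {
    param([int]$Minutes)

    $since = (Get-Date).AddMinutes(-$Minutes)
    # Get-WinEvent throws when nothing matches; treat that as zero events.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'
        Id           = 1202, 1203
        StartTime    = $since
    } -ErrorAction SilentlyContinue)

    $ok    = @($events | Where-Object { $_.Id -eq 1202 }).Count
    $fail  = @($events | Where-Object { $_.Id -eq 1203 }).Count
    $total = $ok + $fail

    [pscustomobject]@{
        WindowStart  = $since
        Succeeded    = $ok
        Failed       = $fail
        Total        = $total
        FailureRatio = if ($total -gt 0) { [math]::Round($fail / $total, 3) } else { 0 }
    }
}

$summary = Get-AdfsCredentialValidationSummary -Minutes $WindowMinutes

# A window is abnormal only when there is enough traffic to be meaningful AND
# the failure share is above the threshold. Zero successes with many failures is
# the pattern a broken validation path (not just wrong passwords) tends to show.
$alert = ($summary.Total -ge $MinimumAttempts) -and
         ($summary.FailureRatio -ge $FailureRatioThreshold)

$summary | Add-Member -NotePropertyName Alert -NotePropertyValue $alert -PassThru

# Non-zero exit lets a SCOM script monitor or SMA runbook treat this as unhealthy.
if ($alert) { exit 1 } else { exit 0 }
```

The point of the ratio is that a farm with tens of thousands of logins a day always has failed attempts; what changes when ADFS itself is broken is that successes drop to zero while attempts continue, which the ratio catches and a per-event rule does not.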
Those were good links but not exactly what I was looking for. We have probably >50.000 ADFS logins per day and a lot of them go wrong due to wrong passwords. So monitoring the logs won't help that much. I need to do a correct login with a test account and verify that the login works and alert if it does not.
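As an added example, not from the thread, this is the shape of the synthetic login that the runbook suggestion above (Orchestrator or SMA) could run with a dedicated test account: it performs a forms-based AD FS sign-in and writes the result as a Windows event that a SCOM event rule can alert on. It assumes AD FS 2012 R2 or later with forms authentication for the probe's network, that the IdP-initiated sign-on page /adfs/ls/idpinitiatedsignon.aspx is enabled, that the form posts the fields UserName, Password and AuthMethod=FormsAuthentication, and that a successful sign-in sets the MSISAuth* cookies; the host name, file path, event source and event IDs are placeholders. The credential file is created once with Export-Clixml, which protects the password with DPAPI for that user on that machine.

```powershell
# Added example, not from the thread: a synthetic AD FS forms sign-in with a
# dedicated monitoring account, meant to run from an SMA or Orchestrator runbook
# (or a SCOM script monitor) and to surface the result as a Windows event that a
# SCOM event rule alerts on. Assumptions: AD FS 2012 R2 or later with forms
# authentication for the probe's network, the IdP-initiated sign-on page is
# enabled, the form posts UserName / Password / AuthMethod=FormsAuthentication,
# and a successful sign-in sets MSISAuth* cookies. Host name, file path, event
# source and event IDs are placeholders.
#
# One-time setup (as the account the runbook runs under, on the probe host):
#   Get-Credential | Export-Clixml -Path C:\Monitoring\adfs-probe.cred.xml

param(
    [string]$AdfsServer     = 'adfs.example.com',
    [string]$CredentialPath = 'C:\Monitoring\adfs-probe.cred.xml',
    [string]$EventSource    = 'ADFS Synthetic Monitor',
    [int]$TimeoutSeconds    = 30
)

function Test-AdfsFormsLogin {
    param([string]$Server, [pscredential]$Credential, [int]$Timeout)

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    $url = "https://$Server/adfs/ls/idpinitiatedsignon.aspx"
    $sw  = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # 1. GET the sign-in page so AD FS issues its session cookies.
        $page = Invoke-WebRequest -Uri $url -SessionVariable session `
                    -UseBasicParsing -TimeoutSec $Timeout

        # 2. POST the form the same way the browser does.
        $body = @{
            UserName   = $Credential.UserName
            Password   = $Credential.GetNetworkCredential().Password
            AuthMethod = 'FormsAuthentication'
        }
        $resp = Invoke-WebRequest -Uri $url -Method Post -Body $body `
                    -WebSession $session -UseBasicParsing -TimeoutSec $Timeout

        # 3. Judge the outcome. Success: HTTP 200, MSISAuth* cookies present and
        #    the form's error element empty. A rejected password re-renders the
        #    form with id="errorText" populated (assumed page layout).
        $authCookies = $session.Cookies.GetCookies([uri]$url) |
                       Where-Object { $_.Name -like 'MSISAuth*' }
        $hasError    = $resp.Content -match 'id="errorText"[^>]*>\s*[^<\s]'
        $success     = ($resp.StatusCode -eq 200) -and $authCookies -and -not $hasError
        if ($success)       { $reason = 'Signed in' }
        elseif ($hasError)  { $reason = 'AD FS rejected the credentials' }
        else                { $reason = "No auth cookie; HTTP $($resp.StatusCode)" }
    } catch {
        # Network errors, TLS failures and 4xx/5xx responses all land here.
        $success = $false
        $reason  = "Request failed: $($_.Exception.Message)"
    }
    $sw.Stop()

    [pscustomobject]@{
        Success   = $success
        Reason    = $reason
        LatencyMs = $sw.ElapsedMilliseconds
        Server    = $Server
    }
}

$cred   = Import-Clixml -Path $CredentialPath
$result = Test-AdfsFormsLogin -Server $AdfsServer -Credential $cred -Timeout $TimeoutSeconds

# Emit an Application-log event a SCOM event rule can match on:
# ID 1000 = probe succeeded, ID 1001 = probe failed (placeholder IDs).
if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
    New-EventLog -LogName Application -Source $EventSource   # needs elevation, once
}
$msg = "ADFS synthetic login against $($result.Server): $($result.Reason) ($($result.LatencyMs) ms)"
if ($result.Success) {
    Write-EventLog -LogName Application -Source $EventSource -EntryType Information -EventId 1000 -Message $msg
} else {
    Write-EventLog -LogName Application -Source $EventSource -EntryType Error -EventId 1001 -Message $msg
}
$result
```

Use a separate, least-privilege account for the probe (no mailbox or SharePoint rights beyond what the test needs) so that its password sitting on the probe host carries little risk, and have the SCOM rule alert on ID 1001 or on the absence of any 1000/1001 event for longer than the schedule interval, since a runbook that stops running looks identical to a healthy one otherwise.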
Ah, okay. That makes life a little easier. You’ll need to create a synthetic transaction in SCOM. This will essentially test the login process at a regular interval.
This is called a Web Application Transaction monitor:
I'm afraid that it won't work that way. That monitor requires Windows authentication, which ADFS does not use.
That was a good tip. But we would prefer something integrated with our on-prem SCOM.
Thanks for the tip. We are using SMA right now so it could be a solution.
Let me know how you get on with it