Safewhere*ADFS2Logging

Safewhere*ADFS2Logging User Guidelines Version: 1.0 Date: 18-06-2013 Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 1

Contents Introduction... 4 HTTP Logging Module... 4 AD FS 2.0 Trace Logging... 5 Installation... 6 HTTP Logging Module Installation... 6 Installer... 6 Register AD FS 2.0 Logging HttpModule... 8 Register HTTP Logging Module to Sign-In Page... 8 AD FS 2.0 Trace Logging Installation... 9 Installer... 9 Configure to Enable End to End Trace Log... 12 Register AD FS 2.0 Trace Logging... 16 Modify Local Security Policy... 16 Uninstallation... 17 HTTP Logging Module... 17 AD FS 2.0 Trace Logging... 18 Event Viewer... 20 Access to Event Viewer... 20 Examine an Event Log... 21 Setting Event Log Options... 22 Clearing the Event Logs... 23 Archiving the Event Logs... 23 Archive Log Formats... 23 Creating Log Archives in the Event Viewer Format... 23 Creating Log Archives in Other Formats... 24 Viewing Log Archives... 24 Monitor Logging Event Logs... 25 Filter Logging Event Logs... 25 Logging Event IDs... 26 Event# 300... 26 Event# 301... 26 Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 2

Event# 302... 26 Event# 303... 27 Event# 304... 27 Event# 307... 27 Event# 308... 27 Event# 330... 27 Event# 331... 27 Event# 332... 28 Event# 333... 28 Event# 400... 28 Event# 500... 28 Event# 501... 28 Event# 600... 28 Event# 1300... 29 Event# 1301... 29 Event# 1304... 29 Event# 1307... 29 Event# 1330... 29 Event# 1400... 29 Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 3

Introduction A user accesses a Relying Party (RP) which redirects to AD FS 2.0 federation service for a token. An error occurs at the federation service, which then returns an error. The user then typically contacts admin/support for help, who are faced with the following challenges: How to figure out the reason for the failure from the event log, which potentially has hundreds of events. Finding out if any of the events log the caller identity information and at the same time corresponds to the failure. Finding a way to correlate multiple event log events that may be logged for the same failure (Especially across the passive client web application and the WS-Trust STS). Finding a way to correlate multiple trace log traces for the request leading up to the failure. In the case of AD FS 2.0 deployment scenario involving a federation server proxy, finding out if the failure events can be correlated across machine boundaries between the proxy and the federation service. Fortunately, AD FS 2.0 logs detailed events and traces to help easy diagnosis of failures when faced with the above challenges. However, it is sometimes difficult to diagnose the trouble caused in the connections between parts in a federation e.g. AD FS 2.0 and Identity*Runtime. HTTP Logging Module and AD FS 2.0 Trace Logging support the monitoring and troubleshooting of the various events and traces logged for a token issuance request or response in a simple way. HTTP Logging Module The HTTP Logging Module is basically a spy application listening in on communication to and from the AD FS s Sign-In Pages. The Sign-In Pages are part of AD FS and are deployed when the AD FS 2.0 Federation Server Configuration Wizard is run. The Sign-In Pages handle both the WS-Federation passive profile and the SAML Web SSO profile. It exposes extensibility points that allow a developer to perform various customizations. The pages are located in C:\inetpub\adfs\ls and deployed under the /adfs/ls virtual directory of the Default Web site in IIS. The AD FS HTTP Logging Module is an assembly placed in the bin folder of Sign-In Pages that is called on every request that is made to ADFS. It lets you examine incoming and outgoing requests while logging and relating the auditing to the Security Event Log. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 4

AD FS 2.0 Trace Logging Tracking problems in AD FS 2.0 can be really cumbersome. Sometimes, it is necessary to look at Windows Communication Foundation (WCF) and Windows Identity Foundation (WIF) trace messages to troubleshoot an issue. AD FS 2.0 makes it possible for WCF and WIF traces to be logged in the AD FS 2.0 trace log along with AD FS 2.0 traces. AD FS 2.0 Trace Logging uses a technology called E2E Tracing (for End to End tracing) to make trace loggingeasierof course, this technology is only as good as the traces that a system emits. Enabling tracing for WCF and WIF using AD FS 2.0 Trace Logging involves modifying the switchvalue attribute to Verbose in Microsoft.IdentityServer.ServiceHost.Exe.Config file. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 5

Installation HTTP Logging Module Installation Installer Launch HttpLoggingModule.exe to start the HTTP Logging Module installation wizard. Page 1 is an introduction, so just immediately click the Next button to go to next page. In the Select Installation Folder page, you must specify the folder in which you want the Sign-In Pages installed. Choose the Everyone radio button, if you want other people accessing this information to have access to the application. Click the Next button until installation commences. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 6

After finishing the installation, the LogConfiguration.config file and a bin folder, which contains assemblies and batch file, will be added to C:\inetpub\adfs\ls as shown below: The assemblies are located in the bin folder: Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 7

Register AD FS 2.0 Logging HttpModule From the Windows Explorer, open the folder C:\inetpub\adfs\ls\bin. Right-click on SecurityLogMessageFile Installer.bat and choose Run as administrator to register "AD FS 2.0 Logging HttpModule" source event, which binds the auditing event log to Security Event Log, and to reset the IIS service. Register HTTP Logging Module to Sign-In Page Open the web.config file from C:\inetpub\adfs\ls. Add these sections to web.config within the handlers. <modules> <add name="requestlogger" type="gad.logging.httpmodules.requestloggermodule, GAD.Logging.HttpModules"/> </modules> An example is here shown: Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 8

AD FS 2.0 Trace Logging Installation Installer Launch the ADFS2TraceLogging.exe installer to start the AD FS 2.0 Trace Logging installation wizard. Continue to step 2. Read the License Agreement and check the I have read, understand, and accepted license agreement displayed above. Type in Name and Company on the Registration Information page. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 9

Specify the location of AD FS 2.0. The default location of AD FS 2.0 is C:\Program Files\Active Directory Federation Services 2.0. On the Start Installation page, click the Next button to start the installation process. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 10

The installation should now have been successfully completed as shown below. After finishing the installation, a number of assemblies and configuration files will have been added to C:\Program Files\Active Directory Federation Services 2.0. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 11

It is now time to configure these to finish the setup. Configure to Enable End to End Trace Log In this chapter, it will be explained how you enable the WCF and WIF trace log with AD FS 2.0 Trace Logging. You must make sure to complete all of the below steps: Open the file Microsoft.IdentityServer.Servicehost.exe.config from C:\Program Files\Active Directory Federation Services 2.0 by any text editor such as Notepad or Notepad ++. Add the following sections right above the <system.servicemodel> node <appsettings> <add key="saml-log4net-path" value="c:\program Files\Active Directory Federation Services 2.0\saml- logging.config"/> <add key="logtosecurityeventlog" value="true"/> </appsettings> Add the following section just after <appsettings> to enable System.ServiceModel diagnostics <system.servicemodel> <diagnostics> <messagelogging maxmessagestolog="30000" logentiremessage="true" logmessagesatservicelevel="true" logmalformedmessages="true" logmessagesattransportlevel="true"> </messagelogging> </diagnostics> </system.servicemodel> Add the following section inside <resources> </resources> to enable WCF trace log and WIF trace log for xml shared listener. Set switchvalue attribute to Verbose and logknownpii attribute value to True. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 12

<source name="microsoft.identitymodel" switchvalue="verbose" > <listeners> <add name="xml"/> </listeners> </source> <source name="system.servicemodel" switchvalue="verbose" propagateactivity="true" logknownpii="true"> <listeners> <add name="xml"/> </listeners> </source> <source name="system.servicemodel.messagelogging" logknownpii="true"> <listeners> <add name="xml"/> </listeners> </source> Add the configuration for xml trace log listener for End to End Tracing log <sharedlisteners> <add name="xml" type="gad.adfs2.saml2protocollogging.adfs2saml2protocoltracelistener, Gad.Adfs2.Saml2ProtocolLogging" initializedata="trace.e2e"/> </sharedlisteners> Below is a complete sample of the Microsoft.IdentityServer.Servicehost.exe.config after changes: <?xml version="1.0" encoding="utf-8"?> <configuration> <configsections> <section name="microsoft.identityserver.service" type="microsoft.identityserver.service.configuration.serviceconfiguration, Microsoft.IdentityServer.Service, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorarchitecture=msil" /> <section name="microsoft.identityserver" type="microsoft.identityserver.service.configuration.identityserverconfiguration, Microsoft.IdentityServer.Service, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorarchitecture=msil"/> <section name="microsoft.identityserver.proxy" type="microsoft.identityserver.service.configuration.proxyconfigurationsection, Microsoft.IdentityServer.Service, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorarchitecture=msil"/> </configsections> <microsoft.identityserver servicemode="server"/> <microsoft.identityserver.proxy > <host name="" httpport="80" httpsport="443" /> <proxytrust proxytrustrenewperiod="240" /> </microsoft.identityserver.proxy> <microsoft.identityserver.service> <policystore connectionstring="data Source=\\.\pipe\mssql$microsoft##ssee\sql\query;Initial Catalog=AdfsConfiguration;Integrated Security=True" Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 13

administrationurl="net.tcp://localhost:1500/policy" /> <trustmonitoring enabled="true" /> </microsoft.identityserver.service> <!--added--> <appsettings> <add key="saml-log4net-path" value="c:\program Files\Active Directory Federation Services 2.0\saml-logging.config"/> <add key="logtosecurityeventlog" value="true"/> </appsettings> <system.servicemodel> <!-- Enable this section to enable system.servicemodel diagnostics --> <diagnostics> <messagelogging maxmessagestolog="30000" logentiremessage="true" logmessagesatservicelevel="true" logmalformedmessages="true" logmessagesattransportlevel="true"> </messagelogging> </diagnostics> </system.servicemodel> <system.diagnostics> <sources> <!-- To enable WIF tracing, change the switchvalue below to desired trace level - Verbose, Information, Warning, Error, Critical --> <!-- Set TraceOutputOptions as comma separated value of the following; ProcessId ThreadId CallStack. Specify None to not include any of the optional data--> <!-- NOTE THAT THE CHANGES TO THIS SECTION REQUIRES SERVICE RESTART TO TAKE EFFECT --> <source name="microsoft.identitymodel" switchvalue="off"> <listeners> <add name="adfswiflistener" traceoutputoptions="processid,threadid" initializedata="wif" type="microsoft.identityserver.diagnostics.adfstracelistener,microsoft.identityserver, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorarchitecture=msil" /> </listeners> </source> <!--added--> <source name="microsoft.identitymodel" switchvalue="verbose" > <listeners> <add name="xml"/> </listeners> </source> <!-- To enable WCF tracing, change the switchvalue below to desired trace level - Verbose, Information, Warning, Error, Critical and uncomment the system.servicemodel section below --> <source name="system.servicemodel" switchvalue="off" > <listeners> <add name="adfswcflistener" traceoutputoptions="processid,threadid" initializedata="wcf" type="microsoft.identityserver.diagnostics.adfstracelistener,microsoft.identityserver, Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 14

Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorarchitecture=msil" /> </listeners> </source> <source name="system.servicemodel.messagelogging" switchvalue="off" > <listeners> <add name="adfswcflistener" traceoutputoptions="processid,threadid" initializedata="wcf" type="microsoft.identityserver.diagnostics.adfstracelistener,microsoft.identityserver, Version=6.1.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorarchitecture=msil" /> </listeners> </source> <!--added--> <source name="microsoft.identitymodel" switchvalue="verbose" > <listeners> <add name="xml"/> </listeners> </source> <source name="system.servicemodel" switchvalue="verbose" propagateactivity="true" logknownpii="true"> <listeners> <add name="xml"/> </listeners> </source> <source name="system.servicemodel.messagelogging" logknownpii="true"> <listeners> <add name="xml"/> </listeners> </source> </sources> <!--added--> <sharedlisteners> <add name="xml" type="gad.adfs2.saml2protocollogging.adfs2saml2protocoltracelistener, Gad.Adfs2.Saml2ProtocolLogging" initializedata="trace.e2e"/> </sharedlisteners> <trace autoflush="true" ></trace> </system.diagnostics> <runtime> <gcserver enabled="true"/> </runtime> </configuration> Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 15

Register AD FS 2.0 Trace Logging This chapter will show how to make the AD FS 2.0 Trace Logging module bind the trace log to the Security Event Log. Simply complete the following steps: From the Windows Explorer, open the folder C:\Program Files\Active Directory Federation Services 2.0. Right-click on SecurityLogMessageFile Installer.bat and choose Run as administrator to register "AD FS 2.0 Trace Logging source event, which binds the auditing event log to Security Event Log, and to reset the AD FS service. Modify Local Security Policy From Start menu, point to Administrator Tools and choose Local Security Policy to open console. Expand the Local Policies>Audit Policy below the Security Settings. Open Audit object access s Properties dialog. In the opened dialog, ensure Success and Failure checkboxes are checked. Click Ok button to close the dialog to confirm the modification. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 16

Uninstallation HTTP Logging Module From the Start menu, open Programs and expand the Http Logging Module group where the Uninstall Http Logging Module action is available. In the Maintenance Mode page, choose Repair radio button for re-installing or choose Remove radio button for uninstalling the HTTP Logging Module. When you uninstall the HTTP Logging Module, to ensure all things are removed completely from your server, do as follows: Remove the added sections from C:\inetpub\afds\ls\web.config in the chapter Register HTTP Logging Module to Sign-In Page. From the Start menu, point to Run and type iisreset then push Enter key to reset the IIS service. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 17

AD FS 2.0 Trace Logging Open the AD FS 2.0 Trace Logging group from the Start menu and click the Uninstall Trace Logging Module for AD FS 2.0 action. In the Maintenance Mode page, choose Repair radio button for re-installing or choose Remove radio button for uninstalling the AD FS 2.0 Trace Logging. To ensure that the AD FS 2.0 Trace Module is removed completely from your server, you must carry out the following steps: Remove the added sections in file Microsoft.IdentityServer.ServiceHost.Exe.Config from the chapter Configure to Enable End to End Trace Log. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 18

From the Start menu, point to Run and type cmd then push Enter key to open Command Console. o Type net stop adfssrv to stop the AD FS 2. 0 service. o Then type net start adfssrv to restart the AD FS 2.0 service again. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 19

Event Viewer The Event Viewer keeps a running log of information, alerts and warnings regarding your computer system and the programs and services running on it. In the following chapter we will introduce how it works, since this is necessary to understand how to analyze the information from the HTTP Logging and Trace Logging applications. If you are already well acquainted with the Event Viewer please continue to the Monitor Logging Event Logs chapter. The Event Viewer provides historical information that can help you track down system and security problems. The event-logging service controls whether events are tracked on Windows 2000 systems. When this service is started, you can track user actions and system resource usage events with the following event logs: Application: Events are classified as error, warning, or information, depending on the severity of the event. An error is a significant problem, such as loss of data. A warning is an event that isn't necessarily significant, but might indicate a possible future problem. An information event describes the successful operation of a program, driver, or service. Security: These events are called audits and are described as successful or failed depending on the event, such as whether a user trying to log on to Windows was successful. Setup: Computers that are configured as domain controllers will have additional logs displayed here. System: System events are logged by Windows and Windows system services, and are classified as error, warning, or information. Forwarded Events: These events are forwarded to this log by other computers. Note: Any user who needs access to the security log must be granted the user right to Manage Auditing and the Security Log. By default, members of the Administrators group have this user right. Access to Event Viewer You access the event logs by completing the following steps: 1. In the Computer Management console, connect to the computer whose event logs you want to view or manage. 2. Expand the System Tools node by clicking the plus sign (+) next to it and then double-click Event Viewer. You should now see a list of logs as bellows. 3. Select the log you want to view. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 20

Examine an Event Log Entries in the main panel of Event Viewer provide a quick overview of when, where, and how an event occurred. To obtain detailed information on an event, double-click its entry. The event type precedes the date and time of the event. Event types include: Information: an informational event which is generally related to a successful action. Success: audit an event related to the successful execution of an action. Failure: audit an event related to the failed execution of an action. Warning: a warning. Details for warnings are often useful in preventing future system problems. Error: an error, such as the failure of a service to start. Note: Warnings and errors are the two types of events that you'll want to examine closely. Whenever these types of events occur and you're unsure of the cause, double-click the entry to view the detailed event description. In addition to type, date, and time, the summary and detailed event entries provide the following information: Source: the application, service, or component that logged the event. Category: the category of the event, which is sometimes used to further describe the related action. Event: an identifier for the specific event. User: the user account that was logged on when the event occurred. Computer: the name of the computer where the event occurred. Description: in the detailed entries, a text description of the event. Data: in the detailed entries, any data or error code output by the event. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 21

Setting Event Log Options Log options allow you to control the size of the event logs as well as how logging is handled. By default, based on the specific event logs, the maximum file size is 20,480 KB for Application, Security and System, is 1,028 KB for Setup. Then, when a log reaches this limit, by default, the oldest events will be overwritten to prevent the log from exceeding the maximum file size; or, the event logs will be archived or not overwritten according to your change in log options. To set the log options, complete the following steps: In the Computer Management console, double-click the Event Viewer entry. You should now see a list of event logs. Right-click the event log in the left pane of console whose properties you want to set and select Properties from the shortcut menu. This opens the dialog box shown as bellows. Change the setting as bellows instruction. Click OK button when you're finished. You can change those settings on event properties dialog: Log path: the place the log file located. Maximum log size (in KB): the maximum size in Kb that the log file can reach. The way to do when log size is reached: o Overwrite Events As Needed: when the maximum file size is reached, the oldest event will be overwritten firstly. Generally, this is the best option on a low priority system. o Archive the log when full, do not overwrite events: when the maximum file size is reached, the old events will be moved to archive log file. o Do Not Overwrite Events (Clear Log Manually): when the maximum file size is reached, the system generates error messages telling you the event log is full. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 22

Clearing the Event Logs When an event log is full, you need to clear it. To do that, complete the following steps: In the Computer Management console, double-click the Event Viewer entry. You should now see a list of event logs. Right-click the event log whose properties you want to set and select Clear All Events from the shortcut menu. Choose Yes to save the log before clearing it. Choose No to continue without saving the log file. Archiving the Event Logs On domain controllers or application servers, you will want to keep several months worth of logs. However, it usually is not practical to set the maximum log size to accommodate this. Instead, you should periodically archive the event logs. Archive Log Formats Logs can be archived in three formats: Event log format for access in Event Viewer Tab-delimited text format, for access in text editors or word processors or import into spreadsheets and databases Comma-delimited text format, for import into spreadsheets or databases Creating Log Archives in the Event Viewer Format To create a log archive in the Event Viewer file format, complete the following steps: In the Computer Management console, double-click the Event Viewer entry. You should now see a list of event logs. Right-click the event log you want to archive and select Save Log File As from the shortcut menu. In the Save As dialog box, select a directory and a log filename. In the Save As Type dialog box, Event Log (*.evt) will be the default file type. Choose Save. Note: If you plan to archive logs regularly, you may want to create an archive directory. This way you can easily locate the log archives. You should also name the log file so that you can easily determine the log file type and the period of the archive. For example, if you're archiving the system log file for January 2000, you may want to use the filename System Log Jan. 2000. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 23

Creating Log Archives in Other Formats To create a tab- or comma-delimited log archive, follow these steps: In the Computer Management console, double-click on the Event Viewer entry. You should now see a list of event logs. Right-click on the event log you want to archive and select Save Log File As from the shortcut menu. In the Save As dialog box, select a directory and a log filename. Using the Save As Type drop-down list box select the Text or CSV log file format. Choose Save. Viewing Log Archives You can view log archives in text format in any text editor or word processor. You should view log archives in the event log format in Event Viewer. You can view log archives in Event Viewer by completing the following steps: In the Computer Management console, right-click the Event Viewer entry. On the shortcut menu, select Open Saved Log Select a directory and a log filename. Choose the log file type and then enter a display name for the log. Enter a display name for the log file. Click Open. The archived log is displayed as a separate view in Event Viewer. Select this view to display the saved events in the log. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 24

Monitor Logging Event Logs Filter Logging Event Logs HTTP Logging Module and AD FS 2.0 Trace Logging will create all event logs in the Security log. To view all the event logs created from HTTP Logging Module and/or AD FS 2.0 Trace Logging, you must complete the following steps: In the Computer Management console, double-click on the Event Viewer entry. You should now see a list of event logs. Right-click on the Security log and select Filter Current Log to open the filter dialog. On the Filter Current Log dialog, you must specify: o Logged: the period time of the event log. o Event level: the type of log such as Critical, Warning, Errors o Event sources: choose AD FS 2.0 Logging Http Module or AD FS 2.0 Trace Logging or both o Event ID: the Event ID that you want to filter. o Key words: the key words for filter o User: the user ID in connection. o Computer(s): the computer(s) connects to the AD FS 2.0 server. The view of Security Event Log with the filter will be: Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 25

Logging Event IDs HTTP Logging Module and Trace Logging support several Event IDs for logging. The following overview will describe the different events that can be registered. Event# 300 Description: Logs for the initial request of SAML2 sign in. Event# 301 Description: Logs when user selects identify provider for sign-in. Event# 302 Description: Login selection request. This is not in use yet. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 26

Event# 303 Description: Logs for the initial response of SAML2 sign in. Event# 304 Description: Login authentication information. Event# 307 Description: Login final request. Event# 308 Description: Login final response. Event# 330 Type: Logout Description: Logout initial request. Event# 331 Type: Logout Description: Logout initial response. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 27

Event# 332 Type: Logout Description: Logout final request. Event# 333 Type: Logout Description: Logout final response. Event# 400 Description: Login authentication user information. Event# 500 Description: Login final request claims. Event# 501 Description: Login final response claims. Event# 600 Description: Login final request signature. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 28

Event# 1300 Connection: WS Federation Description: Login initial request WS Federation. Event# 1301 Connection: WS Federation Description: Login selection of Identity Provider with WS Federation. Event# 1304 Connection: WS Federation Description: Login authentication information. Event# 1307 Connection: WS Federation Description: Login final request. Event# 1330 Connection: WS Federation Type: Logout Description: Logout initial request. Event# 1400 Connection: WS Federation Description: Login authentication user information. Globeteam A/S AD FS 2.0 HTTP Logging Module & Trace Logging, version 1.0 P a g e 29