Analyzing ADFS IIS Logs

If you are using Active Directory Federation Services (ADFS) and want to see which users are logging in, when, and to which external service, you can analyze the IIS logs on the ADFS server. It is pretty straightforward, since it is just IIS.

First, get on your ADFS box, go to the IIS log directory, usually something like “C:\Windows\System32\LogFiles\W3SVC1”, and grab those logs.

Install LogParser on your machine.

Now you can write SQL-style queries against your logs. For ADFS logs we don’t care much about most of the columns. The ones that matter are primarily the username and the date, maybe the URI for filtering, and maybe the referrer or the user agent to see what browsers your users are using. To get, say, unique logins per day for a given service, we just need the date, the username and the URI.

Remember that the date is probably UTC, so you need to use a function to convert it, or leave it as is if you want; how far you go depends on how accurate you want things to be. Hint: TO_TIMESTAMP(date, time) AS utc-timestamp, TO_LOCALTIME(utc-timestamp) AS local-timestamp

Now, here is the LogParser query:

logparser -i:IISW3C -o:CSV "SELECT DISTINCT cs-username, date INTO C:\path\to\output.csv FROM C:\path\to\adfs\logs\*.log WHERE cs-username IS NOT NULL AND cs-uri-query LIKE '%your service%'"

Change the output path (INTO) and the log path (FROM) in the statement to match your environment, and adjust the LIKE pattern to the service you are after. For example, to query for Microsoft Dynamics CRM Online, I used

LIKE '%dynamicscrm%'

Run that query, then open the .csv you exported to. Format the data as a table and pivot it by user and by date. Get the number of unique days using a date diff, then analyze logins per day and logins per user. Tie it to Active Directory (using Power Query) to add dimension attributes like title or department, and very quickly you can analyze which users, departments, etc. are using your service.
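If you would rather do the same distinct-user-per-day analysis without LogParser, or want to see exactly what the UTC-to-local conversion changes, the following is an added example (not code from the original post): a small Python script that reads IIS W3C logs by their #Fields header, applies the same cs-username IS NOT NULL and cs-uri-query LIKE '%service%' filter, converts the UTC timestamp to a local zone, and returns unique logins per day and active days per user. The log excerpt, the realm names, the usernames and the +02:00 local zone are all constructed for the demonstration.

```python
"""Unique ADFS logins per day and per user from IIS W3C logs.

Added example, not code from the original post: a pure-Python equivalent of
the LogParser query (DISTINCT cs-username, date, filtered on cs-uri-query),
plus the UTC-to-local conversion the post hints at.
The log excerpt, the realm names and the usernames are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed W3C extended log excerpt. Real ADFS IIS logs carry more fields;
# the #Fields header is what lets the parser map columns by name, so extra
# columns in a real log need no code change. Note the near-midnight UTC
# entry and the anonymous ("-") request.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2012-06-04 00:00:00
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2012-06-04 13:05:10 GET /adfs/ls/ wa=wsignin1.0&wtrealm=urn:crmonline:dynamicscrm CONTOSO\\alice 10.1.1.5 Mozilla/5.0 200
2012-06-04 13:06:42 POST /adfs/ls/ wa=wsignin1.0&wtrealm=urn:crmonline:dynamicscrm CONTOSO\\alice 10.1.1.5 Mozilla/5.0 302
2012-06-04 23:40:01 GET /adfs/ls/ wa=wsignin1.0&wtrealm=urn:crmonline:dynamicscrm CONTOSO\\bob 10.1.1.9 Mozilla/5.0 200
2012-06-05 01:15:33 GET /adfs/ls/ wa=wsignin1.0&wtrealm=urn:federation:othersaas CONTOSO\\bob 10.1.1.9 Mozilla/5.0 200
2012-06-05 09:00:00 GET /adfs/ls/ wa=wsignin1.0&wtrealm=urn:crmonline:dynamicscrm - 10.1.1.7 Mozilla/5.0 401
2012-06-05 09:00:05 POST /adfs/ls/ wa=wsignin1.0&wtrealm=urn:crmonline:dynamicscrm CONTOSO\\carol 10.1.1.7 Mozilla/5.0 302
"""

# Assumed local zone for the worked run (a fixed +02:00 offset, no DST);
# swap in your own tzinfo.
LOCAL_TZ = timezone(timedelta(hours=2))


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields line.
    IIS writes '-' for an empty field (cs-username on anonymous requests);
    that is mapped to None so it can be filtered like LogParser's NULL."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # header may be repeated mid-file
            continue
        if line.startswith("#"):
            continue                       # other directives (#Software, #Date)
        if fields is None:
            raise ValueError("log record seen before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue                       # truncated line; W3C fields never contain spaces
        yield {name: (None if v == "-" else v) for name, v in zip(fields, values)}


def local_day(record, tz):
    """TO_LOCALTIME(TO_TIMESTAMP(date, time)) reduced to a calendar day:
    IIS stamps records in UTC, so a late-evening login can belong to the
    next local day (or the previous one, for zones west of UTC)."""
    stamp = datetime.strptime(f"{record['date']} {record['time']}", "%Y-%m-%d %H:%M:%S")
    return stamp.replace(tzinfo=timezone.utc).astimezone(tz).date().isoformat()


def unique_logins(text, service, tz=timezone.utc):
    """Distinct (user, local day) pairs for requests whose query string
    mentions `service`, i.e. the LogParser query with LIKE '%service%'.
    Returns (per_day, per_user): day -> sorted users, user -> sorted days."""
    per_day = defaultdict(set)
    for rec in parse_w3c(text):
        if rec.get("cs-username") is None:
            continue                       # anonymous hit: WHERE cs-username IS NOT NULL
        if service.lower() not in (rec.get("cs-uri-query") or "").lower():
            continue
        per_day[local_day(rec, tz)].add(rec["cs-username"])
    per_user = defaultdict(set)
    for day, users in per_day.items():
        for user in users:
            per_user[user].add(day)
    return ({d: sorted(u) for d, u in sorted(per_day.items())},
            {u: sorted(d) for u, d in sorted(per_user.items())})


if __name__ == "__main__":
    for label, tz in (("UTC", timezone.utc), ("local (+02:00)", LOCAL_TZ)):
        per_day, per_user = unique_logins(SAMPLE_LOG, "dynamicscrm", tz)
        print(f"--- {label} ---")
        for day, users in per_day.items():
            print(f"{day}: {len(users)} unique user(s): {', '.join(users)}")
        for user, days in per_user.items():
            print(f"{user}: active on {len(days)} day(s)")
```

Running it with the constructed data shows the point of the UTC hint: bob's 23:40 UTC login counts toward 2012-06-04 in UTC but toward 2012-06-05 in the +02:00 zone, so per-day counts shift depending on which zone you pivot on. Point the script at real logs by reading the files in the W3SVC1 directory into `unique_logins` and passing the same substring you would put in the LIKE pattern.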

Adding Computer to Windows Domain and Logging In with Domain Account over VPN

I have done this enough times, but this is just for documentation’s sake.

So, you get a cool new OS (Windows 8 Release Preview, maybe?) and you repave your machine. You want to add it to your domain over VPN and then log in with your domain credentials. You must, of course, have an account that has rights to add computers to the domain, but this is what you do.

Why would you want to do this? Well, if you are a telecommuter, it might be something you run into. Wanting to redo your machine at night rather than waste time during the workday is another reason. It isn’t that complicated, but it can be confusing if you have never done it before. If you have a basic understanding of Windows networking and Active Directory, you should be able to follow what is going on here.

1. Repave your machine!
2. Set up the machine with its new name.
3. Install VPN, connect to your network.
4. Add your machine to your domain as you would when on the LAN network.
5. DO NOT REBOOT. I repeat, DO NOT REBOOT. Even though Windows wants you to!
6. Go to user management and add the domain user you want to log in as to the local Administrators group.
7. Now, feel free to reboot.
8. Drink a beer.
9. When the login screen comes up, log in as the local machine account that you set up when you repaved your machine.
10. Connect to VPN.
11. “Switch Account” back to the login screen (VPN is still connected!).
12. Log in as the domain account from step #6.
13. Profit.