This post looks at how you can view login errors in AD FS, trace them back to the Event Viewer on your AD FS server(s) and then help the user log in correctly.
Unlike earlier versions of AD FS, you do not need to edit config files or registry keys to turn on additional logging. All login failures (not successes) are reported to the AD FS log in the Event Viewer on the AD FS server. If you have more than one server, either always check all servers or set up log forwarding to another server so the events are in one place.
To view the AD FS log file in Event Viewer navigate to Applications and Services Logs > AD FS > Admin – errors on that box are shown here. If you have a correlation Activity ID (see below) you can find that here and track errors back to the entry in the logs.
Further detail (system problems and more verbose debugging messages) can also be recorded. Click Applications and Services Logs in Event Viewer, then choose View > Show Analytic and Debug Logs from the menu. Note that to see the View menu you need to click on Applications and Services Logs first and not just right-click it.
Once Analytic and Debug Logs are visible you can find the AD FS Debug log. This is under Applications and Services Logs > AD FS Tracing > Debug.
You need to right-click this log and choose Enable Log. Then get the user to repeat the issue; it will be logged in great detail here. Once the user has finished, disable logging and save the log file. You can search the file once it is saved. It is possible to search the log during collection, but you can only search one page of data at a time and the pages are both small and generated quite quickly – so save the log file before searching it.
An example of some of the data that can be read in the debug log is shown below. This log shows the Activity ID as well, and this can be correlated back to the error message that the user sees in AD FS during login when AD FS is not working.
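The same procedure driven from PowerShell on the AD FS server, as an added example that is not part of the original post: enable the Debug channel, have the user reproduce the failure, disable and export it, then match each Admin-log error to its Debug events by Activity ID. The log names are the real Windows channel names; the export path, the lookback window and the "Activity ID:" message pattern are assumptions.

```powershell
# Added example, not from the original post. Run elevated on an AD FS server.
$DebugLog   = 'AD FS Tracing/Debug'         # channel shown in Event Viewer
$AdminLog   = 'AD FS/Admin'                 # channel shown in Event Viewer
$ExportPath = 'C:\Temp\adfs-debug.evtx'     # assumed export location

function Enable-AdfsDebugTrace {
    # Equivalent of right-click > Enable Log on the Debug channel.
    $cfg = Get-WinEvent -ListLog $DebugLog
    $cfg.IsEnabled = $true
    $cfg.SaveChanges()
}

function Disable-AdfsDebugTrace {
    # Disable first (analytic/debug channels must be stopped before export),
    # then save the log file so it can be searched as a whole.
    $cfg = Get-WinEvent -ListLog $DebugLog
    $cfg.IsEnabled = $false
    $cfg.SaveChanges()
    wevtutil epl $DebugLog $ExportPath
}

function Get-AdfsFailureTrace {
    param([int]$LookbackMinutes = 30)       # assumed time window
    $since  = (Get-Date).AddMinutes(-$LookbackMinutes)
    # Level 2 = Error; these are the login failures the Admin log records.
    $errors = Get-WinEvent -FilterHashtable @{ LogName = $AdminLog; Level = 2; StartTime = $since }
    # Debug channels are read oldest-first; the saved file is read the same way.
    $trace  = Get-WinEvent -Path $ExportPath -Oldest
    foreach ($e in $errors) {
        # Prefer the record's own ActivityId; fall back to the GUID AD FS prints
        # in the message text (pattern is an assumption about the message format).
        $id = $e.ActivityId
        if (-not $id -and $e.Message -match 'Activity ID:\s*([0-9a-fA-F-]{36})') { $id = [guid]$Matches[1] }
        if (-not $id) { continue }
        $related = @($trace | Where-Object { $_.ActivityId -eq $id })
        [pscustomobject]@{
            Time        = $e.TimeCreated
            ActivityId  = $id
            AdminError  = ($e.Message -split "`n")[0]
            TraceEvents = $related.Count
            TraceDetail = ($related | ForEach-Object { $_.Message }) -join "`n"
        }
    }
}

# Usage: Enable-AdfsDebugTrace; have the user retry; Disable-AdfsDebugTrace;
# then Get-AdfsFailureTrace | Format-List
```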