
ADFS Update issue

Open RalphK83 opened this issue 3 years ago • 4 comments

Hello,

we had some issues with applying Windows updates on our ADFS server. After investigation with MS it was figured out by them that it is related to an unexpected regkey:

HKLM\System\CurrentControlSet\services\eventlog\AD FS/Admin

which is created by privacyideaADFSprovider:

    # check event source
    if (!([System.Diagnostics.EventLog]::SourceExists("privacyIDEAProvider"))) {
        New-EventLog -LogName "AD FS/Admin" -Source "privacyIDEAProvider"
        Write-Host "Log source created"
    }

This causes us to not see any sort of logs from the ADFS at all. It also explains why this EventLog is shown as its own node instead of a channel in the MMC.

We are using ADFS Windows Server 2016.

RalphK83, Jul 12 '22 06:07

Which Windows update was problematic for you to apply? I cannot confirm any of these issues with our test setups yet.

nilsbehlen, Jul 27 '22 08:07

The command interferes with the logging capability specified by ADFS. On a freshly installed system the Eventlog looks like this:

(screenshot: Capture)

After installing this provider, the existing ADFS event node gets replaced and Admin isn't a child of "AD FS"; instead we have a new registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\AD FS/Admin

I don't know why yet, but this breaks ADFS logging for my system.

ADFS Windows Server 2016

Edit: I was able to fix it for myself:

    New-EventLog -LogName "AD FS/Admin" -Source "AD FS"
    New-EventLog -LogName "AD FS/Admin" -Source "privacyIDEAProvider"

And after that I renamed the wrong keys within HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog as shown in the following image.

h3ge, Jan 10 '23 14:01

Thanks for the information. I think the faulty part is in the install script: https://github.com/privacyidea/adfs-provider/blob/07ea721a17a336dcafff0bbcda51aabbb2016bb7/privacyIDEAADFSProvider/Install.ps1#L41

There is only -Source "privacyIDEAProvider" but not "AD FS".

nilsbehlen, Jan 10 '23 15:01

I think it would be better to use the default "Application" log because MS is doing strange things with the AD FS log node. (As you can see in the screenshot, Admin is a child of "AD FS", but MS really uses the logname "AD FS/Admin".)

(screenshot: Capture3)

h3ge, Jan 10 '23 15:01
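As an added example (not from this issue or the privacyIDEA project), the following script checks an ADFS server for the unexpected EventLog\AD FS/Admin key described above and registers the provider's event source in the "Application" log as proposed in the last comment; the function names are my own and the registry path and source name are taken from the thread.

```powershell
# Added example, not the project's Install.ps1: detect the registry key this
# issue reports and register the source in "Application" instead.
# Run in an elevated PowerShell session (New-EventLog needs Administrator).

# The key name contains a literal '/', which PowerShell provider paths treat
# as a separator, so the .NET registry API is used to open it reliably.
$EventLogPath   = 'SYSTEM\CurrentControlSet\Services\EventLog'
$UnexpectedLog  = 'AD FS/Admin'
$ProviderSource = 'privacyIDEAProvider'

function Test-UnexpectedAdfsLogKey {
    # Returns $true when New-EventLog has created EventLog\AD FS/Admin,
    # the symptom reported in this issue, and lists its registered sources
    # (e.g. only 'privacyIDEAProvider' and no 'AD FS').
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$EventLogPath\$UnexpectedLog")
    if ($null -eq $key) { return $false }
    try {
        $sources = $key.GetSubKeyNames()
        Write-Host "Found EventLog\$UnexpectedLog with sources: $($sources -join ', ')"
        return $true
    } finally {
        $key.Close()
    }
}

function Register-ProviderSourceInApplicationLog {
    # Registers the source in the built-in Application log so no key under
    # EventLog\AD FS/Admin is created. Returns the log the source ends up in.
    if ([System.Diagnostics.EventLog]::SourceExists($ProviderSource)) {
        # A source is machine-wide; if it already exists somewhere else
        # (e.g. under 'AD FS/Admin'), report that instead of duplicating it.
        $existing = [System.Diagnostics.EventLog]::LogNameFromSourceName($ProviderSource, '.')
        if ($existing -ne 'Application') {
            Write-Warning "Source '$ProviderSource' is already registered in log '$existing'."
        }
        return $existing
    }
    New-EventLog -LogName 'Application' -Source $ProviderSource
    Write-Host "Registered source '$ProviderSource' in the Application log"
    return 'Application'
}

if (Test-UnexpectedAdfsLogKey) {
    Write-Warning "EventLog\$UnexpectedLog exists; the ADFS Admin channel may be shadowed as described in this issue."
}
Register-ProviderSourceInApplicationLog
```

The warning only reports the key; removing or renaming it is the manual step h3ge describes and is left to the administrator.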