Alberto Ortega’s Blog

Before OpsMgr ACS is able to collect token related audit events (Event ID 299), auditing needs to be enabled on each Geneva Server on the farm. This will create a lot of audits, which you may need to filer using Noise Filtering on your assigned Audit Collector Server, I will cover how we achieved noise filtering on our platform on other post, for now, I want to share a couple of easy steps to centrally enable audits on your Geneve Servers,

1)  In Geneva Server MMC for each Geneva Server on the farm

1. Root node
2. Edit Service Properties
3. Check “Success” and “Failure” Events

2) In Active Directory

1. Create a GPO and link to the Geneva Servers OU
2. Enable Audits
   1. Navigate to Security Settings->Local Policies->Audit Policy.
   2. Click on the  “Audit object access” Security Setting on the list view at the right side pane.
   3. On the “Local Security Setting” tab, click the “[ ] Success” and/or “[ ] Failure” check boxes according to your needs.
3. Give Permissions to the account
   1. Click Security Settings -> Local Policies -> User Rights Assignment.
   2. Double click “Generate Security Audits” and add the account of your service to Local Security Settings (you can verify service account by opening “services.msc”, and checking the “Microsoft “Geneva” Server” log on account)

Happy auditing!