How to Audit SSO
You can use the MMC Snap-In or the command line to set both the positive and negative auditing levels. The audit records are stored both in the event logs and in the audit logs of the SSO database.
SSO administrators can set the positive and negative audit levels that suit their corporate policies. Positive auditing covers actions that succeed; negative auditing covers actions that fail. You can set positive and negative audits to one of the following levels:
0 = None
1 = Low
2 = Medium
3 = High. This level issues as many audit messages as possible.
The default value for positive auditing is 0 (none), and the default value for negative auditing is 1 (low).
To change the database level auditing, you must update the SSO database using an XML file. A sample XML file for updating the SSO database is:
<sso>
    <globalInfo>
        <auditDeletedApps>1000</auditDeletedApps>
        <auditDeletedMappings>1000</auditDeletedMappings>
        <auditCredentialLookups>1000</auditCredentialLookups>
    </globalInfo>
</sso>
To set the audit levels by using the MMC Snap-In
1. On the Start menu, click All Programs, click Microsoft Enterprise Single Sign-On, and then click SSO Administration.
2. In the scope pane of the ENTSSO MMC Snap-In, expand the Enterprise Single Sign-On node.
3. Right-click System, and then click Properties.
4. In the System Properties dialog box, click the Audits tab.
5. Enter the appropriate settings, and then click OK.
To set the audit levels by using the command line
1. On the Start menu, click Run, and then type cmd.
2. At the command prompt, go to the Enterprise Single Sign-On installation directory. The default installation directory is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
3. Type ssoconfig -auditlevel <positive> <negative>, where <positive> is the level of auditing when actions succeed, and <negative> is the level of auditing when actions fail.
Note: On a system that supports User Account Control (UAC), you may need to run the tool with administrative privileges.
To update the SSO database by using the command line
1. Click Start, click Run, and then type cmd.
2. At the command prompt, go to the Enterprise Single Sign-On installation directory. The default installation directory is <drive>:\Program Files\Common Files\Enterprise Single Sign-On.
3. Type ssomanage -updatedb <update file>, where <update file> is the path and name of the XML file.
Note: On a system that supports User Account Control (UAC), you may need to run the tool with administrative privileges.
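The following PowerShell script is an added example, not part of the original article or of the Enterprise Single Sign-On product: it performs the two command-line procedures above in one pass, validating the audit levels against the 0 to 3 range, writing a well-formed copy of the sample XML (the element names are checked by parsing the document before it is written), and then calling ssoconfig -auditlevel and ssomanage -updatedb. It assumes the default installation directory named in the article and the two command switches quoted there; the parameter names, the temporary file name and the -DryRun switch are this script's own.

```powershell
# Added example (not from the original article): set ENTSSO audit levels and
# push the database audit settings in one script.
# Assumptions: ENTSSO is installed in the default directory named in the article,
# and ssoconfig.exe / ssomanage.exe accept the switches quoted there.
param(
    # Positive = actions that succeed; negative = actions that fail. Valid range is 0..3.
    [ValidateRange(0, 3)] [int] $PositiveLevel = 1,
    [ValidateRange(0, 3)] [int] $NegativeLevel = 3,
    # Value written into the three globalInfo elements of the sample XML (1000 in the article).
    [ValidateRange(1, [int]::MaxValue)] [int] $AuditSetting = 1000,
    # $env:CommonProgramFiles normally resolves to <drive>:\Program Files\Common Files.
    [string] $SsoDir = (Join-Path $env:CommonProgramFiles 'Enterprise Single Sign-On'),
    # Show what would run without touching the system.
    [switch] $DryRun
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Build the update file from the article's sample, with the element names spelled
# consistently (the original sample opened <globalnfo> and closed </globalInfo>).
$updateXml = @"
<sso>
    <globalInfo>
        <auditDeletedApps>$AuditSetting</auditDeletedApps>
        <auditDeletedMappings>$AuditSetting</auditDeletedMappings>
        <auditCredentialLookups>$AuditSetting</auditCredentialLookups>
    </globalInfo>
</sso>
"@

# Parse before writing: a mismatched or misspelled tag throws here instead of
# being rejected later by ssomanage with a less specific error.
$null = [xml]$updateXml
$updateFile = Join-Path $env:TEMP 'sso-audit-update.xml'   # constructed file name
Set-Content -Path $updateFile -Value $updateXml -Encoding UTF8

$ssoconfig = Join-Path $SsoDir 'ssoconfig.exe'
$ssomanage = Join-Path $SsoDir 'ssomanage.exe'
foreach ($tool in @($ssoconfig, $ssomanage)) {
    if (-not (Test-Path -LiteralPath $tool)) {
        throw "Tool not found: $tool (pass -SsoDir if ENTSSO is installed elsewhere)"
    }
}

# The article notes that UAC may require administrative privileges; warn early.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'PowerShell is not elevated; ssoconfig/ssomanage may fail under UAC.'
}

if ($DryRun) {
    Write-Output "Would run: `"$ssoconfig`" -auditlevel $PositiveLevel $NegativeLevel"
    Write-Output "Would run: `"$ssomanage`" -updatedb `"$updateFile`""
    Write-Output "Update file contents:`n$updateXml"
    return
}

# Step 3 of the first command-line procedure: set positive and negative levels.
& $ssoconfig -auditlevel $PositiveLevel $NegativeLevel
if ($LASTEXITCODE -ne 0) { throw "ssoconfig -auditlevel failed with exit code $LASTEXITCODE" }

# Step 3 of the second procedure: apply the database-level audit settings.
& $ssomanage -updatedb $updateFile
if ($LASTEXITCODE -ne 0) { throw "ssomanage -updatedb failed with exit code $LASTEXITCODE" }

Write-Output "Audit levels set to positive=$PositiveLevel negative=$NegativeLevel; database updated from $updateFile"
```

Run it first with -DryRun from an elevated prompt to review the generated XML and the exact commands; the default of negative=3 reflects that failed actions are the records a reviewer is most likely to need, while the script leaves positive auditing at the low level.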