Logging authentication events is important for auditing, troubleshooting, and security monitoring of your Mi-Token environment. Mi-Token logs events to the Windows event logs by default, but you need to ensure the appropriate auditing settings are enabled.
Here's how:
1. Enable Windows Security Auditing
- Open the Group Policy Management Console (gpmc.msc)
- Browse to Forest > Domains > Your Domain > Default Domain Policy
- Right-click "Default Domain Policy" and click Edit
- Drill down to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > DS Access
- Double-click "Audit Directory Service Changes" and ensure "Configure the following audit events" is checked and "Success" is selected
- Click OK to close the policy editor
- Back on the server, open a command prompt and run gpupdate /force to apply the new policy settings
2. Configure NPS Logging
- Open the Network Policy Server management console
- Right-click "NPS (Local)" and select "Properties"
- Go to the "Accounting" tab
- Configure the log file format and location as desired. By default, NPS logs to %SystemRoot%\System32\Logfiles in the IAS format.
- Click Apply and OK to save the settings
3. Enable RADIUS Accounting (Optional)
- If your RADIUS client devices support RADIUS accounting, you can enable it to log additional details about authentication requests
- In the NPS management console, right-click on the RADIUS client and select "Properties"
- Check the "Enable RADIUS accounting for this RADIUS client" option
- Click Apply and OK to save
4. Configure SQL Server Logging (Optional)
- If you're using Mi-Token Reporting, you can enable SQL Server logging to capture database activity
- Open SQL Server Management Studio and connect to your Mi-Token database server
- Right-click the server and select "Properties"
- Go to the "Security" tab and ensure "Login auditing" is set to "Failed logins only" or "Both failed and successful logins"
- Go to the "Management" tab and ensure "Default Trace Enabled" is checked
- Click OK to save
- Expand "Management" > "SQL Server Logs" to view the logged events
5. Check Mi-Token Event Logs
- Mi-Token has its own event log that captures key events from the authentication process
- Open Event Viewer (eventvwr.msc)
- Expand "Applications and Services Logs" and look for the "Mi-Token" log
- Ensure events are being captured. If the log is missing or empty, double-check that the Mi-Token services are running.
With these settings configured, you should have robust logging of all Mi-Token authentication activity in your environment. Remember to secure the logged data, as it may contain sensitive information. Review the logs regularly for any anomalies or signs of attack.
If you're having trouble getting the logs you expect, double-check the service account permissions and make sure the Mi-Token services are running properly. Consult the Mi-Token documentation or contact support if you need further assistance.