How to determine whether users authenticate to an application via their UPN
Hi,
Can we understand if a user account authenticates to an application with their UserPrincipalName (UPN) by viewing Domain Controller event log records or some other logs on a Domain Controller? Our goal is to understand how many user accounts use their UPN to authenticate to an applic
August 25th, 2015 11:16am
In Event Viewer, select the log you want, then select "Filter Current Log...". Once you narrow down the items you specifically want to see, you can create a custom view to see only those events.
August 25th, 2015 2:47pm
Thanks for the response.
In the Event Viewer, when I filter User Accounts for the ID I logged on with, in the form ID@Domain.Com, I don't see any records; however, I'm logged on to the DC using ID@Domain.Com.
August 25th, 2015 5:29pm
Just use the ID and drop the @domain.com... You can also use the Find section in Event Viewer to find a user name... Once you identify the exact log you want to keep track of, you can create a rule for that... Logon events are recorded in the Security log; if the application has its own event log, I cannot tell you how to customize it.
August 25th, 2015 5:55pm
I don't see it when I filter that way either. I'm filtering the Security event log.
August 25th, 2015 5:59pm
On the Event Viewer main page, select the log you want to view; on the right side there is an "Action" section. There you can "Filter Current Log..." or "Find...".
August 25th, 2015 6:02pm
For how to filter Event Logs, please refer to this article:
https://technet.microsoft.com/en-us/library/cc722058.aspx
And for logon events, we usually track event 4624; the process info in the event usually identifies the program executable that processed the logon.
Regards,
Eth
August 26th, 2015 1:53am
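The 4624 check suggested above, written out as an added example (not code from any poster in this thread): it reads the account name and process fields from 4624 event XML and counts which name form was recorded. The function name `ConvertFrom-LogonEventXml` and the two sample records are constructed for illustration.

```powershell
# Constructed sample: two trimmed 4624 records in the XML form that
# (Get-WinEvent ...).ToXml() returns. Account, domain and path are made up;
# the second record exists only to exercise the UPN branch.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sampleXml = @(
@"
<Event xmlns="$ns"><System><EventID>4624</EventID></System><EventData>
<Data Name="TargetUserName">jsmith</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="LogonType">3</Data>
<Data Name="ProcessName">-</Data>
</EventData></Event>
"@,
@"
<Event xmlns="$ns"><System><EventID>4624</EventID></System><EventData>
<Data Name="TargetUserName">jsmith@contoso.com</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="LogonType">2</Data>
<Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
</EventData></Event>
"@
)

# Hypothetical helper: flatten one 4624 record and label the account-name form.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc  = [xml]$Xml
    $data = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    # A name containing '@' is in UPN form; anything else is treated as sAMAccountName.
    $form = if ($data['TargetUserName'] -like '*@*') { 'UPN' } else { 'sAMAccountName' }
    [pscustomobject]@{
        Account     = $data['TargetUserName']
        Domain      = $data['TargetDomainName']
        LogonType   = [int]$data['LogonType']
        ProcessName = $data['ProcessName']
        NameForm    = $form
    }
}

$logons = $sampleXml | ForEach-Object { ConvertFrom-LogonEventXml -Xml $_ }
$logons | Format-Table Account, Domain, LogonType, ProcessName, NameForm
$logons | Group-Object NameForm | Select-Object Name, Count
# On a DC, feed real records instead of the sample:
# Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 500 |
#     ForEach-Object { ConvertFrom-LogonEventXml -Xml $_.ToXml() }
```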
What kind of an application is it? Does it have its own event log for logons?
August 26th, 2015 5:46am
I've been filtering event logs for quite some time and I don't see the data in the event logs.
August 26th, 2015 5:51pm
Windows records event logons in the security log but it may not record application logons... Does your application have an event log of some kind? What does it record? Do you need to enable the feature to show user logons?
August 26th, 2015 6:11pm
Hi SdeDot,
Normally, in Active Directory security event logs, it will only show you CONTOSO\username, no matter whether you log on using "user@contoso.com".
You will see it in the security event log with event ID 4624.
Correct me if I am wrong.
August 26th, 2015 8:35pm
Thanks Aliyani.
I don't see anything in the form of UPN either.
August 27th, 2015 9:27am
Hi SdeDot,
I think only if the application is linked to the AD would you be able to pick up the logon information of the particular user, and your DC would create an event ID as well.
Where is the application installed, on a member server or the DC?
If on a member server, maybe try jedi_Aadministrator's suggestion.
Regards
August 27th, 2015 9:41pm