ADFS Diagnostic Tool

A huge thanks to the ADFS test team for developing such a great tool. 

 

Here is a quick "how to"

 

The tool is very simple to use and provides a graphical UI. In order to perform distributed diagnosis, i.e. diagnose failures based on the configuration of multiple machines in the scenario, it’s necessary to copy the out file generated by the tool each time it’s run and use it as an input/output file when running the tool on the next machine.

 

For example, to debug a scenario with an FS at the account role (FS-A), an FS at the resource role (FS-R) and a Web Server (WS), first run the tool on the FS-A selecting a new file, say adfsdiag.out. After the tool is run, this file will now contain configuration information relative to the FS-A. Copy the file to the FS-R machine and run the tool there, this time selecting the existing adfsdiag.out file. The tool will detect it already contains information relative to other roles and will execute extra configuration checks, for example, a claim flow check that verifies the outgoing claims sent by the FS-A match the incoming claims expected by the FS-R. After this second run, adfsdiag.out will contain information relative to both the FS-A and FS-R. Finally, copy the out file to the WS machine and run the tool again following the same steps. When running the tool for a role for which there’s already information present in the selected file, the old data for that role will be overwritten with the new information, making it possible to fix errors on a machine and re-run the tool without having to start the whole process all over again. There’s no “right order” to run the tool, all of them should give the same output, except for some certificate checks that will only be executed at the WS in case the information from the FS-R is available beforehand

 

Please give this tool a try and provide any feedback to this blog.

ADFSDiag.zip