Format AD FS web application proxy logs

You might find the script below useful in one of two cases.

First, if you are using an AD FS web application proxy (WAP) for federated login, and you publish a Windows Authentication-only app for which the proxy has delegated access, you can use the script below to extract and format event ID 14008 from the Windows Server event log.

Event ID 14008 is what the WAP stores in the event log when it has created a Kerberos ticket for an incoming user whose claims have been authenticated by an external claims provider trust.

Second, if you’ve ever wanted to parse out the text in the “message” field of an event log entry, this script shows a technique you can use. It may not be especially elegant, as it uses split() rather liberally. But it’s effective because the log format is fixed: once you split any given message from an event log entry, the fields you are interested in are always in the same member of the array created by the split.

This is just a quick-and-dirty script. But I like it because it summarizes user logins in a shareable way. I hope you find it useful as well.

<#
Lists event 14008 from the WAP proxy event log and saves them to a csv on the desktop

an 2023-06-08
#>
$objArray = @()
# Match the event ID exactly; -like "*14008*" would also match any other ID containing those digits
$events = Get-WinEvent -LogName "Microsoft-Windows-WebApplicationProxy/Admin" | Where-Object Id -eq 14008

foreach ($event in $events) {

    # The 14008 message is fixed-format, so each field sits at a known line and word position
    $messageText = $event.Message.split("`n")
    $upn = $messageText[9].split(" ")[1]
    # Looks the user up by the UPN prefix, which assumes it matches the sAMAccountName;
    # only DisplayName is requested rather than every attribute
    $userDisplayName = (Get-ADUser -Identity $upn.split("@")[0] -Properties DisplayName).DisplayName
    $obj = New-Object -TypeName PSObject -Property ([ordered]@{
            "timeCreatedUtc"          = $event.TimeCreated.ToUniversalTime()
            "status"                  = $messageText[0]
            "publishedApp"            = $messageText[5].split(" ")[3]
            "publishedAppExternalUrl" = $messageText[7].split(" ")[4]
            "publishedAppBackendUrl"  = $messageText[8].split(" ")[3]
            "upn"                     = $upn
            "userDisplayName"         = $userDisplayName
            "tokenState"              = $messageText[12]
        })
    $objArray += $obj
}
# -NoTypeInformation drops the "#TYPE" header line that Windows PowerShell 5.1 would otherwise write
$objArray | Export-Csv $home/desktop/14008Events.csv -NoTypeInformation
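As an added example that is not part of the original post, here is a more defensive version of the same split()-based technique, run offline over constructed sample messages: it strips carriage returns, checks the line count before indexing, and then summarizes ticket issuance per UPN. The line and word positions are the ones the script above relies on; the sample message text, the function name and the app and user values are constructed for illustration, not copied from a real 14008 event.

```powershell
# Added example, not the original script. Line positions 0/5/7/8/9/12 mirror the post;
# the message wording below is constructed and may differ from a real 14008 event.
function ConvertFrom-Wap14008Message {
    param([Parameter(Mandatory)][string]$Message, [datetime]$TimeCreated)

    # Split on CRLF or LF and trim, so a stray "`r" never ends up inside a field
    $lines = ($Message -split "`r?`n") | ForEach-Object { $_.Trim() }
    if ($lines.Count -lt 13) {
        Write-Warning "Unexpected 14008 layout ($($lines.Count) lines); skipping entry."
        return
    }
    [pscustomobject][ordered]@{
        timeCreatedUtc          = $TimeCreated.ToUniversalTime()
        status                  = $lines[0]
        publishedApp            = ($lines[5] -split ' ')[3]
        publishedAppExternalUrl = ($lines[7] -split ' ')[4]
        publishedAppBackendUrl  = ($lines[8] -split ' ')[3]
        upn                     = ($lines[9] -split ' ')[1]
        tokenState              = $lines[12]
    }
}

# Constructed sample message, laid out so the fields land on the positions above
$sample = @"
Web Application Proxy issued a Kerberos ticket for the user.

Details:

Transaction ID: 00000000-0000-0000-0000-000000000000
Published application name: HRPortal

Published application external URL: https://hr.example.com/
Backend server URL: https://hrportal.corp.example/
UPN: alice@example.com

Token details:
Token state: Valid
"@

# Constructed stand-ins for Get-WinEvent output (Message + TimeCreated are the properties used)
$events = @(
    @{ Message = $sample;                           TimeCreated = [datetime]'2023-06-08T08:15:00' },
    @{ Message = ($sample -replace 'alice@', 'bob@'); TimeCreated = [datetime]'2023-06-08T09:02:00' },
    @{ Message = $sample;                           TimeCreated = [datetime]'2023-06-08T17:40:00' }
)
$rows = foreach ($e in $events) { ConvertFrom-Wap14008Message -Message $e.Message -TimeCreated $e.TimeCreated }

# Per-user summary: ticket count, first and last issue time, and the apps involved
$rows | Group-Object upn | ForEach-Object {
    $times = $_.Group.timeCreatedUtc | Sort-Object
    [pscustomobject]@{ upn = $_.Name; logins = $_.Count; firstSeen = $times[0]; lastSeen = $times[-1]
                       apps = ($_.Group.publishedApp | Sort-Object -Unique) -join ';' }
} | Format-Table -AutoSize
```

On a real WAP server, replace the constructed `$events` array with `Get-WinEvent -LogName "Microsoft-Windows-WebApplicationProxy/Admin" | Where-Object Id -eq 14008`; the rest is unchanged.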
