see sharp RSS 2.0
# Tuesday, 08 July 2014
Had the following error viewing the debug log:

The requested operation cannot be performed over an enabled direct channel. The channel must first be disabled before performing the requested operation.

In short its because of the retention policy that has to be set:
First, disable log: wevtutil set-log "AD FS Tracing/Debug" /enabled:false
then set the tracelevel (see above:wevtutil sl "AD FS Tracing/Debug" /L:5) and clear an enable the log again: wevtutil set-log "AD FS Tracing/Debug" /enabled:true /quiet:true /retention:true /maxsize:153600

Check this KB article:

Loglevel 0 is off, 5 is Verbose

Tuesday, 08 July 2014 09:12:49 (Mitteleuropäische Sommerzeit, UTC+02:00)  #    -
# Monday, 28 January 2013

There is an interesting article on how to enable tracing/logging in AD FS 2.0 on MSDN.

However the brand new Version 2.1 is located in a slightly different place:

  1. the config file is no longer located in
    %ProgramFiles%\Active Directory Federation Services 2.0\Microsoft.IdentityServer.Servicehost.exe.config 
    instead you can find it here:
  2. Configure the System.diagnostics as stated in the article
  3. the wevtutil command has to use a different Provider.
    instead of
    wevtutil sl “AD FS 2.0 Tracing/Debug” /L:5 
    you have to use:

    wevtutil sl "AD FS Tracing/Debug" /L:5

  4. restart the AD FS Service

Monday, 28 January 2013 15:11:29 (Mitteleuropäische Zeit, UTC+01:00)  #    -
Authentication | Tracing
# Thursday, 22 April 2010

Troubleshooting a custom MA for FIM2010 starts usually with looking into the eventlog :-)

So in this case there was not much to see, so I added my .NET Trace statments to the code. Easy, but where to configure the switches? 

Finally i found that the MA is loaded by the FIM server itself so theres the config file too.

The server is still called MIISSERVER.EXE and located in

C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin

So just edit C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Bin\miiserver.exe.config and add you listener and switches:

    <trace autoflush="true" indentsize="4">
        <add name="mylog"
             initializeData="c:\logs\mylog.log" />
      <add name="MySwitch" value="4"/>
Thursday, 22 April 2010 15:05:00 (Mitteleuropäische Sommerzeit, UTC+02:00)  #    -
FIM | Tracing
# Wednesday, 02 September 2009

I often have to diagnose CA 'misbehaviours' and its even more often when I have to lookup where the hell the logfiles are and hor to enable the logging. So a bit of googelingbinging and found this

Certification Authority Settings

  • Enable Certificate Services Debug Logging by running the following commands on the CA:
    certutil.exe -f -setreg ca\debug 0xffffffff
    Net Stop Certsvc && Net Start Certsvc
  • The following log files will be created:
    %SystemRoot%\certsrv.log (Certsrv.exe) Certificate Services
    %SystemRoot%\certutil.log (Certutil.exe)
    %SystemRoot%\certreq.log (Certreq.exe)
    %SystemRoot%\certmmc.log (Certmmc.dll) Certificate Services MMC snap-in
    %SystemRoot%\certocm.log (Certocm.dll) Certificate Services Setup

take a look, there are is more useful information there...


Ah, and if you use CLM/FIM this might be of interest as well:

Wednesday, 02 September 2009 20:49:27 (Mitteleuropäische Sommerzeit, UTC+02:00)  #    -
CLM | Tracing | CA
# Wednesday, 29 April 2009
You can increase the logging level of the Certificate service in the event log for troubleshooting.
This causes Certificate services to log more frequent and verbose Application Event log entries.
To increase the logging level of the Certificate service, run the command:

certutil -setreg ca\loglevel logginglevel

where logginglevel is the level you want to use, and then restart the service.

The following ranges are available:


taken from

and don't forget to restart the certificate services :-)

If you use CLM you may also want to set the loglevel for the Policy and Exit modules:

Policy module
Add a string value named Microsoft.Clm.PolicyModule to the following registry key:
Exit module
Add a string value named Microsoft.Clm.ExitModule in the following registry key:

Set the string value to the desired logging level (Info, Warning, Error or verbose), and then restart the CLM Service to apply the trace logging settings.

Policy module plugins
If you need logging for the CLM policy module plugins, you must create a config file.
Enabling trace logging for the policy module plug-ins causes CLM 2007 to write the error output to the system debug stream, viewable using DebugView.

To enable trace logging, you must create a config file for certsrv.exe file in the C:\WINDOWS\system32 folder.
Create a new text document and name it certsrv.exe.config;
open the new file and copy/paste the following configuration information (It's standard .NET tracing):

<?xml version="1.0" encoding="utf-8" ?>
  <trace autoflush="true" indentsize="2" />
    <add name="Microsoft.Clm.PolicyModulePlugins" value="4" />

Wednesday, 29 April 2009 18:48:59 (Mitteleuropäische Sommerzeit, UTC+02:00)  #    -
CLM | Tracing
# Friday, 13 February 2009
A trace filter is a nice thing, it can decide whether to log a message or not.

Two filters exist in the framework, and they are covered widely on MSDN.

Writing a custom filter is quite easy.
Just derive your filter class from  TraceFilter, override the one and only method ShouldTrace (which returns bool) and there you go.

Now the only thing left is to add the filter to the listener in your applications config file.

Happy Tracing...

Oh yes, here are the files:
Friday, 13 February 2009 14:35:41 (Mitteleuropäische Zeit, UTC+01:00)  #    -
Tracing | C#
<2018 October>
About the author/Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.
Any link on this site may lead to an external website that is not under my control and that external website might show an opinion that is not mine.

© Copyright 2018
Hannes Köhler
Sign In
Total Posts: 39
This Year: 0
This Month: 0
This Week: 0
Comments: 1
All Content © 2018, Hannes Köhler
DasBlog theme 'Business' created by Christoph De Baene (delarou)