ADFS Performance Statistics & NLB Requirements

This is something that I get asked quite a lot in terms of gathering performance metrics for AD FS, and the quick answer is: just use Performance Monitor, which is built into Windows, as this gives you some good statistics, especially for AD FS on Server 2012 R2. Furthermore, it also helps you identify potential issues with your NLB configuration, as it gives you clear information on how many requests each node in your AD FS farm is handling. In the past this has helped identify NLB issues caused by misconfiguration, which can in turn cause congestion, rejected requests and high CPU utilization on one node.

First of all, I want to cover the recommendations for configuring hardware network load balancers for Active Directory Federation Services.

 

If you are using a hardware network load balancer you should ensure it is in the following configuration state:

  • Stickiness and/or Cookie Tracking is DISABLED
  • Round Robin / Least Busy Server Load Balancing Algorithm.

This ensures that connection requests do not keep being sent to the same server due to stickiness. Many people configure stickiness based on source IP or something similar, but the source IP may be the same for many hundreds of requests. If all of those connections end up going to one AD FS server (potentially due to an outage on one node), they will never balance themselves back out again, leaving one AD FS node heavily utilized.

There are other scenarios too, but if you stick to the above configuration state then this will at least send you down a good path! :)

Furthermore, if you are interested in gathering performance data for your AD FS environment, you can do this using perfmon.exe, which is part of the Windows Server build.

  1. Launch Perfmon.exe from RUN or SEARCH
  2. Data Collector Sets > User Defined > Right Click > New > Data Collector Set
  3. Type Friendly Name & Select 'Create Manually', Click Next
  4. Select Performance Counter
  5. Add the respective counters as per the below list
  6. Select Directory to Store Performance Files
  7. Run As Default
  8. Click Finish

Performance Counters for: ADFS Server [Server 2012 R2]

<CounterDisplayName>.NET CLR Networking*</CounterDisplayName>
<CounterDisplayName>AD FS*</CounterDisplayName>
<CounterDisplayName>ServiceModelEndpoint 3.0.0.0*</CounterDisplayName>
<CounterDisplayName>ServiceModelOperation 3.0.0.0*</CounterDisplayName>
<CounterDisplayName>ServiceModelService 3.0.0.0*</CounterDisplayName>
<CounterDisplayName>ServiceModelEndpoint 4.0.0.0*</CounterDisplayName>
<CounterDisplayName>ServiceModelOperation 4.0.0.0*</CounterDisplayName>
<CounterDisplayName>ServiceModelService 4.0.0.0(*)*</CounterDisplayName>
<CounterDisplayName>TCPv4*</CounterDisplayName>
<CounterDisplayName>TCPv6*</CounterDisplayName>
<CounterDisplayName>Memory*</CounterDisplayName>
<CounterDisplayName>Network Interface(*)*</CounterDisplayName>
<CounterDisplayName>Process(Microsoft.IdentityServer.ServiceHost)*</CounterDisplayName>
<CounterDisplayName>Process(Microsoft.DeviceRegistration.ServiceHost)*</CounterDisplayName>
<CounterDisplayName>Process(lsass)*</CounterDisplayName>

Performance Counters for: Web Application Proxy [Server 2012 R2]

<CounterDisplayName>.NET CLR Networking*</CounterDisplayName>
<CounterDisplayName>AD FS Proxy*</CounterDisplayName>
<CounterDisplayName>IPv4*</CounterDisplayName>
<CounterDisplayName>IPv6*</CounterDisplayName>
<CounterDisplayName>Memory*</CounterDisplayName>
<CounterDisplayName>Network Interface(*)*</CounterDisplayName>
<CounterDisplayName>Process(AppProxy)*</CounterDisplayName>
<CounterDisplayName>Process(Microsoft.IdentityServer.ProxyService)*</CounterDisplayName>
<CounterDisplayName>Process(WebAppProxyController)*</CounterDisplayName>
<CounterDisplayName>Process(lsass)*</CounterDisplayName>
<CounterDisplayName>ServiceModelEndpoint 4.0.0.0*</CounterDisplayName>
<CounterDisplayName>ServiceModelOperation 4.0.0.0*</CounterDisplayName>
<CounterDisplayName>ServiceModelService 4.0.0.0*</CounterDisplayName>
<CounterDisplayName>Web Application Proxy*</CounterDisplayName>

Performance Counters for: ADFS 2.0 [Server 2008 R2]

<CounterDisplayName>AD FS 2.0*</CounterDisplayName>
<CounterDisplayName>APP_POOL_WAS(ADFSAppPool)*</CounterDisplayName>
<CounterDisplayName>ASP.NET*</CounterDisplayName>
<CounterDisplayName>Memory*</CounterDisplayName>
<CounterDisplayName>Network Interface(*)*</CounterDisplayName>
<CounterDisplayName>Process(Microsoft.IdentityServer.ServiceHost)*</CounterDisplayName>
<CounterDisplayName>Process(lsass)*</CounterDisplayName>
<CounterDisplayName>TCPv4*</CounterDisplayName>
<CounterDisplayName>TCPv6*</CounterDisplayName>
<CounterDisplayName>Web Service(Default Web Site)*</CounterDisplayName>
<CounterDisplayName>ServiceModelEndpoint 3.0.0.0*</CounterDisplayName>
<CounterDisplayName>ServiceModelOperation 3.0.0.0*</CounterDisplayName>
<CounterDisplayName>ServiceModelService 3.0.0.0*</CounterDisplayName>
<CounterDisplayName>.NET CLR Networking(_global_)*</CounterDisplayName>

Performance Counters for: ADFS 2.0 Proxy [Server 2008 R2]

<CounterDisplayName>.NET CLR Networking(_global_)*</CounterDisplayName>
<CounterDisplayName>AD FS 2.0 Proxy*</CounterDisplayName>
<CounterDisplayName>APP_POOL_WAS(ADFSAppPool)*</CounterDisplayName>
<CounterDisplayName>APP_POOL_WAS(*)*</CounterDisplayName>
<CounterDisplayName>Memory*</CounterDisplayName>
<CounterDisplayName>Network Interface*</CounterDisplayName>
<CounterDisplayName>Process(Microsoft.IdentityServer.ServiceHost)*</CounterDisplayName>
<CounterDisplayName>Process(lsass)*</CounterDisplayName>
<CounterDisplayName>Process(w3wp)*</CounterDisplayName>
<CounterDisplayName>ServiceModelEndpoint 3.0.0.0*</CounterDisplayName>
<CounterDisplayName>ServiceModelOperation 3.0.0.0*</CounterDisplayName>
<CounterDisplayName>ServiceModelService 3.0.0.0*</CounterDisplayName>
<CounterDisplayName>TCPv4*</CounterDisplayName>
<CounterDisplayName>TCPv6*</CounterDisplayName>
<CounterDisplayName>W3SVC_W3WP(_Total)*</CounterDisplayName>
<CounterDisplayName>Web Service(Default Web Site)*</CounterDisplayName>

You can find Templates that I have created if you wish to import these yourself:

  • ADFS 2.0 (FileName: Perfmon_Template_ADFS)
  • ADFS 2.0 Proxy (FileName: Perfmon_Template_ADFS_Proxy)
  • ADFS [Server 2012 R2] (FileName: Perfmon_Template_ADFS_3.0)
  • WAP [Server 2012 R2] (FileName: Perfmon_Template_WAP)

Download: ADFS_Perfmon_Templates


You will find that quite a lot of counters are logged here, and which ones matter will depend on the issue you are troubleshooting, but at least you will have the data at hand. If you are looking into congestion or performance load issues, you may want to look at the following, which are viewable in the ADFS, Proxy & WAP counters:

  • Token Requests/Sec
  • Token Requests
  • *Authentication Failures
  • ExtranetAccountLockouts
  • RequestLatency
  • RejectedRequests/Sec
  • RejectedRequests
  • OutstandingRequests
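
Comparing the Token Requests/Sec counter across farm nodes makes the NLB imbalance described earlier visible. The PowerShell below is an added example, not part of the original post; the function names, node names, the 20-point threshold and the exact counter path `\AD FS\Token Requests/sec` are assumptions to adjust for your farm.

```powershell
# Added example (not from the original post): per-node share of AD FS token requests.
# Function names, node names, threshold and counter path are assumptions.

function Get-AdfsTokenRate {
    # Averages the counter over a short window on each farm node.
    param(
        [Parameter(Mandatory)] [string[]] $Node,
        [string] $Counter     = '\AD FS\Token Requests/sec',  # assumed path on 2012 R2
        [int]    $Samples     = 12,
        [int]    $IntervalSec = 5
    )
    $rates = @{}
    foreach ($n in $Node) {
        $sets = Get-Counter -ComputerName $n -Counter $Counter `
                    -SampleInterval $IntervalSec -MaxSamples $Samples -ErrorAction Stop
        $rates[$n] = ($sets.CounterSamples |
                      Measure-Object -Property CookedValue -Average).Average
    }
    $rates
}

function Get-AdfsLoadShare {
    # Flags nodes whose share of requests deviates from an even split
    # by more than $MaxDeviationPct percentage points.
    param(
        [Parameter(Mandatory)] [hashtable] $RatePerNode,  # node -> requests/sec
        [double] $MaxDeviationPct = 20
    )
    $total = ($RatePerNode.Values | Measure-Object -Sum).Sum
    $even  = 100 / $RatePerNode.Count
    foreach ($n in ($RatePerNode.Keys | Sort-Object)) {
        # An idle farm (total 0) is not an imbalance, so report an even share.
        $share = if ($total -gt 0) { 100 * $RatePerNode[$n] / $total } else { $even }
        [pscustomobject]@{
            Node           = $n
            RequestsPerSec = [math]::Round($RatePerNode[$n], 1)
            SharePct       = [math]::Round($share, 1)
            Imbalanced     = [math]::Abs($share - $even) -gt $MaxDeviationPct
        }
    }
}

# Constructed sample: what a sticky load balancer tends to look like on a two-node farm.
$sample = @{ 'adfs01' = 41.7; 'adfs02' = 4.2 }
Get-AdfsLoadShare -RatePerNode $sample | Format-Table -AutoSize

# Live use (hypothetical node names):
# Get-AdfsLoadShare -RatePerNode (Get-AdfsTokenRate -Node 'adfs01','adfs02')
```

Average over the same window on every node before comparing; a short burst on one node is not evidence of stickiness.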

I hope that this helps. If you have any questions, please be sure to let me know.

James.