Tracing the source of failed authentications in ADFS 3.0 RRS feed

  • Question

  • We have an ADFS 3.0 farm (2 Primary, 2 Proxies) configured for Office365 authentication and Single Sign-On.  We have an account that is being locked out a few times everyday due to bad authentication attempts on the ADFS farm.  This account is used in quite a few different locations.  I can clearly in the logs when it gets locked out, but I need to know where the bad attempt is originating from, the source IP of the request.  I've not been able to find any clear direction for enabling this type of logging in ADFS 3.0 or Web Application Proxy.  Any suggestions? 
    Thursday, December 10, 2015 3:41 PM